
A new MS Office Word RCE causing havoc for users

According to Microsoft, hackers are exploiting a remote code execution (RCE) vulnerability (CVE-2021-40444).

Updated: October 11, 2021 By Ozair Malik


The MS Word RCE attack uses maliciously crafted Microsoft Office files that rely on the MSHTML browser rendering engine to open an ActiveX control. The ActiveX control shares the user's private information with the attacker, putting users' sensitive data at risk.

The Microsoft Office RCE bug puts users at risk of data theft, creating unrest among them and lowering their trust in public domains. In the 21st century, the most used application in our daily routine is, without a doubt, the Microsoft Office suite, and a bug on this scale has distressed users, who are left wondering how long they have been exposed to this attack and how much sensitive data they have already lost to this vulnerability in a Microsoft product.

Ever since the exploit became mainstream, users have been under immense pressure, as no one knows how much of their sensitive information has been sold to their competitors. In this era, all presentations and important confidential files are stored in .doc files, a Microsoft product.

The Microsoft Office users

A report published by Microsoft itself in January 2021 describes the number of Microsoft Office users as follows:

Microsoft approximately provides service to the number of Office 365 active users in January 2020 but uses October 2019 as a base with three months of average growth to January 2020 and a 15% uplift. We get to a current figure of approximately 240 million active users.

– Microsoft

The number now stands at approximately 290 million active users as of August 2021.

A bug in such a widely used product is a setback for the vendor and could cost it loyal customers. The bug needs to be fixed as early as possible, or Microsoft could lose a mighty fortune over it in the days to come.


Details about the bug

The flaw is in MSHTML, Internet Explorer's rendering engine.

Although few people use Internet Explorer anymore (even Microsoft encourages switching to Edge), the old browser is still a part of modern operating systems. Several other apps use its engine to handle web content. Microsoft Office apps such as Word and PowerPoint, in particular, rely on it.


Working of the attack

The attacks take the form of malicious ActiveX components embedded in Microsoft Office documents. The controls allow arbitrary code execution, and the documents are most likely sent as e-mail attachments. Attackers must persuade victims to open the file, just as they must with any attached document.

In principle, Microsoft Office can avoid a CVE-2021-40444 attack by using Protected View or Application Guard for Office to handle documents received over the Internet.

Users can, however, disable Microsoft's security safeguards by pressing the Enable Editing button without pausing to ponder.

In the last few days, Microsoft's reputation has been in tatters because of the CVE-2021-40444 exploit. Microsoft has started working on removing the bug; until then, it advises users to avoid files from untrusted sources.


Expmon role

According to Expmon, one of several security firms that reported the zero-day flaw to Bleeping Computer, the attack approach is 100% reliable, which makes it exceedingly risky. When a user opens the document, malware is loaded from a remote source. Expmon discovered the bug and said it is not limited to Word files but affects all products in the Microsoft Office suite. Expmon's advisory read:

EXPMON system detected a highly sophisticated #ZERO-DAY ATTACK ITW targeting #Microsoft #Office users! At this moment, since there's no patch, we strongly recommend that Office users be extremely cautious about Office files - DO NOT OPEN if not fully trust the source!

-Expmon Official Twitter Handle

According to Microsoft's report:

Any document that uses MSHTML has the potential to be a vector. Microsoft does not yet have a cure for the security flaw, although the bug report does include several mitigating options.

 - Expmon

Microsoft is keeping users updated through this page: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444.


Protection from attack

  • Install a security solution at the corporate mail gateway level or enhance Microsoft Office 365's standard security features to protect corporate mail from attacks.
  • Provide security solutions capable of identifying vulnerability exploitation on all employee computers.
  • Raise employees' understanding of modern cyber threats, including reminding them not to open documents from unknown sources or turn on editing mode unless essential.
  • Apart from being cautious while viewing Office documents, note that by default Microsoft Office opens files in Protected View mode (Application Guard in Office 365), which mitigates the attack. The exploit is also prevented from running by Microsoft Defender Antivirus and Defender for Endpoint.
  • Users can also block the installation of all ActiveX components in Internet Explorer, according to Microsoft.

This workaround requires a registry file (.reg), which can be found in the issue report. Running the REG file adds the new entries to the Windows registry. For the changes to take effect, you'll need to restart your computer.
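To confirm that the registry workaround described above is in place on a machine, the following added example (not taken from the original article or from Microsoft) audits the relevant policy values. The key path, value names and the "disabled" value of 3 are assumptions based on Microsoft's published workaround and should be checked against the MSRC advisory before relying on the result.

```powershell
# Added example: audit the "block ActiveX installation" workaround for CVE-2021-40444.
# Assumption: the key path and values below match the .reg file in Microsoft's
# advisory; verify them against the MSRC page before trusting this report.
$base     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$zones    = @{ 0 = 'Local Machine'; 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet' }
$actions  = @{ '1001' = 'Download signed ActiveX controls'
               '1004' = 'Download unsigned ActiveX controls' }
$disabled = 3   # URL policy value meaning "disallow"

$report = foreach ($zone in ($zones.Keys | Sort-Object)) {
    $key = Join-Path $base "$zone"
    foreach ($name in ($actions.Keys | Sort-Object)) {
        # A missing key or value means the workaround was not applied for this zone.
        $value = $null
        if (Test-Path -LiteralPath $key) {
            $item = Get-ItemProperty -LiteralPath $key -Name $name -ErrorAction SilentlyContinue
            if ($item) { $value = $item.$name }
        }
        [pscustomobject]@{
            Zone    = $zones[$zone]
            Action  = $actions[$name]
            Value   = if ($null -eq $value) { 'not set' } else { $value }
            Blocked = ($value -eq $disabled)
        }
    }
}

$report | Format-Table -AutoSize

# Non-zero exit code lets this run as a compliance check in a deployment tool.
if ($report.Blocked -contains $false) {
    Write-Warning 'ActiveX installation is not blocked in every zone; the workaround is incomplete.'
    exit 1
}
Write-Output 'ActiveX installation is blocked in all four zones.'
```

Run it from an elevated or standard PowerShell prompt after the reboot; reading these policy keys does not require administrator rights.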


Conclusion

Microsoft has stated that it will investigate the situation and, if necessary, issue an official patch. However, we do not anticipate a fix before October 14, Patch Tuesday.

Under typical circumstances, Microsoft would not publicize a vulnerability before releasing a remedy, but because criminals are actively exploiting CVE-2021-40444, the company advises applying a temporary workaround right away.

The fix requires adding a few keys to the system registry that prevent the installation of new ActiveX components. Microsoft gives extensive details about the flaw.

Author
Ozair Malik
A passionate Cyber Security researcher and writer with a keen interest in Digital Forensics. A community worker running an Insta blog to raise cybersecurity awareness among laymen.
