Since there are no security patches for a security hole in Windows that attackers are currently targeting, Microsoft advises administrators to secure systems with interim solutions. But according to security researchers, these do not protect reliably. The situation is exacerbated by the offer of exploit code in hacker forums.
Attackers are currently attempting to infect Windows PCs with malicious code using prepared Office documents. Through a security vulnerability (CVE-2021-40444 “high“) in the HTML rendering engine MSHTML of Windows a Trojan could get onto systems after opening such documents. A security patch for Windows 8.1 to 10 and Windows Server 2008 to 2019 is not yet available and will most likely be released on Patchday in this week.
Workarounds do not provide optimal protection
After opening prepared Office documents, ActiveX controls ensure that malicious code ends up on computers. To prevent that, Microsoft advises admins to do so in a warning messageTo disable ActiveX for Internet Explorer. Later it turned out that such an attack can also be triggered via the document preview in Windows Explorer. Microsoft has the Warning message Added another workaround to deactivate ActiveX in Explorer.
In the meantime, however, security researchers are reportingthat such attacks should also be possible without ActiveX. How this works in detail is currently not known. According to Microsoft, Office’s protective mechanism for opening files from unknown sources in Safe Mode is designed to protect against such attacks. An attack can only be successful if a victim allows processing.
For Office to open Word documents from the Internet in safe mode, for example, the files must be marked as Mark of the Web (MoTW). This is usually the case when downloading Office documents directly. If such a document is found in an archive, however, the MoTW marking is not given and the protective mechanism does not work, warn security researchers. In addition, attacks should also work with prepared RTF documents, for which Safe Mode is not applicable.
Attacks possible for everyone
According to entries in a hacker forum, the attackers have already optimized their exploit. There is also a comparatively simple step-by-step guide on how to create your own payload for attacks. That could result in a lot of free riders attacking Windows via the loophole.
According to security researchers, antivirus scanners such as Microsoft Defender should detect and block the current exploit. The attackers can modify their code at any time, so that the manufacturers of anti-virus software have to follow suit first.