Microsoft shared a workaround for a remote code execution vulnerability in browser rendering engine MSHTML that is used by Microsoft Office documents and is being exploited in targeted attacks against Office 365 and Office 2019 on Windows 10. The vulnerability tracked as CVE-2021-40444 affects Windows Server 2008 through 2019 and Windows 8.1 through 10 having a CVSS score 8.8 out of the maximum 10.. The attacker exploits this vulnerability by convincing the user to open the malicious document containing crafted ActiveX control to be used by a specially-crafted Microsoft Office document that hosts the browser rendering engine. Successful exploitation of this vulnerability allows attacker system takeover with currently logged-in user privileges.
Microsoft have stated that systems with active Microsoft’s Defender Antivirus and Defender for Endpoint benefit from protection against attempts to exploit this attack (CVE-2021-40444). Microsoft’s security platforms will display alerts about this attack as “Suspicious Cpl File Execution”
Disable the installation of all ActiveX controls in Internet Explorer mitigates this attack. Refer to the reference URL for instructions.
Avoid handling files or URL links in emails, chats, or shared folders from untrusted sources.
Provide phishing awareness training to your employees/contractors. Keep Anti-malware solutions at the endpoint and network-level updated at all time.
Deploy Endpoint Detection & Response (EDR) tools to detect latest malware and suspicious activities on endpoints.