A new zero-day vulnerability, CVE-2021-40444, was found lurking in Internet Explorer's MSHTML rendering engine, making it possible for attackers to compromise exposed Windows systems via malicious Office documents.
CVE-2021-40444 RCE Flaw Used in Targeted Attacks
The remote code execution vulnerability, rated with a CVSS score of 8.8, stems from MSHTML (Trident), the proprietary browser engine of Internet Explorer. The same engine is used by Microsoft Office to render web content inside Word, Excel, and PowerPoint documents. According to Microsoft, the vulnerability has been weaponized in targeted attacks using specially crafted Office documents.
“An attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine. The attacker would then have to convince the user to open the malicious document. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights,” the company’s advisory says.
It is also noteworthy that Windows users who rely on automatic updates do not need to take any additional action to address CVE-2021-40444. However, enterprise customers who manage updates themselves should select detection build 1.349.22.0 or newer and deploy it across their environments, the company adds.
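For administrators who manage Defender updates centrally, the practical question is whether each managed host has actually received a detection build at or above 1.349.22.0. The following PowerShell check is an added example, not code from the article or from Microsoft; it assumes that "detection build" refers to the Defender antivirus signature version reported by the Get-MpComputerStatus cmdlet, and the function name Test-DefenderDetectionBuild is our own.

```powershell
# Added example (not from the article or from Microsoft): reports whether the
# local Microsoft Defender antivirus signature version meets the detection
# build the article names (1.349.22.0). Assumes "detection build" means the
# AntivirusSignatureVersion property returned by Get-MpComputerStatus
# (Defender PowerShell module, Windows only).

function Test-DefenderDetectionBuild {
    [CmdletBinding()]
    param(
        # Minimum acceptable signature version; default is the build from the article.
        [version]$MinimumVersion = [version]'1.349.22.0'
    )

    try {
        $status = Get-MpComputerStatus -ErrorAction Stop
    }
    catch {
        # No Defender module or service: report non-compliant rather than
        # silently treating an unqueryable host as patched.
        return [pscustomobject]@{
            ComputerName     = $env:COMPUTERNAME
            InstalledVersion = $null
            MinimumVersion   = $MinimumVersion
            Compliant        = $false
            Note             = "Get-MpComputerStatus failed: $($_.Exception.Message)"
        }
    }

    # Cast to [version] so that, for example, 1.349.100.0 compares greater than
    # 1.349.22.0; a plain string comparison would rank "100" below "22".
    $installed = [version]$status.AntivirusSignatureVersion
    $compliant = $installed -ge $MinimumVersion

    if ($compliant) {
        $note = 'Signature at or above the required detection build'
    }
    else {
        $note = 'Update Defender security intelligence on this host'
    }

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        InstalledVersion = $installed
        MinimumVersion   = $MinimumVersion
        Compliant        = $compliant
        Note             = $note
    }
}

# Usage: run locally, or wrap in Invoke-Command to collect results from
# managed hosts and filter on Compliant -eq $false.
Test-DefenderDetectionBuild | Format-List
```

The [version] cast is the part worth keeping even if the rest is adapted: signature versions have four numeric components, and comparing them as strings silently misreports hosts whose third component has more digits than the baseline.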