Several authorities have warned of a critical vulnerability in Internet Explorer that can be triggered through Office documents. In the absence of a fix, Microsoft has provided workarounds.
Using Protected View by default in IE can prevent exploitation of the vulnerability (Photo credit: Microsoft)
CISA and the French CERT have issued an alert on the discovery of a critical vulnerability in Internet Explorer (still widely used in companies). Microsoft has published a dedicated security bulletin on this flaw, tracked as CVE-2021-40444. It has a severity level of 8.8 on a scale of 10 and affects Windows Server 2008 to 2019 and Windows 8.1 to 10. The flaw was reported by several researchers from different firms: Haifei Li from EXPMON; Dhanesh Kizhakkinan, Bryce Abdo and Genwei Jiang, all three from Mandiant; and Rick Cole from Microsoft Security Intelligence.
The flaw takes advantage of the MSHTML rendering engine used by Internet Explorer to open and read Office documents. An attacker can create a malicious Office file and send it by email; if the user clicks on the document, the vulnerability allows the attacker to take control of the PC. "A hacker could create a malicious ActiveX control used in an Office document hosting the browser rendering engine," Microsoft specifies.
Mitigations to apply
Remote code execution therefore requires user interaction, which prompts the Redmond firm to recall simple rules of computer hygiene, such as not opening untrusted documents. However, attackers often show great ingenuity in carrying out spear-phishing campaigns, which can be formidable. Microsoft has not yet published a patch for CVE-2021-40444, but it has provided mitigation recommendations.
First, it urges users to disable all ActiveX controls in Internet Explorer. Microsoft then specifies that if the PC is configured as it should be, the document is opened in Protected View or Application Guard for Office with a warning ("attention, this file comes from ...") and asks for confirmation before it can be modified. If these two features are enabled by default, the vulnerability is not active. Finally, the vendor notes that standard users are less affected than those with full administrator rights.