New Windows Zero-Day RCE Vulnerability Exploited

The remote work era created a haven for threat actors. Microsoft announced a new zero-day RCE vulnerability in Windows that is currently being exploited in the wild.

As we fast approach the two-year mark of the coronavirus pandemic, numbers continue to rise in many parts of the world. New variants continue to emerge, and vaccine resistance and a refusal to wear masks are combining to keep the pandemic alive. Still, some businesses continue their in-person returns while others remain hybrid or fully remote. The era of remote work bred an increase in cyberattacks and newly discovered vulnerabilities, and put an emphasis on cybersecurity in general. Developers and security personnel can’t keep up with all of the fixes before the next threat rises, as is evidenced by a new zero-day RCE vulnerability in Windows that allows attackers to craft a malicious ActiveX control to be used by Microsoft Office documents.

The vulnerability lies in MSHTML, and Microsoft says that it is “aware of targeted attacks that attempt to exploit this vulnerability by using specially-crafted Microsoft Office documents,” according to the advisory issued by Microsoft on Tuesday. Because exploitation has happened and is still being actively pursued in the wild, CISA put out its own advisory to alert users and administrators to the problem.

With this vulnerability, an attacker creates a malicious ActiveX control that can be used by an Office document that hosts the browser rendering engine. The threat actor then needs the user to open the document for the attack to work. Microsoft also said that users who have limited privileges on their systems could be less impacted than those with admin privileges. This is another reason IAM controls matter: when a user doesn’t need access to something, make sure they don’t have it. Restricted access for certain employees means less surface area for a hacker to target. Current mitigations and workarounds can be found in the Microsoft advisory.

It would be nice if that were the end of it, but it isn’t. Microsoft is still investigating this vulnerability to see if anything else could be impacted. This is MSHTML, which is used by many applications today, not just Office. Any application that automatically detects your proxy settings is likely to use MSHTML under the hood. That’s not to say that this vulnerability affects any of those applications, but it is something to keep in mind as Microsoft continues to investigate.
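The attack chain above hinges on an Office document that pulls an object in from outside the package, so a useful triage step for a defender is to list exactly those references before a document is opened. The following Python script is an added example, not code from the article's author or from Microsoft: it opens an OOXML document (a zip archive whose `*.rels` parts are small XML files), walks every relationship part, and reports OLE-object relationships whose `TargetMode` is `External`. The package layout and the `oleObject` relationship type are public OOXML identifiers; the two sample documents are constructed in memory for the demonstration, and the external target URL in the suspicious one is a placeholder.

```python
"""Triage helper: flag OOXML Office documents whose relationship parts point at
OLE objects outside the package. Added example for this article; not code from
the article's author or from Microsoft. It relies only on the public OOXML
package layout (a zip archive whose *.rels parts are small XML files) and on the
standard oleObject relationship type; the sample documents below are constructed
in memory for the demonstration."""
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import Dict, List

# Namespace used by every *.rels part and the relationship type Office assigns
# to OLE objects (both are public OOXML/ECMA-376 identifiers, not page values).
RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL_TYPE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                "relationships/oleObject")


def find_external_ole_relationships(docx_bytes: bytes) -> List[Dict[str, str]]:
    """Return every OLE-object relationship whose TargetMode is "External".

    Embedded OLE objects live inside the package and are not flagged; only
    relationships that make Office fetch an object from outside the document
    are reported, because that is the shape a reviewer wants to look at first.
    """
    findings: List[Dict[str, str]] = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as pkg:
        for name in pkg.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(pkg.read(name))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                if (rel.get("Type") == OLE_REL_TYPE
                        and rel.get("TargetMode") == "External"):
                    findings.append({
                        "part": name,
                        "id": rel.get("Id", ""),
                        "target": rel.get("Target", ""),
                    })
    return findings


def build_sample_docx(extra_relationship_xml: str = "") -> bytes:
    """Construct a minimal, stand-in .docx in memory (sample data only).

    Only the parts the scanner reads are realistic; the body is a stub.
    """
    rels_xml = (
        f'<Relationships xmlns="{RELS_NS}">'
        '<Relationship Id="rId1" Target="styles.xml" Type="http://schemas.'
        'openxmlformats.org/officeDocument/2006/relationships/styles"/>'
        f"{extra_relationship_xml}"
        "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as pkg:
        pkg.writestr("[Content_Types].xml",
                     '<Types xmlns="http://schemas.openxmlformats.org/'
                     'package/2006/content-types"/>')
        pkg.writestr("word/document.xml", "<document/>")  # stub body
        pkg.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


# Constructed samples: one ordinary document and one whose relationships pull an
# OLE object from an external (placeholder) location.
CLEAN_DOCX = build_sample_docx()
SUSPICIOUS_DOCX = build_sample_docx(
    f'<Relationship Id="rId2" Type="{OLE_REL_TYPE}" '
    'Target="http://placeholder.invalid/object" TargetMode="External"/>'
)

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_DOCX), ("suspicious", SUSPICIOUS_DOCX)):
        hits = find_external_ole_relationships(blob)
        print(f"{label}: {len(hits)} external OLE relationship(s)")
        for hit in hits:
            print(f"  {hit['part']} {hit['id']} -> {hit['target']}")
```

Run it as a script to see the clean sample produce no findings and the suspicious sample produce one. In practice you would feed `find_external_ole_relationships` the bytes of a document arriving at a mail gateway or a file share; an external OLE relationship is not proof of malice, but it is exactly the feature worth routing to a sandbox or a human rather than straight to a user's desktop.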

According to ThreatPost, “Malicious Office documents are a popular tactic with cybercriminals and state-sponsored threat actors, and the vulnerability gives them ‘more direct exploitation of a system and the usual tricking users to disable security controls,’ observed John Bambenek, principal threat hunter at digital IT and security operations firm Netenrich.

‘As this is already being exploited, immediate patching should be done,’ he advised. ‘However, this is a stark reminder that in 2021, we still can’t send documents from point A to point B securely.’”

A stark reminder, indeed. It should also serve as a reminder that developers in general are already overworked and burning out. Those who deal with security are inching ever closer to the brink. It’s not just fixing critical vulnerabilities, though. It’s dealing with the critical vulnerabilities on top of the other patches that have to be applied. In August 2021 alone, Microsoft patched 44 flaws. That’s just Microsoft. Most businesses use several vendors for various software, hardware, cloud and storage solutions. Every single piece of technology requires updating in order to remain secure. Remember, too, that patches don’t just fix security bugs: they fix bugs that cause problems with other pieces of software and make updates for user experience, which can be anything from design changes to new or upgraded features.

Cybersecurity is going to be on the minds of business owners for a long time. Attacks are not slowing down, criminals are emboldened by successful ransomware attacks and there are not enough people to keep pace with it. This is where your team, your business, needs a third party. Bring in some outside help, an expert to help tighten up your security and apply patches and ensure you are compliant.

About the Author

Pieter VanIperen, Managing Partner of PWV Consultants, leads a boutique group of industry leaders and influencers from the digital tech, security and design industries that acts as a trusted technical partner for many Fortune 500 companies, high-visibility startups, universities, defense agencies, and NGOs. He is a 20-year software engineering veteran who founded or co-founded several companies. He acts as a trusted advisor and mentor to numerous early-stage startups, and has held the titles of software and software security executive, consultant and professor. His expert consulting and advisory work spans several industries in finance, media, medical tech, and defense contracting. He also authored the highly influential precursor HAZL (jADE) programming language.
