Cybersecurity Threat Advisory 0061-21: Office 365 Zero-Day Attacks

Threat Update

Microsoft has released a mitigation for a vulnerability which exists on Windows 10 and can be exploited against Office 365 and Office 2019. Identified as CVE-2021-40444, this vulnerability could allow attackers to execute arbitrary code on a device if exploited. Because Microsoft Office is used and trusted by millions worldwide, attackers could potentially launch very large-scale attacks; the vulnerability has a severity rating of 8.8 out of 10. SKOUT has included recommendations below to prevent devices from remaining susceptible to this vulnerability.

Technical Detail & Additional Information

WHAT IS THE THREAT?

CVE-2021-40444 – Remote Code Execution Vulnerability

This vulnerability exists on Windows 10 and can be exploited against Office 365 and Office 2019. It is a flaw in MSHTML (the browser rendering engine) that could allow attackers to execute arbitrary, potentially malicious commands or code on a device. The vulnerability has largely been exploited through phishing campaigns in which attackers convince an end user to open a specially crafted, malicious Microsoft Office document.

WHY IS IT NOTEWORTHY?

Thousands of individuals and businesses use and trust Microsoft and Windows products. Microsoft products are key to everyday business across the globe, and their popularity has made them a frequent target for attackers seeking the widest possible pool of victims. It is very important to take any recommendations released by Microsoft seriously and to keep these devices and services updated regularly. This is a major step in preventing vulnerabilities from being exploited.

WHAT IS THE EXPOSURE OR RISK?

Any vulnerability affecting Microsoft devices or services is cause for concern, because so many of them are integrated into everyday business. This zero-day in particular could allow attackers to execute code remotely, which could lead to several possible compromises, such as denial of service, the deletion or creation of files, and even complete system compromise. Many companies rely on the sensitive data stored on their Windows machines remaining private and on being able to use those machines to conduct everyday business. This vulnerability puts these expectations at risk if it is exploited, so it is very important to ensure Microsoft's recommendations are followed.

WHAT ARE THE RECOMMENDATIONS?

This vulnerability can be exploited on:

  • Windows Server 2008 through 2019
  • Windows 8.1 through 10

Microsoft says that this vulnerability cannot be exploited if Microsoft Office is running under a configuration in which documents from the internet are opened in Protected View or in Application Guard for Office 365. This is the default configuration for all Windows devices.

Apply the Windows registry update, which prevents newly downloaded ActiveX controls from being installed and run while leaving already-installed ActiveX controls in place and functioning.
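As an added example (not part of the SKOUT advisory and not Microsoft's own tooling), the following PowerShell audits each Internet Explorer security zone for the registry workaround Microsoft published for CVE-2021-40444 and applies it only where it is missing. It assumes the key paths and value names of that published workaround (URLACTION values 1001 and 1004 set to 3 under the machine-wide Policies zone keys), an elevated session, and that the administrator confirms the details against current Microsoft guidance before deployment.

```powershell
# Added example: audit and apply the ActiveX download workaround for CVE-2021-40444.
# Assumed from Microsoft's published workaround: values 1001 (download signed
# ActiveX controls) and 1004 (download unsigned ActiveX controls) set to 3
# (Disable) in zones 0-3. Already-installed controls are not affected.
$ZoneRoot   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$ValueNames = @('1001', '1004')   # URLACTION_DOWNLOAD_SIGNED_ACTIVEX, URLACTION_DOWNLOAD_UNSIGNED_ACTIVEX
$Disabled   = 3                    # 0 = Enable, 1 = Prompt, 3 = Disable
$ZoneIds    = 0..3                 # 0 Local Machine, 1 Local Intranet, 2 Trusted Sites, 3 Internet

function Test-ActiveXDownloadMitigation {
    # Emits one object per zone/value so the result can be reported or exported.
    foreach ($zone in $ZoneIds) {
        $key = Join-Path $ZoneRoot $zone
        foreach ($name in $ValueNames) {
            $current = $null
            if (Test-Path $key) {
                $current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
            }
            [pscustomobject]@{
                Zone      = $zone
                Value     = $name
                Current   = $current
                Mitigated = ($current -eq $Disabled)
            }
        }
    }
}

function Set-ActiveXDownloadMitigation {
    # Creates any missing zone policy key, then writes the Disable value.
    # A restart is required for the new policy to take effect.
    foreach ($zone in $ZoneIds) {
        $key = Join-Path $ZoneRoot $zone
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        foreach ($name in $ValueNames) {
            Set-ItemProperty -Path $key -Name $name -Value $Disabled -Type DWord
        }
    }
}

# Audit first; apply only if at least one zone is not yet set to Disable, then re-audit.
$status = Test-ActiveXDownloadMitigation
$status | Format-Table -AutoSize
if ($status | Where-Object { -not $_.Mitigated }) {
    Set-ActiveXDownloadMitigation
    Test-ActiveXDownloadMitigation | Format-Table -AutoSize
}
```

Running only Test-ActiveXDownloadMitigation (without the apply step) gives a read-only compliance check that can be pushed to a fleet through any remote execution tool.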
More information on how to apply these remediations can be found in the links within the references section of this advisory.

REFERENCES

For more in-depth information about the recommendations, please visit the following links:

If you have any questions, please contact our Security Operations Center.