Microsoft Warns of Attacks Exploiting MSHTML Zero-Day in Windows, Offers Mitigations

A remote code execution vulnerability in the MSHTML browser rendering engine that ships with Windows is being exploited in the wild and can be used to take over an affected system, Microsoft warned this week. Researchers, however, caution that the mitigations the company has offered may not be enough to stop the attacks.

Microsoft said this week that it had become aware of targeted attacks attempting to exploit a vulnerability in MSHTML by means of specially crafted Microsoft Office documents.

“An attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine,” the advisory from Redmond reads.

“The attacker would then have to convince the user to open the malicious document. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.”

Right off the bat, Microsoft tells customers to “keep antimalware products up to date,” and assures those who rely on Windows’ built-in security tools that they provide “detection and protections for the known vulnerability.”

The company said Tuesday that one simple mitigation is to leave Protected View enabled. Office switches into Protected View when a document carries the ‘Mark of the Web’ (MoTW), the Zone.Identifier marker that Windows attaches to files downloaded from the Internet so that applications know the file is untrusted.

“By default, Microsoft Office opens documents from the internet in Protected View or Application Guard for Office both of which prevent the current attack,” it said.

However, security researchers quickly took to Twitter to show that attackers have ways to avoid the Protected View prompt, for example by delivering the document inside an archive such as a ZIP file, so that the extracted document may not inherit the MoTW, or by simply switching to the Rich Text Format (RTF).
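Because the Protected View mitigation depends entirely on the MoTW surviving delivery, a practitioner will want to check which documents actually carry it. The following PowerShell script is an added example (it is not from the article and not Microsoft’s own guidance): it reads the Zone.Identifier alternate data stream on documents in a folder, reports which ones Office would open in Protected View, and re-stamps the ones that lost the mark. The folder path and the list of extensions are assumptions to adjust for your own environment.

```powershell
# Added example (not from the article or from Microsoft): audit the Mark of the Web
# on documents unpacked from an archive or saved from e-mail, and re-stamp any that
# lost it. On NTFS, Windows records the MoTW as a "Zone.Identifier" alternate data
# stream; "ZoneId=3" (Internet) is what makes Office open the file in Protected View.

function Get-MotwZone {
    # Returns the ZoneId from the file's Zone.Identifier stream, or $null if absent.
    param([Parameter(Mandatory)][string]$Path)
    try {
        $ads = Get-Content -LiteralPath $Path -Stream 'Zone.Identifier' -ErrorAction Stop
    } catch {
        return $null    # no stream: Office will open this file outside Protected View
    }
    foreach ($line in $ads) {
        if ($line -match '^ZoneId=(\d+)\s*$') { return [int]$Matches[1] }
    }
    return $null
}

function Set-MotwZone {
    # Re-stamps a file as Internet-origin (ZoneId=3) so Protected View applies again.
    param([Parameter(Mandatory)][string]$Path, [int]$ZoneId = 3)
    Set-Content -LiteralPath $Path -Stream 'Zone.Identifier' -Value "[ZoneTransfer]`r`nZoneId=$ZoneId"
}

# Assumed locations and file types: point $Folder at wherever attachments or
# archive contents are unpacked on the machine being checked.
$Folder   = 'C:\Users\Public\Downloads\extracted'
$DocTypes = '*.doc', '*.docx', '*.docm', '*.dotm', '*.rtf',
            '*.xls', '*.xlsx', '*.xlsm', '*.ppt', '*.pptx'

$report = Get-ChildItem -LiteralPath $Folder -Include $DocTypes -Recurse -File | ForEach-Object {
    $zone = Get-MotwZone -Path $_.FullName
    [pscustomobject]@{
        File          = $_.FullName
        ZoneId        = $zone
        # 3 = Internet, 4 = Restricted sites; both are treated as untrusted origins.
        ProtectedView = ($null -ne $zone -and $zone -ge 3)
    }
}
$report | Format-Table -AutoSize

# Files that arrived without the MoTW (for example, extracted by a tool that does not
# propagate it) get it back, so Office treats them as Internet-origin again.
$report | Where-Object { -not $_.ProtectedView } | ForEach-Object { Set-MotwZone -Path $_.File }
```

Re-stamping restores the Protected View behaviour for documents that simply lost the mark in transit. It does not address the RTF route the researchers described, where the document is handled without the Protected View prompt, which is why the ActiveX workaround below matters independently of MoTW.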

Another workaround pushed by Microsoft is to disable the installation of all ActiveX controls in Internet Explorer.

“This can be accomplished for all sites by configuring the Group Policy using your Local Group Policy Editor or by updating the registry,” Microsoft wrote. “Previously-installed ActiveX controls will continue to run, but do not expose this vulnerability.”

The advisory offers granular instructions on how to accomplish this, as well as how to undo the workaround when needed.
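The workaround itself is a set of Internet Explorer URL-action policy values. The PowerShell below is an added example, not the article’s text and not a copy of Microsoft’s advisory: it applies the setting to the four IE security zones, verifies it, and provides the undo. The policy key path, the URL-action value names 1001 and 1004, and the meaning of value 3 are taken from the advisory as the author of this example understands it; confirm them against the advisory before rolling this out.

```powershell
# Added example (not the article's or Microsoft's own text): apply, verify and undo
# the "disable ActiveX installation in Internet Explorer" workaround via the registry.
# Assumed from Microsoft's advisory (verify before use):
#   1001 = URLACTION_DOWNLOAD_SIGNED_ACTIVEX, 1004 = URLACTION_DOWNLOAD_UNSIGNED_ACTIVEX,
#   value 3 = Disable; zones 0..3 = Local machine, Intranet, Trusted sites, Internet.
# Run from an elevated PowerShell session: HKLM policy keys need administrator rights.

$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$Zones      = 0..3
$Actions    = '1001', '1004'
$Disable    = 3

function Set-ActiveXInstallDisabled {
    # Creates the per-zone policy keys if missing and sets both URL actions to Disable.
    foreach ($z in $Zones) {
        $key = Join-Path $PolicyRoot $z
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        foreach ($a in $Actions) {
            New-ItemProperty -Path $key -Name $a -PropertyType DWord -Value $Disable -Force | Out-Null
        }
    }
}

function Test-ActiveXInstallDisabled {
    # Returns $true only if every zone has both values present and equal to 3.
    foreach ($z in $Zones) {
        $key = Join-Path $PolicyRoot $z
        if (-not (Test-Path $key)) { return $false }
        $props = Get-ItemProperty -Path $key
        foreach ($a in $Actions) {
            if ($props.$a -ne $Disable) { return $false }
        }
    }
    return $true
}

function Remove-ActiveXInstallWorkaround {
    # Undo: remove only the two values this workaround added, leaving any other
    # zone policy settings in place.
    foreach ($z in $Zones) {
        $key = Join-Path $PolicyRoot $z
        if (Test-Path $key) {
            foreach ($a in $Actions) {
                Remove-ItemProperty -Path $key -Name $a -ErrorAction SilentlyContinue
            }
        }
    }
}

Set-ActiveXInstallDisabled
if (Test-ActiveXInstallDisabled) {
    'ActiveX installation disabled for zones 0-3; reboot to be sure the policy is applied.'
} else {
    Write-Warning 'Workaround not fully applied; check permissions and re-read the advisory.'
}
```

Policy values under HKLM\SOFTWARE\Policies take precedence over the per-user IE zone settings, which is why the workaround targets that hive. Keep Test-ActiveXInstallDisabled in your configuration checks so a later Group Policy refresh or an undo run does not silently reopen the ActiveX installation path.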

Patch Tuesday is just around the corner, but it is unclear whether the September 14 update will include a fix for this newly disclosed flaw.

Regardless, users should keep an eye out for suspicious, unsolicited emails carrying attachments. One lure shared by researchers this week was a fake letter from a supposed attorney, titled “A Letter before court.”

As a general rule, users should not download, let alone open, files from unknown sources, especially if they arrive via unsolicited emails that claim the user must take some immediate action.