Attackers are using specially-constructed Microsoft Office documents to exploit the flaw in Windows 10 and Windows Server.
Microsoft has warned of a zero-day flaw present in Windows 10 and some versions of Windows Server that is being actively exploited via Internet Explorer and Microsoft Office.
The issue, tracked as CVE-2021-40444, affects Microsoft MSHTML (also known as Trident), the engine that powers Internet Explorer as well as some web functions in Microsoft Office programs.
According to the company, hackers are engaging in “targeted attacks that attempt to exploit this vulnerability by using specially-crafted Microsoft Office documents”.
“An attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine. The attacker would then have to convince the user to open the malicious document,” it said in a security update.
Microsoft noted that its Defender antivirus software can detect and protect against the attack, and that users whose accounts have fewer than full administrative rights on a system are less exposed to it than administrators.
The company advised users to keep their security software up to date, and said it will issue a fix as soon as possible.
Security researchers have also said that Microsoft Office’s Protected View, which is automatically enabled for documents downloaded directly from the internet, blocks attacks using this exploit. However, there are ways for attackers to avoid Protected View, such as by packaging a document in a zip archive.
Microsoft also said that disabling new ActiveX controls in Internet Explorer can mitigate the attack, though researcher Kevin Beaumont said on Twitter that he had found a way to bypass this measure.
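The two interim defences the article describes, Protected View (which depends on a downloaded file carrying Mark-of-the-Web) and disabling ActiveX control downloads in Internet Explorer, can both be audited from an administrator's PowerShell prompt. The script below is an added example written for this page, not code from Microsoft or from the article. It assumes the zone policy key path and the `1001`/`1004` DWORD names (signed and unsigned ActiveX download, `3` = Disable) from Microsoft's published workaround for this CVE, which are not quoted in the article and should be checked against the advisory before use; `$ScanPath` and the `-Remediate` switch are names chosen here.

```powershell
# Added audit script (not from the article or from Microsoft). Checks:
#  1) whether ActiveX control downloads are disabled in all four IE security zones
#     (assumed from Microsoft's workaround: DWORDs 1001 and 1004 set to 3 under the
#     Zones policy key; verify against the advisory)
#  2) whether Office documents under a folder carry Mark-of-the-Web (the
#     Zone.Identifier alternate data stream), which is what makes Office open them
#     in Protected View. Files pulled out of a zip archive often have no such mark.
[CmdletBinding()]
param(
    [string]$ScanPath = "$env:USERPROFILE\Downloads",   # folder of downloaded documents to inspect
    [switch]$Remediate                                   # also set the zone values to 3 (Disable)
)

# --- Part 1: Internet Explorer zone policy for ActiveX downloads ---------------------
$zonesBase = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$zoneIds   = 0..3                 # 0 = Local Machine, 1 = Local Intranet, 2 = Trusted, 3 = Internet
$valueNames = @('1001', '1004')   # 1001 = download signed ActiveX, 1004 = download unsigned ActiveX

foreach ($z in $zoneIds) {
    $key = Join-Path $zonesBase $z
    foreach ($name in $valueNames) {
        $current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
        if ($current -eq 3) {
            Write-Output "Zone $z value $name : 3 (ActiveX download disabled)"
            continue
        }
        $shown = if ($null -eq $current) { 'not set' } else { $current }
        Write-Warning "Zone $z value $name : $shown (ActiveX download NOT disabled)"
        if ($Remediate) {
            if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
            New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value 3 -Force | Out-Null
            Write-Output "Zone $z value $name : set to 3"
        }
    }
}

# --- Part 2: Mark-of-the-Web on Office documents ------------------------------------
$officeExt = '*.doc','*.docx','*.docm','*.dot','*.dotm','*.rtf',
             '*.xls','*.xlsx','*.xlsm','*.ppt','*.pptx','*.pptm'

Get-ChildItem -Path $ScanPath -Recurse -File -Include $officeExt -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Zone.Identifier is an NTFS alternate data stream; absent means no Mark-of-the-Web.
        $motw = Get-Content -LiteralPath $_.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
        $text = ($motw -join "`n")
        $zoneId = $null
        if ($text -match 'ZoneId=(\d)') { $zoneId = [int]$Matches[1] }

        if ($null -eq $zoneId) {
            $status = 'NONE - will open outside Protected View'
        } elseif ($zoneId -ge 3) {
            $status = "Zone $zoneId - Protected View applies"
        } else {
            $status = "Zone $zoneId - Protected View not triggered"
        }
        [pscustomobject]@{ File = $_.FullName; MarkOfTheWeb = $status }
    } | Format-Table -AutoSize
```

Run it as an administrator (the zone policy keys live under HKLM); without `-Remediate` it only reports. Documents listed as `NONE` are the cases the article warns about: a file unpacked from an archive that was downloaded with Mark-of-the-Web does not inherit it, so Office opens the file with full editing enabled and Protected View never stands between the user and an embedded ActiveX control.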
Internet Explorer has been officially retired in favour of Microsoft’s new browser, Edge, but its final iteration continues to receive security updates. The application will begin to be phased out of support for Windows 10 users in June 2022, but still makes up more than 2pc of global browser usage according to Kinsta.