Microsoft® Reports “Zero-Day” Attacks Using Tainted Office® Files
Microsoft® reports a previously unseen “zero-day” attack that uses Office® files tainted with specially crafted ActiveX controls. Once such a file is opened, the control exploits a vulnerability that enables perpetrators to perform remote code execution, allowing them to install malicious software, deploy ransomware, and steal confidential information. Users with administrative rights on their machine are considered more likely to be impacted.
Microsoft has indicated that the default settings in Microsoft Office provide users with protections against this threat. By default, documents downloaded from the web open in “Protected View” or via “Application Guard for Office,” and the ActiveX control would not run automatically unless users turn off these protections.
An additional workaround has been provided in the Microsoft vulnerability announcement, namely, to disable all ActiveX controls in MSHTML. This can be accomplished by modifying the registry via the registry editor. Microsoft warns that this approach can be dangerous, as missteps in registry editing can affect the larger operating system.
Microsoft has indicated that it will likely provide a security patch for the discovered exploit, either during or outside of its typical patch schedule.
ACA guidance
The zero-day exploit uses Office files tainted with malicious ActiveX controls in MSHTML to gain entry into systems via remote code execution. MSHTML is used by Microsoft Office to render web content in Office documents, so the threat is widespread. The severity of the danger is likewise confirmed by the U.S. government’s Community Emergency Response Team (CERT), which has tweeted similar information on the exploit.
ACA recommends:
- Notify all users of the exploit and of the need to refrain from opening any suspicious or unexpected Office documents.
- Ensure the default Office settings that prevent ActiveX controls from running automatically are in place.
- Consider implementing the registry fix suggested by Microsoft.
- Ensure privileged-access programs are in place that restrict and monitor administrative rights.
- Be on the lookout for further announcements from Microsoft regarding this vulnerability, and ensure patches are applied when available.
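The following PowerShell script is an added example for checking the two controls discussed above (Protected View left at its defaults, and the MSHTML ActiveX registry workaround); it is not code from ACA or from Microsoft’s advisory. The Protected View value names (DisableInternetFilesInPV and related, under the Office 16.0 hive, an assumption for Office 2016/2019/365) and the zone policy values (URL actions 1001 and 1004 set to 3 in zones 0 through 3) are taken from Microsoft’s documentation of these settings rather than from this page; confirm them against the current Microsoft advisory before applying. Without -Apply the script only reports, and -WhatIf shows what it would write.

```powershell
# Added example: audit, and optionally apply, the mitigations discussed above on a Windows host.
#   1. Report whether Protected View has been turned off for internet files, attachments
#      or unsafe locations in Word, Excel or PowerPoint (absent keys mean defaults, i.e. on).
#   2. Report whether ActiveX control download is disabled in all Internet zones, which is
#      the registry workaround Microsoft published, and set it when -Apply is given.
# Run from an elevated PowerShell session.
[CmdletBinding(SupportsShouldProcess)]
param([switch]$Apply)

$zonesBase  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$urlActions = @('1001', '1004')   # download signed / unsigned ActiveX controls
$disable    = 3                   # URL policy value meaning "Disable"

function Test-ProtectedView {
    # Assumes Office 16.0 (2016/2019/365); adjust the version segment for other releases.
    $apps     = @('Word', 'Excel', 'PowerPoint')
    $pvValues = @('DisableInternetFilesInPV', 'DisableAttachmentsInPV', 'DisableUnsafeLocationsInPV')
    $roots    = @('HKCU:\Software\Microsoft\Office\16.0',
                  'HKCU:\Software\Policies\Microsoft\Office\16.0')
    $findings = @()
    foreach ($root in $roots) {
        foreach ($app in $apps) {
            $key = "$root\$app\Security\ProtectedView"
            if (-not (Test-Path $key)) { continue }   # no key: Protected View at defaults
            $props = Get-ItemProperty -Path $key
            foreach ($name in $pvValues) {
                if ($props.$name -eq 1) {              # 1 = Protected View disabled for that source
                    $findings += [pscustomobject]@{ App = $app; Setting = $name; Key = $key }
                }
            }
        }
    }
    return $findings
}

function Test-ActiveXDisabled {
    # Returns one row per zone/action whose value is not "Disable" (3).
    $findings = @()
    foreach ($zone in 0..3) {
        $key = Join-Path $zonesBase $zone
        foreach ($action in $urlActions) {
            $value = $null
            if (Test-Path $key) {
                $value = (Get-ItemProperty -Path $key -Name $action -ErrorAction SilentlyContinue).$action
            }
            if ($value -ne $disable) {
                $findings += [pscustomobject]@{ Zone = $zone; Action = $action; Current = $value }
            }
        }
    }
    return $findings
}

function Set-ActiveXDisabled {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    foreach ($zone in 0..3) {
        $key = Join-Path $zonesBase $zone
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        foreach ($action in $urlActions) {
            if ($PSCmdlet.ShouldProcess("$key\$action", "set DWORD to $disable")) {
                New-ItemProperty -Path $key -Name $action -Value $disable -PropertyType DWord -Force | Out-Null
            }
        }
    }
}

$pv = Test-ProtectedView
if ($pv) { Write-Warning 'Protected View has been turned off for:'; $pv | Format-Table -AutoSize }
else     { Write-Output 'Protected View: default protections in place.' }

$ax = Test-ActiveXDisabled
if ($ax) {
    Write-Warning 'ActiveX download is not disabled in every zone:'
    $ax | Format-Table -AutoSize
    if ($Apply) { Set-ActiveXDisabled; Write-Output 'MSHTML ActiveX workaround applied.' }
} else {
    Write-Output 'MSHTML ActiveX workaround: already in place.'
}
```

Because the workaround writes under the machine-wide Policies hive, it affects every user on the host and persists until those values are removed; keep a record of what was changed so the setting can be reverted once the Microsoft patch is installed.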
How we help
ACA Aponix® offers the following solutions that can help organizations enhance their cybersecurity against ransomware and other attacks.
- Risk assessments and regulatory compliance testing services, including Microsoft® Office 365® security assessments
- Threat intelligence, phishing testing and monitoring
- Operational resilience and governance
Download our Aponix Protect™ cybersecurity solution brochure.
If you have any questions, please reach out to your ACA Aponix consultant or contact us here.