Microsoft warns of attacks targeting Office documents

Microsoft has raised alarm bells over a new cyberattack that’s actively targeting Windows users by exploiting a security flaw through malicious Office documents. In a security update released on Tuesday, the software giant described its investigation into a remote code execution vulnerability in MSHTML that works through specially crafted Microsoft Office documents.

SEE: Incident response policy (TechRepublic Premium)

“MSHTML is a component used by myriad applications on Windows,” said Jake Williams, co-founder and CTO at incident response firm BreachQuest. “If you’ve ever opened an application that seemingly ‘magically’ knows your proxy settings, that’s likely because it uses MSHTML under the hood.”

By exploiting this flaw, an attacker could devise a malicious ActiveX control used by an Office document that hosts the browser’s rendering engine. The attacker would have to convince the user to open the malicious document, likely sent via email. Users with more limited accounts on their computers could be less vulnerable than those with full administrative privileges.

The exploit affects all current versions of Windows, including Windows 7, 8.1, and 10, as well as Windows Server 2008, 2012, 2016, 2019 and 2022.

No patch is yet available for this exploit. Microsoft said that after completing its current investigation, it may either provide a security update through its monthly release cycle or roll out an out-of-cycle update. In the meantime, Microsoft Defender Antivirus and Microsoft Defender for Endpoint both detect and protect against this vulnerability. Users of either product should make sure they’re up to date.

Further, Microsoft Office by default opens documents from the internet in Protected View or Application Guard for Office, both of which prevent the current attack. Office users should make sure that Protected View is enabled. To do this, click the File menu in any Office application and select Options. In the Options window, go to Trust Center, click the button for Trust Center Settings and then select Protected View.

In lieu of a patch, Microsoft does have a workaround. As described in the security advisory, use a text editor to create a .REG file with the following strings:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINESOFTWAREPoliciesMicrosoftWindowsCurrentVersionInternet SettingsZones]

“1001”=dword:00000003

“1004”=dword:00000003

[HKEY_LOCAL_MACHINESOFTWAREPoliciesMicrosoftWindowsCurrentVersionInternet SettingsZones1]

“1001”=dword:00000003

“1004”=dword:00000003

[HKEY_LOCAL_MACHINESOFTWAREPoliciesMicrosoftWindowsCurrentVersionInternet SettingsZones2]

“1001”=dword:00000003

“1004”=dword:00000003

[HKEY_LOCAL_MACHINESOFTWAREPoliciesMicrosoftWindowsCurrentVersionInternet SettingsZones3]

“1001”=dword:00000003

“1004”=dword:00000003

Save the file with the .reg extension. Double-click it to add it to the existing Registry.

“The good news is that this vulnerability is client-side and requires user interaction,” said Casey Ellis, founder and CTO at cybersecurity platform Bugcrowd. “A patch will be available soon. Unfortunately, that’s the end of the good news.”

Ellis cautioned that the exploit complexity appears quite low, which means that attackers can more readily take advantage of it. The impact is very high. And in its weaponized form, the exploit could be used in different types of attacks, including ransomware. Plus, even when a patch becomes available, many organizations may fail to apply that patch quickly enough.

“The consistent challenge with client-side vulnerabilities like this one is that there are a lot of systems that need to be patched, which means they stay available for exploitation to attackers for quite some time,” Ellis added.

Microsoft Weekly Newsletter

Be your company’s Microsoft insider by reading these Windows and Office tips, tricks, and cheat sheets.
Delivered Mondays and Wednesdays

Sign up today

Also see