Microsoft, Mandiant and EXPMON researchers discovered a set of flaws in MSHTML (Internet Explorer’s browser engine) that remote, unauthenticated attackers can use to execute code on a system.
Threat actors are exploiting this zero-day vulnerability in the wild by creating weaponized Office documents to hijack vulnerable Windows systems. An attacker can craft a malicious ActiveX control to be used by an Office document that hosts the browser rendering engine. The attacker would need to persuade a user to open the malicious file, according to Microsoft.
How Bad is This?
The CVE has a severity rating of 8.8 out of 10 and affects Windows Server 2008 through 2019 and Windows 8.1 through 10. EXPMON confirmed via Twitter that they reproduced the attack using Office 2019/Office 365 on Windows 10:
We have reproduced the attack on the latest Office 2019 / Office 365 on Windows 10 (typical user environment), for all affected versions please read the Microsoft Security