Quote:Both Microsoft and federal cybersecurity officials are urging organizations to use mitigations to combat a zero-day remote control execution (RCE) vulnerability in Windows that allows attackers to craft malicious Microsoft Office documents.
Microsoft has not revealed much about the MSHTML bug, tracked as CVE-2021-40444, beyond that it is “aware of targeted attacks that attempt to exploit this vulnerability by using specially-crafted Microsoft Office documents,” according to an advisory released Tuesday.
However, it’s serious enough that the Cybersecurity and Infrastructure Security Agency (CISA) released an advisory of its own alerting users and administrators to the vulnerability and recommending that they use the mitigations and workarounds Microsoft recommends.
The vulnerability allows an attacker to craft a malicious ActiveX control that can be used by a Microsoft Office document that hosts the browser rendering engine, according to Microsoft.
The attacker would then have to convince the user to open the malicious document for an attack to be successful, the company said. Moreover, users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights, according to the advisory.
Read more: Microsoft, CISA Urge Mitigations for Zero-Day RCE Flaw in Windows | Threatpost
![[-]](https://www.geeks.fyi/images/collapse.png)
