Threat Watch

Microsoft, CISA Urge Use of Mitigations and Workarounds for Office Document Vulnerability

Microsoft identified attacks targeting a remote code execution vulnerability in MSHTML that affects Microsoft Windows. Active attacks make use of a Microsoft Word document that refers to a remote template file that includes malicious content to download a .cpl file and ultimately execute a DLL file that uses a .inf file extension. Following the announcement, The Cybersecurity and Infrastructure Security Agency (CISA) also encouraged users and organizations to review Microsoft’s mitigations and workarounds to address CVE-2021-40444. The Microsoft stated anyone who uses Defender Antivirus and Defender for Endpoint and enables automatic updates is safe from the vulnerability. The alerts in Microsoft Defender will show up as “Suspicious Cpl File Execution.”

Subscribe to Threat Watch

Daily summaries of threats, delivered straight to your inbox!


Click Here to Subscribe to Threat Watch

ANALYST NOTES

Threat hunters should consider searching for Microsoft Word running Control.exe as a child process as an indication of this attack. Microsoft added that Microsoft Office opens documents from the internet in Protected View or Application Guard for Office by default, both of which prevent the current attack. Microsoft also suggested disabling the installation of all ActiveX controls in Internet Explorer. View the full release with mitigations and workarounds here. https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444

https://www.zdnet.com/article/microsoft-cisa-urge-use-of-mitigations-and-workarounds-for-office-document-vulnerability/

Facebook Twitter Instagram Youtube Linkedin
Solutions
Become a Reseller

Industries

Resources

About

Contact Us
Contact Support