[TheRecord] Microsoft patches Office zero-day in today’s Patch Tuesday

Microsoft has released patches today for a zero-day vulnerability in one of the Windows components that was abused in the wild for attacks using weaponized Office documents.

First disclosed last week, when Microsoft warned of the attacks and published basic mitigations, the flaw now has official fixes, released today as part of Microsoft's monthly Patch Tuesday security updates.

Tracked as CVE-2021-40444, patches have been made available for Windows versions as far back as Windows 7 and Windows Server 2008.

The bug resides in the Microsoft MHTML component, also known as Trident, the old Internet Explorer browser engine. Microsoft said it discovered instances where a threat actor had created malicious Office files that used the MHTML component to load web-based content inside the documents, such as a malicious ActiveX control, which exploited CVE-2021-40444 to run code on the underlying Windows OS.

A successful attack allowed threat actors to gain control over a user’s OS, Microsoft said last week.
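Since the article describes the attack vector only at a high level (a document that loads web-based content through the MHTML component), the following added example shows a defender-side triage check rather than anything from the article or from Microsoft: it opens an Office Open XML (.docx) package, walks every relationship part, and flags external relationships whose target uses the mhtml: scheme. The code is not part of the original post. It assumes only the standard OOXML package layout (relationship parts end in .rels and use the package relationships namespace); the sample document, the oleObject relationship type used in it, and the example.invalid hostnames are constructed placeholders, not indicators taken from the page.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from html import escape
from typing import List, Tuple

# Namespace used by every *.rels part in an OOXML package.
REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"

# Matches a Target attribute that starts with the mhtml: scheme (case-insensitive).
MHTML_TARGET = re.compile(r"^\s*mhtml:", re.IGNORECASE)


def find_mhtml_relationships(docx_bytes: bytes) -> List[Tuple[str, str, str]]:
    """Return (rels_part, relationship_type, target) for every relationship in the
    package that is marked External and whose target uses the mhtml: scheme.

    An ordinary document has no reason to reference an mhtml: URL from its
    relationship parts, so any hit is worth pulling aside for analysis.
    """
    hits: List[Tuple[str, str, str]] = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as package:
        for name in package.namelist():
            if not name.lower().endswith(".rels"):
                continue
            try:
                root = ET.fromstring(package.read(name))
            except ET.ParseError:
                # A relationship part that is not well-formed XML is itself
                # suspicious; a production scanner would report it separately.
                continue
            for rel in root.iter(REL_NS + "Relationship"):
                target = rel.get("Target", "")
                mode = rel.get("TargetMode", "Internal")
                if mode == "External" and MHTML_TARGET.match(target):
                    hits.append((name, rel.get("Type", ""), target))
    return hits


def build_sample_docx(external_target: str) -> bytes:
    """Build a minimal, constructed .docx in memory whose document relationships
    contain one External relationship pointing at external_target.

    This exists only so the scanner can be exercised offline; it is not a
    reproduction of any real malicious document.
    """
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
        '<Default Extension="xml" ContentType="application/xml"/>'
        '<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
        "</Types>"
    )
    root_rels = (
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" Target="word/document.xml"/>'
        "</Relationships>"
    )
    document = (
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
        "<w:body/></w:document>"
    )
    # The oleObject relationship type below is an assumption chosen for the sample;
    # the scanner does not depend on the Type value, only on TargetMode and Target.
    document_rels = (
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>'
        '<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" '
        f'Target="{escape(external_target, quote=True)}" TargetMode="External"/>'
        "</Relationships>"
    )
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w", zipfile.ZIP_DEFLATED) as package:
        package.writestr("[Content_Types].xml", content_types)
        package.writestr("_rels/.rels", root_rels)
        package.writestr("word/document.xml", document)
        package.writestr("word/_rels/document.xml.rels", document_rels)
    return buffer.getvalue()


if __name__ == "__main__":
    # Constructed inputs: a benign external https link and an mhtml: target.
    for label, target in (
        ("benign", "https://example.invalid/report.html"),
        ("mhtml", "mhtml:http://example.invalid/placeholder.html"),
    ):
        findings = find_mhtml_relationships(build_sample_docx(target))
        print(f"{label}: {len(findings)} mhtml relationship(s)")
        for part, rel_type, rel_target in findings:
            print(f"  {part}: type={rel_type} target={rel_target}")
```

Running the scanner over a mail gateway's attachment quarantine or an EDR sample feed gives a cheap first-pass filter; it does not replace the vendor patch, and a document that passes it can still be malicious, since the check looks only at the one scheme the article names.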

While no technical details were revealed last week, security researchers and malware developers quickly figured out what the issue was. Proof-of-concept code to exploit the bug eventually appeared on both GitHub and underground hacking forums, and that code has already been weaponized and integrated into attacks spotted this week.

A campaign with it today targeting Russian telcos…

— alex lanstein (@alex_lanstein) September 13, 2021

Fortunately, today’s Office zero-day patch also comes just in time, as several security researchers discovered last week ways to bypass Microsoft’s temporary mitigation solutions [12], meaning that Windows users were fully exposed to these attacks without any kind of protection.

However, whether the patches hold up remains to be seen. Several security researchers have publicly stated that the bug is buried deep enough in core Office behavior that attackers could easily find new ways to abuse this issue, creating another scenario similar to Microsoft's never-ending PrintNightmare patching conundrum.

The September 2021 Patch Tuesday also fixes 85 other bugs

But besides the fix for CVE-2021-40444, Microsoft has also released other security updates today, with patches for 85 other bugs, 48 of which are Edge/Chromium-related issues.

Of these, the most important appears to be CVE-2021-36968, an elevation of privilege vulnerability in the Windows DNS service, for which details have already been publicly shared on the internet.

“According to Microsoft, it is not being exploited in the wild,” said Allan Liska, threat intelligence analyst at Recorded Future. “It is labelled Important by Microsoft and, interestingly, only impacts Windows 7 and Windows Server 2008.”

Other issues to keep an eye on, and reasons to apply today’s patches as soon as possible, are CVE-2021-36965 and CVE-2021-26435, Liska said.

The post Microsoft patches Office zero-day in today’s Patch Tuesday appeared first on The Record by Recorded Future.


