New ActiveX Windows zero-day exploited: Microsoft alert

Take care opening Office docs until patch arrives next week.

A new zero-day vulnerability in the Trident MSHTML rendering engine for Windows is currently being exploited in targeted attacks, Microsoft has warned.

The company has received and confirmed reports that an attacker can write a malicious ActiveX control and deploy it through malicious Microsoft Office documents. ActiveX is a now-deprecated software framework that has been plagued by security issues.

Users would then be asked to open the Microsoft Office document, which hosts the browser rendering engine, so that the malicious code executes.

Microsoft rates the vulnerability as 8.8 out of 10 on the Common Vulnerability Scoring System version 3.0, and said the attack complexity is low, with proof-of-concept code being available.

The success of the attack depends on the privileges of the logged-in user who is tricked into opening the malicious Office document, with administrators being most at risk.

Microsoft's Protected View and Application Guard, which are used when opening Office documents from the internet, both prevent the attack.

Users whose Microsoft Defender Antivirus and Defender for Endpoint anti-malware software has auto-updated are also protected.

It is also possible to disable ActiveX controls on individual systems to foil the attack.

At this stage, it is not known who is behind the attacks or what the malicious payload is.

Copyright © iTnews.com.au. All rights reserved.