Microsoft Acknowledges a New Office File-Based Attack

Posted on September 8, 2021 by Paul Thurrott in Office with 13 Comments

Microsoft has acknowledged a newly discovered vulnerability that could allow hackers to attack users with Microsoft Office files.

“An attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine,” Microsoft explains. “The attacker would then have to convince the user to open the malicious document. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.”

Yes, you read that right: 20 years later, and we’re still dealing with ActiveX-based vulnerabilities. But the good news is that Microsoft Defender Antivirus and Microsoft Defender for Endpoint both provide detection of and protection from the known vulnerability, according to Microsoft.

It’s likely that Microsoft will issue a fix for this problem next Tuesday, but in the meantime, all you need to do is keep your antivirus solution up to date. The firm also offers some workarounds in its security advisory.

13 responses to “Microsoft Acknowledges a New Office File-Based Attack”

  1. navarac

    Oh dear, oh dear - not a week goes by ..........

  2. hrlngrv

    | operate with administrative user rights

    IOW, pretty much HUNDREDS OF MILLIONS of 1st accounts created on then-new PCs.

    I understand MSFT wants to make Windows as simple as possible for BILLIONS of users. Sadly, there's a trade-off between simplicity and security, and it just doesn't seem MSFT is anywhere near as committed to security as simplicity. Rational, in a sense. Why annoy hundreds of millions of users with a better if less convenient security model when the nasty things which could occur from lax security would likely affect only millions of users.

    At least there's Windows Defender, reactive measures to make up for an absence of proactive measures.

    • bluvg

      "I don't run a computer often, but when I do, I run as root."

    • wright_is

      The first thing I do, after setting up a new PC is create a separate admin user, delete the "temp" account and add my account. Or if it is a home machine, remove admin rights from my account and give them to a dedicated admin account. But how many people do that? How many even know how? How many even know that that is necessary?

      At work, nobody has admin rights. Even we, as the IT department don't have admin rights on our PCs. We have to log in with an extra administrator account or enter it into UAC requests, if we need to carry out admin tasks. On my PC, I probably need to do that once or twice a month, when the updates from Lenovo and Intel need to be installed.

      I even gave up on playing GTA V, because it nagged for the admin password every time it launched, on my home PC. Well, I gave up on Windows as well last week and installed Linux, but that is another story.

  3. rmlounsbury

    Microsoft's banner run of major security issues marches on. It's been a rough year for all their products and security.

  4. simont

    Why oh Why would you want ActiveX in a document anyway?

    • rm

      Macros in Excel use ActiveX I think.

      • hrlngrv

        One can embed ActiveX controls in any Office program's documents, but I've never seen a practical example for doing so outside of Excel. There are also Form controls, but they interface differently with VBA. Userforms (aka dialogs) can use either ActiveX or Form controls. Sometimes ActiveX controls embedded in worksheet cells are more flexible than Form controls.

      • wright_is

        They use COM, not ActiveX.

  5. proftheory

    So I'll be safe if I keep using LibreOffice?

    • anoldamigauser

      Security by obscurity?

      • zeratul456

        I know that security by obscurity is frowned upon, but if it works, why the heck not?

        There's also HardenTools which hardens Office 365 and disables most of the insecure stuff.