Microsoft Acknowledges a New Office File-Based Attack

Microsoft has acknowledged a newly discovered vulnerability that could allow hackers to attack users with Microsoft Office files.

“An attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine,” Microsoft explains. “The attacker would then have to convince the user to open the malicious document. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.”


Yes, you read that right: 20 years later, and we’re still dealing with ActiveX-based vulnerabilities. But the good news is that Microsoft Defender Antivirus and Microsoft Defender for Endpoint both provide detection of and protection from the known vulnerability, according to Microsoft.

It’s likely that Microsoft will issue a fix for this problem next Tuesday, but in the meantime, all you need to do is keep your antivirus solution up to date. The firm also offers some workarounds in its security advisory.


Conversation 13 comments

  • navarac

    08 September, 2021 - 12:56 pm

    Oh dear, oh dear – not a week goes by ……….

    • wright_is

      Premium Member
      10 September, 2021 - 7:22 am

      Yeah, I gave up last weekend and installed Linux on my main PC…

  • hrlngrv

    Premium Member
    08 September, 2021 - 1:47 pm

    | operate with administrative user rights

    IOW, pretty much HUNDREDS OF MILLIONS of 1st accounts created on then-new PCs.

    I understand MSFT wants to make Windows as simple as possible for BILLIONS of users. Sadly, there’s a trade-off between simplicity and security, and it just doesn’t seem MSFT is anywhere near as committed to security as simplicity. Rational, in a sense. Why annoy hundreds of millions of users with a better if less convenient security model when the nasty things which could occur from lax security would likely affect only millions of users.

    At least there’s Windows Defender, reactive measures to make up for an absence of proactive measures.

    • bluvg

      08 September, 2021 - 3:12 pm

      "I don’t run a computer often, but when I do, I run as root."

    • wright_is

      Premium Member
      10 September, 2021 - 7:28 am

      The first thing I do, after setting up a new PC is create a separate admin user, delete the "temp" account and add my account. Or if it is a home machine, remove admin rights from my account and give them to a dedicated admin account. But how many people do that? How many even know how? How many even know that that is necessary?

      At work, nobody has admin rights. Even we, as the IT department don’t have admin rights on our PCs. We have to log in with an extra administrator account or enter it into UAC requests, if we need to carry out admin tasks. On my PC, I probably need to do that once or twice a month, when the updates from Lenovo and Intel need to be installed.

      I even gave up on playing GTA V, because it nagged for the admin password every time it launched, on my home PC. Well, I gave up on Windows as well last week and installed Linux, but that is another story.

  • rmlounsbury

    Premium Member
    08 September, 2021 - 3:35 pm

    Microsoft’s banner run of major security issues marches on. It’s been a rough year for all their products and security.

  • simont

    Premium Member
    08 September, 2021 - 3:37 pm

    Why oh Why would you want ActiveX in a document anyway?

    • rm

      09 September, 2021 - 7:33 am

      Macros in Excel use ActiveX I think.

      • hrlngrv

        Premium Member
        09 September, 2021 - 4:40 pm

        One can embed ActiveX controls in any Office program’s documents, but I’ve never seen a practical example for doing so outside of Excel. There are also Form controls, but they interface differently with VBA. Userforms (aka dialogs) can use either ActiveX or Form controls. Sometimes ActiveX controls embedded in worksheet cells are more flexible than Form controls.

      • wright_is

        Premium Member
        10 September, 2021 - 7:29 am

        They use COM, not ActiveX.

  • proftheory

    Premium Member
    08 September, 2021 - 3:45 pm

    So I’ll be safe if I keep using LibreOffice?

    • anoldamigauser

      Premium Member
      08 September, 2021 - 5:10 pm

      Security by obscurity?

      • zeratul456

        10 September, 2021 - 4:15 am

        I know that security by obscurity is frowned upon, but if it works, why the heck not?

        There’s also HardenTools which hardens Office 365 and disables most of the insecure stuff.


Thurrott © 2024 Thurrott LLC