More critical Microsoft vulnerabilities announced
Posted by: GuidePoint Security
Published 9/16/21, 9:00am
Businesses are being urged to mitigate a new critical vulnerability affecting Windows Server 2008 through 2019 and Windows 8.1 through 10. Attacks are targeting Office 365, Office 2019, and Windows 10. The zero-day flaw (CVE-2021-40444) is a remote code execution vulnerability located in MSHTML, the browser rendering engine used by MS Office documents. Attacks involve malicious email attachments containing specially designed Microsoft Office documents. The Microsoft Advisory states that “An attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine. The attacker would then have to convince the user to open the malicious document. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.”
In another announcement last week, Microsoft said it had remediated a vulnerability in its Azure Container Instances (ACI). Security researchers are referring to the potential threat as a ‘cross-account takeover bug.’ The vulnerability could allow attackers to execute malicious commands on another user’s containers and steal information. Microsoft found no indication of an attack, but it notified at-risk customers with containers deployed before August 31, assuring them that the vulnerability is fixed and that an investigation found no unauthorized access. Customers who did not receive a notification do not need to take any action.
Next Steps
Mitigations and workarounds for the Microsoft zero-day flaw (CVE-2021-40444) can be found in the Microsoft Advisory.
For the Azure container concern, Microsoft recommends, as a precautionary measure, that customers who were notified of the issue revoke any privileged credentials that were deployed to the platform before August 31. Additional information can be found on the Microsoft Security Response Center.