Microsoft warns of new IE zero-day exploited in targeted Office attacks

Microsoft's security team issued an alert earlier today to warn about a new Internet Explorer zero-day that is being abused in real-world attacks.

Tracked as CVE-2021-40444, the vulnerability impacts Microsoft MHTML, also known as Trident, the Internet Explorer browser engine.

While MHTML was primarily used for the now-defunct Internet Explorer browser, the component is also used in Office applications to render web-hosted content inside Word, Excel, or PowerPoint documents.

"Microsoft is aware of targeted attacks that attempt to exploit this vulnerability by using specially-crafted Microsoft Office documents," the company said in an advisory today.

"An attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine," the OS maker added.

Microsoft said the attacks and the underlying zero-day were discovered by security researchers from Mandiant and EXPMON.

EXPMON system detected a highly sophisticated #ZERO-DAY ATTACK ITW targeting #Microsoft #Office users! At this moment, since there's no patch, we strongly recommend that Office users be extremely cautious about Office files - DO NOT OPEN if not fully trust the source!

— EXPMON (@EXPMON_) September 7, 2021

Details about the attacks, their targets, and the attacker(s) exploiting this zero-day have not been made public.

Microsoft is expected to release a patch next week, during the company's regular security servicing window, known as Patch Tuesday.

In the meantime, the OS maker says that companies can disable ActiveX rendering to prevent CVE-2021-140444 exploitation. Instructions on how to do so were included with the company's security advisory.