BACKGROUND:
Microsoft has issued an advisory detailing that attackers are exploiting a previously unknown vulnerability in Windows 10 and many Windows Server versions. Microsoft states that it is ‘aware of targeted attacks that attempt to exploit this vulnerability by using specially-crafted Microsoft Office documents.’
<div>There is always the chance of a zero day attack and Microsoft is turning them up a lot right now, but no one is immune. One of the reasons for this spike in zero days is that Microsoft is among the most ubiquitous business software in the world. If you’re an attacker and want victims, you go after the biggest footprint. However, the answer isn’t to use more obscure software. Instead the lesson was made clear with the SolarWinds and Hafnium attacks: deploy software but realise that you are lending the vendor trust. No aspersions on anyone but we trust but verify in security, which means assume that even trusted vendors and software can be compromised. Therefore, get good at limiting damage, detecting when software is abused to do things it shouldn’t do, and get great at finding that and wrapping it up. Microsoft should by all means do all it can to reduce the incidence of these, but security should assume that any vendor can be compromised and be prepared for that eventuality.</div>
<div>
<p>The best root technology is behavioural telemetry collection and analysis across the organisation, tied into a well-run detection and response programme. The key is to prepare in peacetime, prevent the preventable, detect what gets past and get really good at finding and wrapping up the enemy and, of course, take steps to limit damage when vulnerabilities like these are exploited. If it sounds tough, it is. The discipline of cyber isn’t about buying a tool and slapping it in a rack. It’s about getting good at continual improvement; so good that you frustrate the opponents early, often, and reliably. This isn’t about a sprint or even a marathon, but a lifetime of running races every day. That shouldn’t be depressing or concerning to cyber professionals. On the contrary, when we know the races we have to run, we can focus on getting really good at it and one day beating the attackers soundly enough that they need new jobs.</p>
</div>
<p>Over the US holiday weekend, attackers began targeting a zero-day affecting Microsoft Windows. CVE-2021-40444 is a remote code execution (RCE) vulnerability in MSHTML (also known as Trident), the HTML engine used by Internet Explorer. Attackers can exploit this flaw by sending unsuspecting targets a crafted Microsoft Office document and enticing victims to open the attachment. Microsoft has provided an advisory warning of this vulnerability and active exploitation attempts targeting the flaw. While this remains unpatched, Microsoft states that Protected View or Application Guard for Office prevent the attack from successfully executing. Additionally, a workaround exists which will disable ActiveX controls in Internet Explorer to mitigate the attack surface until a patch is officially available.</p>
<p>Although this attack does require user interaction, threat actors are likely to target victim organizations with tailored emails or attempt to exploit current news events for a higher success rate.</p>
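<p>As an added example (not part of the commentary above), the following PowerShell applies the Internet Explorer ActiveX workaround in the form Microsoft's advisory described it and then verifies the result. The zone ids 0-3, the value names 1001 and 1004 and the setting 3 (disable) are taken from that advisory and are assumptions here, since this page does not spell them out; the function names are hypothetical.</p>

```powershell
# Added example, not the article's own content. Disables download of signed
# (1001) and unsigned (1004) ActiveX controls in all four IE security zones via
# the machine policy hive, so users cannot re-enable it, then verifies the state.
# Assumption: value names/zone ids mirror the CVE-2021-40444 advisory workaround.
# Run from an elevated PowerShell session.

$ZonesRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$Values    = @{ '1001' = 3; '1004' = 3 }   # 3 = Disable
$ZoneIds   = 0..3                          # Local Machine, Intranet, Trusted, Internet

function Set-ActiveXDownloadDisabled {
    foreach ($zone in $ZoneIds) {
        $key = Join-Path $ZonesRoot $zone
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        foreach ($name in $Values.Keys) {
            New-ItemProperty -Path $key -Name $name -Value $Values[$name] `
                -PropertyType DWord -Force | Out-Null
        }
    }
}

function Test-ActiveXDownloadDisabled {
    # Returns $true only when every zone carries both values set to 3;
    # any missing or different value is reported as a warning.
    $ok = $true
    foreach ($zone in $ZoneIds) {
        $key = Join-Path $ZonesRoot $zone
        foreach ($name in $Values.Keys) {
            $current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
            if ($current -ne 3) {
                Write-Warning "Zone $zone value $name is '$current' (expected 3)"
                $ok = $false
            }
        }
    }
    return $ok
}

Set-ActiveXDownloadDisabled
if (Test-ActiveXDownloadDisabled) { 'ActiveX download policy applied to all zones' }
```

<p>Because the values live under the Policies hive they are reported by standard configuration-drift tooling, which makes the check above easy to run fleet-wide as a detection of hosts that have not received the workaround.</p>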