Microsoft is tracking targeted attacks that attempt to exploit this vulnerability by using specially-crafted Microsoft Office documents.
If an attacker manages to convince a user to open a malicious document, they may be able to execute commands at the privilege level of the user.
Up-to-date Microsoft Defender for Endpoint alerts will be displayed as: “Suspicious Cpl File Execution”.
Windows Server 2022
Windows Server 2019
Windows Server 2016
Windows Server 2012
Windows Server 2008
Containment, Mitigations & Remediations
The exploit runs with the privileges of the compromised user. Users whose accounts are configured with fewer rights on the system are therefore less exposed than users who operate with administrative rights. Account separation and the principle of least privilege are user-account best practices that limit the impact of this exploit.
By default, Microsoft Office opens documents from the internet in Protected View or Application Guard for Office, both of which prevent the current attack. Users should be made aware not to enable active content or disable these protective mechanisms when prompted.
Microsoft Defender Antivirus and Microsoft Defender for Endpoint both provide detection and protection for the known vulnerability. Customers should keep antimalware products up to date. Customers who utilize automatic updates do not need to take additional action. Enterprise customers who manage updates should select the detection build 1.349.22.0 or newer and deploy it across their environments.
The following registry settings disable the installation of all ActiveX controls in Internet Explorer. They can also be deployed via Group Policy Object (GPO); note that alternative controls may be required for other browsers:
Windows Registry Editor Version 5.00
Once applied, a reboot of the system is advised.
This workaround may prevent additional, legitimate, ActiveX content from functioning correctly.
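The advisory leaves the deployment and verification of the two controls above (Defender definition build and the IE ActiveX workaround) to the administrator. The following is an added example, not Microsoft's own script or the contents of the advisory's .reg file: it checks the installed Defender Antivirus definition version against the 1.349.22.0 build named above, and applies and verifies an ActiveX-download block for the four Internet Explorer security zones. The registry path under HKLM\SOFTWARE\Policies and the URL-action values 1001 (download signed ActiveX controls) and 1004 (download unsigned ActiveX controls) are the standard Internet Explorer zone policy settings; they are the editor's choice for illustrating the workaround and are not listed on the page, so confirm them against your own GPO baseline before rollout.

```powershell
# Added example (not from the advisory): two checks for an elevated PowerShell
# session on an affected Windows host.
#
# 1. Confirm the Defender Antivirus definition version meets the build the
#    advisory names (1.349.22.0 or newer).
# 2. Apply and verify the Internet Explorer zone policy that blocks download /
#    installation of ActiveX controls. 1001 = "Download signed ActiveX
#    controls", 1004 = "Download unsigned ActiveX controls", 3 = Disable.
#    These values are the editor's assumption about the advisory's workaround.

$RequiredDefinitionVersion = [version]'1.349.22.0'   # value stated in the advisory
$ZonePolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$ActiveXDownloadActions = @('1001', '1004')          # signed / unsigned ActiveX download
$DisableValue = 3
$Zones = 0..3   # 0 = Local Machine, 1 = Local Intranet, 2 = Trusted Sites, 3 = Internet

function Test-DefenderDefinitionVersion {
    param([version]$Required = $RequiredDefinitionVersion)
    # Get-MpComputerStatus comes from the Defender module on supported Windows builds.
    $status = Get-MpComputerStatus
    $installed = [version]$status.AntivirusSignatureVersion
    [pscustomobject]@{
        Installed = $installed
        Required  = $Required
        Compliant = ($installed -ge $Required)
    }
}

function Set-IEActiveXDownloadDisabled {
    # Writes the policy value for every zone; the policy hive overrides per-user settings.
    foreach ($zone in $Zones) {
        $path = Join-Path $ZonePolicyRoot "$zone"
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        foreach ($action in $ActiveXDownloadActions) {
            New-ItemProperty -Path $path -Name $action -PropertyType DWord `
                -Value $DisableValue -Force | Out-Null
        }
    }
}

function Test-IEActiveXDownloadDisabled {
    # Returns one row per zone/action so any gap in coverage is visible.
    foreach ($zone in $Zones) {
        $path = Join-Path $ZonePolicyRoot "$zone"
        foreach ($action in $ActiveXDownloadActions) {
            $current = $null
            if (Test-Path $path) {
                $current = (Get-ItemProperty -Path $path -Name $action -ErrorAction SilentlyContinue).$action
            }
            [pscustomobject]@{
                Zone     = $zone
                Action   = $action
                Value    = $current
                Disabled = ($current -eq $DisableValue)
            }
        }
    }
}

# Usage (run elevated; a reboot is still advised after the policy change):
Test-DefenderDefinitionVersion
Set-IEActiveXDownloadDisabled
Test-IEActiveXDownloadDisabled | Format-Table -AutoSize
```

The verification function is the part worth keeping in a fleet-wide compliance check: a zone whose row reports `Disabled = False` has either not received the policy or has been overridden, and, as the advisory notes, the setting only governs Internet Explorer and MSHTML-hosted content, so it does not cover other browsers.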
Indicators of Compromise
There are no known IoCs at this time.
These are targeted attacks for which Proof of Concept (PoC) code is available. It is therefore likely that attacks will become less targeted as other groups and individuals try to leverage the exploit.
For the exploit to work, the attacker(s) have to convince the user to open the file. Such delivery mechanisms are typically associated with phishing and spearphishing, where the document is either attached directly or linked as a shared file on an internet-hosted platform.