Updated on September 14, 2021, a fix for the flaw was made as part of the September Patch Tuesday Update [Earlier this week, Microsoft warned of a new zero-day vulnerability that allows attackers to take over any Windows PC with a booby-trapped Office 365 file

In Microsoft's security advisory for the flaw, cataloged as CVE-2021-40444, users are warned that when opening files downloaded from the Internet, Word, Excel, and PowerPoint display protected views of warning and should avoid clicking the "Enable Editing" button for such files, it states

However, this problem is actually more serious and difficult to defend against Nor is Office necessary for this exploit to work As CERT/CC vulnerability analyst Will Dorman indicated yesterday (September 9) on Twitter, simply previewing a booby-trapped Rich Text Format (RTF) in File Explorer is enough to trigger the exploit

The exploit is not a simple one, but it is a very powerful one

Although the actual attack mechanism of this exploit has not been disclosed, several security researchers have replicated this exploit and it has been actively used in attacks that appear to target primarily the United States

Microsoft may patch this flaw in next Tuesday's monthly update, but until then it is unclear; Windows 7, 81, 10, and 11 are vulnerable, as are all versions of Microsoft Office

For now, home Windows users can minimize their exposure to this attack by disabling Office's outdated Microsoft programming framework ActiveX (we show you how below) and running one of the best anti-virus programs available minimized

While these measures will protect Office and stop known malicious files, attackers can easily create new malicious files or use non-Office files It's like playing whack-a-mole until Microsoft patches it [At least until September 14, the only sure way to protect yourself from these attacks is to completely disable ActiveX in the Windows registry (the "master document" that manages each Windows system) This is a dangerous action unless you really know what you are doing, but I will show you how to do it

This will disable the ability to view web-based content in Word, Excel, PowerPoint, and other Office applications

WARNING: This involves editing the Windows registry, and one misstep could cause your Windows build to go very wrong

As Microsoft itself states in its advisory warning of this exploit, "It can cause serious problems and may require a reinstallation of your operating system Tom's Guide cannot be held responsible if this occurs and you do so at your own risk

In addition, Word, Excel, PowerPoint, and other Office applications will no longer be able to display Web-based content, Internet Explorer will no longer function, and Windows' built-in File Explorer and Other programs may also be affected; Microsoft Edge is not affected

1 make sure you are running Windows under an administrator account

2 Copy and paste all of the following text into a text file:

3 Save the text file to your desktop with the extension "reg" The file name is not important; it is the extension that is important

4 locate the file on the desktop and double-click it

5 A window will pop up warning you that editing the registry can cause bad things to happen, click "yes"

6 Restart the PC

In the mid-1990s, Microsoft created a programming framework called ActiveX to compete with Java and JavaScript, two widely used tools for creating rich web content It incorporated ActiveX into MSHTML, the rendering engine that powers the Internet Explorer web browser

Although neither ActiveX nor Internet Explorer are currently being developed, MSHTML is still the default website rendering engine for Office and many default Windows programs, including Windows 11 [37] [38] MSHTML is still the default website rendering engine for Office and many default Windows programs, including Windows 11 Thus, Word, Excel, PowerPoint, File Explorer, and other common Microsoft applications use MSHTML and ActiveX

Whether or not IE is actually installed on your system, you can assume that each of these programs has a mini Internet Explorer browser built in

"Word uses MSHTML in a mostly unsecured way," security expert Kevin Beaumont wrote on Twitter this past Wednesday (September 8) 'It's a pretty rich attack surface'

In this case, the attacker (believed to be part of the BazarLoader malware campaign) is sending out phishing emails with Word documents attached that may be of interest to recipients A typical example appears to be a threat from a Minneapolis attorney that "you will be sued in small claims court"

While this example may seem like an obvious phishing email to many, attackers can scan your social media posts and create a document suitable for tricking you, as Dormann noted, to avoid protected views RTF files instead of Office files, or embed Word documents in Zip files or other compressed folders to avoid protected views

When an Office or RTF file is opened, the Web-based content in the file launches MSHTML, which uses ActiveX to render the Web content

Attackers have created malicious ActiveX "controls," or programming modules, customized to hijack PCs, but Beaumont said on Twitter that he found a way to trigger the exploit without using new ActiveX controls Beaumont stated on Twitter that he had found a way to trigger the exploit without using a new ActiveX control

Whatever the mechanism, the end result is that the malware using the exploit gains the same privileges on the system as the current user If you are running Windows as a limited user who cannot install, update, or remove applications, or change system settings, then the damage would be limited However, if you are running Windows as an administrator, the malware can really take over your system

The ultimate goal, at least in current malware campaigns, is to install a CobaltStrike backdoor into the system and create a permanent, hidden method of remote control

Microsoft patched the flaw on Tuesday, September 14, in a scheduled round of Patch Tuesday updates The patch is available for Windows 7 (extended support version) through Windows 10 version 21H1