Users can grant hackers permission to access the system through the Active X control contained in these documents. The Federal Agency for Cybersecurity (CISA) and Microsoft have pointed this out.
–
The current bug applies to versions of Windows 2008 to 2019 and Windows 8.1 to Windows 10. The MSHTML software component is most often associated with Internet Explorer, but is also used by other applications such as Microsoft Outlook, Skype, Visual Studio and others.
–
For a successful attack, this software only needs to allow the Active X control to run, which the user must confirm. In this way, hackers gain permission to the operating system and can install malicious software on it.
–
“Malicious MS Office files are a popular tactic among cybercriminals and state-sponsored hackers. A security vulnerability in MSHTML can make it easier to exploit the system with common tricks to disconnect users from security on their computers. “The message may look like official mail from a business partner or the company’s management,” said Martin Hořický, a cybersecurity expert from the BDO consulting firm.
–
Microsoft is still investigating the effects of this bug, and experts say it may affect more Windows components than just Microsoft Office documents. Some MSHTML software is ubiquitous in this operating system.
–
On Thursday, Microsoft warned users of its Azure cloud service that hackers could exploit security vulnerabilities to gain access to their data. However, he added that he had already removed the weakness and that he had no evidence of its misuse by hackers.
—
