PCWorld (USA)

Unpatched Office attack reminds us: Don’t click on risky docs

An attacker will have to convince you to click on the document as well as turn off Protected View.

- BY MARK HACHMAN

Microsoft is warning of a new Office vulnerabil­ity that is probably avoidable with smart Internet practices—namely, don’t open untrusted documents.

Researcher EXPMON reported a new vulnerabil­ity for Microsoft Office, the company said ( go.pcworld.com/expm). Microsoft confirmed the vulnerabil­ity in a security update ( go.pcworld.com/mcon). Microsoft has yet to issue a patch for it, although the company said it would

“take the appropriat­e action to help protect our customers.”

The vulnerabil­ity takes advantage of the MSHTML rendering engine used by

Internet Explorer, a browser that Microsoft has deprecated. (IE will still run within Edge, but inside the browser’s sandbox, which protects your PC.) So instead the attackers are targeting the IE engine running within Microsoft 365 or Office documents. If a malicious Office document is sent you via email, and you click on it or enable it, the vulnerabil­ity could be used to give an attacker control of your PC.

“An attacker could craft a malicious Activex control to be used by a Microsoft Office document that hosts the browser rendering engine,” Microsoft said. “The attacker would then have to convince the user to open the malicious document.

Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administra­tive user rights.”

Microsoft already has two layers of protection that will secure your PC against this threat. First, you first have to click on the malicious document to open it. Second, if your PC is configured— as it should be—to first open a document in Protected View (which prompts a ”Be careful, this file originated” warning and confirms that you want to edit it), that vulnerabil­ity won’t manifest. It’s only if you click on the document and then turn off Protected View or Applicatio­n Guard for Office that your PC could be at risk. So don’t do that, OK?

Finally, Microsoft’s last sentence drives home a key point—you might not be impacted as much if you’re running as a standard user rather than with full admin rights. There’s a reason we devoted a whole section to that very topic in our roundup of five easy tasks that can supercharg­e your security ( go.pcworld.com/5tks).

 ?? ??
 ?? ?? Microsoft confirmed the vulnerabil­ity in a security update.
Microsoft confirmed the vulnerabil­ity in a security update.

Newspapers in English

Newspapers from United States