Unpatched Office attack reminds us: Don’t click on risky docs
An attacker will have to convince you to click on the document as well as turn off Protected View.
Microsoft is warning of a new Office vulnerability that is probably avoidable with smart Internet practices—namely, don’t open untrusted documents.
Researcher EXPMON reported a new vulnerability for Microsoft Office, the company said (go.pcworld.com/expm). Microsoft confirmed the vulnerability in a security update (go.pcworld.com/mcon). Microsoft has yet to issue a patch for it, although the company said it would “take the appropriate action to help protect our customers.”
The vulnerability takes advantage of the MSHTML rendering engine used by Internet Explorer, a browser that Microsoft has deprecated. (IE will still run within Edge, but inside the browser’s sandbox, which protects your PC.) So instead the attackers are targeting the IE engine running within Microsoft 365 or Office documents. If a malicious Office document is sent to you via email, and you click on it or enable it, the vulnerability could be used to give an attacker control of your PC.
“An attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine,” Microsoft said. “The attacker would then have to convince the user to open the malicious document. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.”
Microsoft already has two layers of protection that will secure your PC against this threat. First, you have to click on the malicious document to open it. Second, if your PC is configured—as it should be—to first open a document in Protected View (which shows a “Be careful, this file originated” warning and asks you to confirm that you want to edit it), the vulnerability won’t manifest. It’s only if you click on the document and then turn off Protected View or Application Guard for Office that your PC could be at risk. So don’t do that, OK?
Finally, Microsoft’s last sentence drives home a key point—you might not be impacted as much if you’re running as a standard user rather than with full admin rights. There’s a reason we devoted a whole section to that very topic in our roundup of five easy tasks that can supercharge your security (go.pcworld.com/5tks).
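A quick way to confirm the two safeguards above are actually in place on a PC, as an added example that is not from the article or from Microsoft: the script reads the standard Office Protected View registry values for Word, Excel and PowerPoint and reports whether the current session is running with administrative rights. The “16.0” version branch and the three application names are assumptions for Microsoft 365 / Office 2016 and later.

```powershell
# Added audit script (not from the article): reports whether Protected View is
# still enabled for Word, Excel and PowerPoint, and whether the current session
# is elevated. Registry paths follow the standard Office layout; the "16.0"
# version branch is an assumption for Office 2016/2019/Microsoft 365.
$OfficeVersion = '16.0'
$Apps = 'Word', 'Excel', 'PowerPoint'
# Each of these values set to 1 switches off one Protected View trigger
# (Internet-zone files, Outlook attachments, unsafe locations).
$PvValues = 'DisableInternetFilesInPV', 'DisableAttachementsInPV', 'DisableUnsafeLocationsInPV'

function Get-ProtectedViewStatus {
    param([string]$App)
    # The Group Policy branch takes precedence over the per-user preference branch.
    $paths = @(
        "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$App\Security\ProtectedView",
        "HKCU:\Software\Microsoft\Office\$OfficeVersion\$App\Security\ProtectedView"
    )
    $disabled = @()
    foreach ($path in $paths) {
        # A missing key means the default (Protected View on) is in effect.
        if (-not (Test-Path $path)) { continue }
        $props = Get-ItemProperty -Path $path
        foreach ($name in $PvValues) {
            if ($props.PSObject.Properties[$name] -and $props.$name -eq 1) {
                $disabled += "$name ($path)"
            }
        }
    }
    [pscustomobject]@{
        Application         = $App
        ProtectedViewIntact = ($disabled.Count -eq 0)
        DisabledTriggers    = ($disabled -join '; ')
    }
}

function Test-RunningElevated {
    # True when the current token carries the built-in Administrators role.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

$Apps | ForEach-Object { Get-ProtectedViewStatus -App $_ } | Format-Table -AutoSize
if (Test-RunningElevated) {
    Write-Warning 'This session runs with administrative rights; a document exploit would inherit them.'
} else {
    Write-Output 'Session runs as a standard user (reduced impact, as Microsoft notes).'
}
```

Any row with ProtectedViewIntact set to False names the trigger that was switched off and the registry key that did it, so it can be reverted or enforced through policy.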