How Hackers Are Exploiting Microsoft Word Documents to Hack Windows

MakeUseOf

By Rubaiat Hossain

Published Sep 13, 2021

A nasty new exploit means that simply opening a compromised Word document can cause huge damage to your system.

A recently discovered bug in Microsoft's proprietary MSHTML browser engine gives hackers remote code execution in all versions of Windows. Attackers are using specially crafted Word documents to exploit this zero-day bug. Unfortunately, MSHTML is also used by several Microsoft products, including Skype, Visual Studio, and Microsoft Outlook, so the problem is pretty widespread.

As such, let's explore how the exploit works and how to keep yourself safe from it.

How Does the Microsoft Word Zero-Day Exploit Work?

The attack begins when users are tricked into opening a weaponized Word document. This document will contain a specially crafted ActiveX control meant for handling by the MSHTML engine. When loaded successfully, hackers can use this ActiveX control to run remote code on the compromised device.

Microsoft is tracking this bug as CVE-2021-40444 and has assigned it a CVSS score of 8.8. It makes the MSHTML bug a high-impact problem with the potential of causing considerable damage.

How to Mitigate the MSHTML Attack

Users can prevent the MSHTML attack by not opening untrusted Word documents. Even if you accidentally click on such documents, running Office with default configurations will likely keep you safe from this latest Microsoft-related zero-day attack.

By default, Office opens documents downloaded from the internet in either Protected View or Application guard for Office. This feature prevents untrusted files from accessing crucial system resources, so you'll likely be safe.

However, users who operate with admin privileges are at high risk from the MSHTML attack. Since no working patch is available now, we recommend opening Office documents only as a standard user, where Protected View can save you. Microsoft has also said that disabling ActiveX control can prevent this attack.

How to Disable ActiveX Control

To disable ActiveX control, open a text editor and create a file named disable-activex.reg. You can call this file anything as long as the .reg extension is there. Now, paste the following into the file and save it.

        Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
"1001"=dword:00000003
"1004"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
"1001"=dword:00000003
"1004"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
"1001"=dword:00000003
"1004"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1001"=dword:00000003
"1004"=dword:00000003

Double click on the file and click on Yes when prompted by Windows. Restart your PC once that's done, and Windows will apply the new configurations.

Beware of Untrusted Word Documents

Microsoft has yet to release official patches for the MSHTML exploit. So, not clicking documents downloaded from the internet is your best bet if you want to stay secure. Luckily, Defender can detect and prevent this attack from compromising your system. So make sure to turn on Microsoft Defender and enable real-time protection.