Unpatched Office attack reminds us: Don't click every doc you're sent

An attacker will have to convince you to click on the document as well as turn off Protected View.

Credit: Dreamstime: Dimarik16

Microsoft is warning of a new Office vulnerability that can probably be avoided by continuing to use smart Internet practices. Namely, don’t open untrusted documents.

Researcher EXPMON reported a new vulnerability to Microsoft on Sunday, the company said, and Microsoft confirmed the vulnerability in a security update on Monday.  Microsoft has yet to issue a patch, though Microsoft said it will “take the appropriate action to help protect our customers.”

The vulnerability takes advantage of the MSHTML rendering engine used by Internet Explorer, a browser that Microsoft has deprecated. (IE will still run within Edge, but within the browser’s sandbox, protecting your PC.) So instead, the attackers are targeting the IE engine running within Microsoft 365 or Office documents. If a malicious Office document is sent you via email, then clicked upon and enabled, the vulnerability could be used to give an attacker control of your PC.

“An attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine,” Microsoft said. “The attacker would then have to convince the user to open the malicious document. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.”

Microsoft already has two layers of protection that will secure your PC against this threat. First, you first have to click on the malicious document to open it. Second, if your PC is configured (as it should be) to first open a document in Protected View (which prompts a ”Be careful, this file originated...” warning, and confirms you want to edit it), that vulnerability won’t manifest. It’s only if you click on the document and then turn off Protected View or Application Guard for Office that your PC could be at risk. So don’t do that, OK?

Finally, Microsoft’s last sentence drives home a key point—you might not be impacted as much if you’re running as a standard user rather than with full admin rights. There’s a reason we devoted a whole section to that very topic in our roundup of 5 easy tasks that can supercharge your security.

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.
Mark Hachman

Mark Hachman

PC World
Show Comments

Most Popular Reviews

Latest Articles


PCW Evaluation Team

Tom Pope

Dynabook Portégé X30L-G

Ultimately this laptop has achieved everything I would hope for in a laptop for work, while fitting that into a form factor and weight that is remarkable.

Tom Sellers


This smart laptop was enjoyable to use and great to work on – creating content was super simple.

Lolita Wang


It really doesn’t get more “gaming laptop” than this.

Jack Jeffries


As the Maserati or BMW of laptops, it would fit perfectly in the hands of a professional needing firepower under the hood, sophistication and class on the surface, and gaming prowess (sports mode if you will) in between.

Taylor Carr


The MSI PS63 is an amazing laptop and I would definitely consider buying one in the future.

Christopher Low

Brother RJ-4230B

This small mobile printer is exactly what I need for invoicing and other jobs such as sending fellow tradesman details or step-by-step instructions that I can easily print off from my phone or the Web.

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?