Unpatched Office attack reminds us: Don't click every doc you're sent

An attacker will have to convince you to click on the document as well as turn off Protected View.

Microsoft is warning of a new Office vulnerability that can probably be avoided by continuing to use smart Internet practices. Namely, don’t open untrusted documents.

Researcher EXPMON reported a new vulnerability to Microsoft on Sunday, the company said, and Microsoft confirmed the vulnerability in a security update on Monday. Microsoft has yet to issue a patch, though Microsoft said it will “take the appropriate action to help protect our customers.”

The vulnerability takes advantage of the MSHTML rendering engine used by Internet Explorer, a browser that Microsoft has deprecated. (IE will still run within Edge, but within the browser’s sandbox, protecting your PC.) So instead, the attackers are targeting the IE engine running within Microsoft 365 or Office documents. If a malicious Office document is sent to you via email, then clicked upon and enabled, the vulnerability could be used to give an attacker control of your PC.

“An attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine,” Microsoft said. “The attacker would then have to convince the user to open the malicious document. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.”

Microsoft already has two layers of protection that will secure your PC against this threat. First, you have to click on the malicious document to open it. Second, if your PC is configured (as it should be) to first open a document in Protected View (which prompts a “Be careful, this file originated...” warning and asks you to confirm that you want to edit it), the vulnerability won’t manifest. It’s only if you click on the document and then turn off Protected View or Application Guard for Office that your PC could be at risk. So don’t do that, OK?

Finally, Microsoft’s last sentence drives home a key point—you might not be impacted as much if you’re running as a standard user rather than with full admin rights. There’s a reason we devoted a whole section to that very topic in our roundup of 5 easy tasks that can supercharge your security.
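The two defenses the article relies on, Protected View staying enabled and running as a standard user, are both things you can check on your own PC. The PowerShell script below is an added example written for this page, not code from Microsoft or from the article. It assumes a current Office build that stores Trust Center settings under the "16.0" registry hive, and that the three documented Protected View DWORD values (a value of 1 means that Protected View trigger has been switched off; an absent value means the default, Protected View on) are the ones to inspect. Group Policy values take precedence over the user's own Trust Center settings, so the script consults the policy key first.

```powershell
# Added example for this article (not Microsoft's or the article's own code).
# Assumption: Office 2016/2019/Microsoft 365 Apps keep Protected View settings under the 16.0 hive.
$apps = 'Word', 'Excel', 'PowerPoint'
# Documented Protected View value names (the "Attachements" spelling is how Office writes it).
$valueNames = 'DisableAttachementsInPV', 'DisableInternetFilesInPV', 'DisableUnsafeLocationsInPV'

function Get-ProtectedViewStatus {
    param([string]$App)
    # Policy key (set by Group Policy) wins over the per-user Trust Center key.
    $policyPath = "HKCU:\Software\Policies\Microsoft\Office\16.0\$App\Security\ProtectedView"
    $userPath   = "HKCU:\Software\Microsoft\Office\16.0\$App\Security\ProtectedView"

    foreach ($name in $valueNames) {
        $effective = $null
        foreach ($path in @($policyPath, $userPath)) {
            if (Test-Path $path) {
                $item = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
                if ($null -ne $item) { $effective = [int]$item.$name; break }
            }
        }
        # No value anywhere means Office's default: Protected View is active.
        [pscustomobject]@{
            App                 = $App
            Trigger             = $name -replace '^Disable(.*)InPV$', '$1'
            ProtectedViewActive = ($effective -ne 1)
            Source              = if ($null -eq $effective) { 'default' } else { 'registry' }
        }
    }
}

function Test-RunningAsAdmin {
    # True when the current session holds the Administrators role (i.e. is elevated).
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

$apps | ForEach-Object { Get-ProtectedViewStatus -App $_ } | Format-Table -AutoSize

if (Test-RunningAsAdmin) {
    Write-Warning 'This session has administrative rights; a malicious document opened here can do more damage than under a standard user account.'
} else {
    Write-Host 'This session is running as a standard user.'
}
```

Any row showing ProtectedViewActive as False means that trigger (email attachments, files from the Internet, or files from unsafe locations) has been switched off and the first of Microsoft's two safety layers is gone for that application; re-enable it from File > Options > Trust Center > Protected View, or have your administrator restore it via Group Policy.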