Microsoft Office Vulnerability Exposes User Data, Including Passwords
A serious security flaw in Microsoft Office has been discovered that could allow attackers to access sensitive information from users' computers, including passwords, certificates, and HTTPS requests. The vulnerability affects multiple versions of Office, including Office 2010, Office 2013, Office 2016, Office 2019, and Office 365 ProPlus.
The vulnerability was reported by security researcher John Page, who found that certain ActiveX controls used by Office applications caused memory leaks of user information and local machine information. ActiveX controls are components that enable interactive features in web pages and applications. However, they can also pose security risks if not properly implemented or configured.
According to Page, the memory leaks occurred when an Office document containing an ActiveX control was opened or closed. The leaked information could include passwords, certificates, HTTPS requests, web server responses, cookies, and other data. Page demonstrated that he could extract the leaked information using a simple Python script.
Page also found that the vulnerability could be exploited remotely by embedding malicious ActiveX controls in web pages or emails. If a user visited such a web page or opened such an email with an Office application, the attacker could access the user's information and local machine information.
Page notified Microsoft of the vulnerability in November 2018, but he said that Microsoft did not provide a patch or a workaround for the issue. He decided to disclose the vulnerability publicly on January 10, 2019, after waiting for more than two months.
Microsoft has not yet issued an official statement or a security advisory regarding the vulnerability. Users are advised to disable ActiveX controls in their Office applications or use alternative software until a fix is available.
How to protect against the ActiveX vulnerability
The ActiveX vulnerability in Microsoft Office is not the first one to be discovered and exploited by attackers. In fact, ActiveX has been a source of security risks for many years, as it allows web pages and applications to run arbitrary code on users' computers. While ActiveX can provide useful functionality, it also exposes users to potential malware infections, data theft, and system compromise.
There are several steps that users can take to protect themselves from this ActiveX vulnerability and similar threats. These include:
Applying the latest security patches for Microsoft Office and Windows. Microsoft has released a security update for CVE-2021-40444 that addresses the vulnerability and prevents its exploitation. Users should install this update as soon as possible to protect their systems.
Disabling or restricting ActiveX controls in Internet Explorer and Office applications. Users can configure their Internet Explorer settings to disable ActiveX controls by default, or to prompt before running them. Users can also use the Trust Center settings in Office applications to disable all ActiveX controls without notification, or to disable them for documents from untrusted sources.
Using alternative browsers and software that do not support ActiveX. Users can switch to browsers such as Chrome, Firefox, or Edge that do not use ActiveX technology. Users can also use alternative software that does not rely on ActiveX controls for functionality, such as LibreOffice or Google Docs.
Being cautious about opening email attachments and visiting unknown websites. Users should avoid opening email attachments from unknown or suspicious senders, as they may contain malicious Office documents that exploit the ActiveX vulnerability. Users should also be wary of visiting websites that prompt them to install or run ActiveX controls, as they may be malicious or compromised.
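As an added illustration of the "disable or restrict ActiveX" step above (this script is not from the article), the PowerShell below audits, and with -Harden applies, the per-user registry values behind the Internet Explorer zone setting "Run ActiveX controls and plug-ins" and the Office Trust Center option "Disable all controls without notification". It assumes per-user (HKCU) settings, Office version keys 14.0/15.0/16.0 for Office 2010/2013/2016-2019-365, and that it is run as the user being audited.

```powershell
# Added example, not the article's code. Audits (and optionally hardens) the
# per-user ActiveX settings for Internet Explorer zones and Office Trust Center.
# Assumptions: HKCU scope; Office keys 14.0/15.0/16.0; run as the audited user.
param([switch]$Harden)

# IE zone value 1200 = "Run ActiveX controls and plug-ins": 0 enable, 1 prompt, 3 disable.
$zoneRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$zones    = @{ 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }
$names    = @{ 0 = 'ENABLED (weak)'; 1 = 'prompt'; 3 = 'disabled' }

function Describe($value) {
    if ($null -ne $value -and $names.ContainsKey([int]$value)) { return $names[[int]$value] }
    return "not set / unknown ($value)"
}

function Set-Dword($key, $name, $value) {
    New-Item -Path $key -Force | Out-Null            # creates the key only if missing
    New-ItemProperty -Path $key -Name $name -Value $value -PropertyType DWord -Force | Out-Null
}

foreach ($z in ($zones.Keys | Sort-Object)) {
    $key = "$zoneRoot\$z"
    $cur = Get-ItemPropertyValue -Path $key -Name '1200' -ErrorAction SilentlyContinue
    Write-Output ("IE zone {0} ({1}): Run ActiveX = {2}" -f $z, $zones[$z], (Describe $cur))
    if ($Harden -and $cur -ne 3) {
        Set-Dword $key '1200' 3
        Write-Output '  -> set to disabled'
    }
}

# Office Trust Center: DisableAllActiveX = 1 is "Disable all controls without notification".
foreach ($ver in '14.0', '15.0', '16.0') {
    if (-not (Test-Path "HKCU:\Software\Microsoft\Office\$ver")) { continue }   # version not installed
    $key = "HKCU:\Software\Microsoft\Office\$ver\Common\Security"
    $cur = Get-ItemPropertyValue -Path $key -Name 'DisableAllActiveX' -ErrorAction SilentlyContinue
    $state = if ($cur -eq 1) { 'disabled without notification' } else { "NOT fully disabled ($cur)" }
    Write-Output ("Office {0} Trust Center: ActiveX {1}" -f $ver, $state)
    if ($Harden -and $cur -ne 1) {
        Set-Dword $key 'DisableAllActiveX' 1
        Write-Output '  -> set to disabled without notification'
    }
}
```

Run without -Harden first to see the current state; Office applications must be restarted for the Trust Center change to take effect.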
By following these best practices, users can reduce their exposure to this ActiveX vulnerability and other similar threats that exploit legacy technologies in Microsoft Windows.