Unpatched Office attack reminds us: Don’t click on risky docs - martinezclinking

Solarseven / Getty Images

Microsoft is admonition of a new Bureau vulnerability that can probably be avoided by continuing to use smart Internet practices. Namely, don't open untrusted documents.

Researcher EXPMON reported a new vulnerability to Microsoft connected Sunday, the company said, and Microsoft confirmed the vulnerability in a security update happening Monday. Microsoft has yet to issue a spot, though Microsoft said it will "contract the suited legal action to help protect our customers."

The exposure takes vantage of the MSHTML rendering engine used by Internet Explorer, a browser that Microsoft has deprecated. (IE will still run inside Edge, but inside the browser's sandbox, protecting your PC.) So alternatively, the attackers are targeting the IE engine running within Microsoft 365 OR Office documents. If a malicious Office document is transmitted you via email, then clicked upon and enabled, the vulnerability could be wont to consecrate an attacker control of your Personal computer.

"An attacker could craft a leering ActiveX control to beryllium misused by a Microsoft Office document that hosts the browser interpretation railway locomotive," Microsoft said. "The attacker would then have to convince the user to open the malicious document. Users whose accounts are organized to have fewer exploiter rights along the system could be inferior impacted than users who operate with administrative user rights."

Microsoft already has 2 layers of protection that leave secure your PC against this scourge. Archetypal, you first have to click on the catty document to open it. Second, if your PC is configured (as it should be) to initiatory surface a document in Protected Sight (which prompts a"Be careful, this file originated…" warning, and confirms you require to edit it), that vulnerability won't manifest. IT's only if you click on the document and then turn off Protected View or Application Defend for Office that your PC could be at hazard. So don't bash that, OK?

Finally, Microsoft's last sentence drives nursing home a key point—you might non represent impacted as practically if you're track as a standard user rather than with full admin rights. There's a reason we dedicated a whole section to that very issue in our roundup of 5 easy tasks that tail end supercharge your security.

Note: When you purchase something after clicking links in our articles, we whitethorn earn a bantam commission. Read our associate radio link policy for more details.

As PCWorld's senior editor, Saint Mark focuses on Microsoft news and chip technology, among other beats. He has erst written for PCMag, BYTE, Slashdot, eWEEK, and ReadWrite.