Microsoft is warning all Windows 10 users that a previously unknown, and therefore unpatched, vulnerability is being exploited by cybercriminals. This is a new zero-day vulnerability and is rated as high (only one notch below the top rating, critical) because it could allow an attacker to remotely execute code on a victim's computer, and potentially take complete control of it.
Microsoft says it is aware that some cybercriminal organizations are already taking advantage of the CVE-2021-40444 vulnerability and advises all users to be extremely careful until a patch is available.
The vulnerability lies within Internet Explorer, an old web browser that is included in Windows 10 primarily for backwards compatibility, and more specifically within its MSHTML rendering engine. But nobody uses Internet Explorer anymore, right? Wrong. Microsoft Office apps like Word, Excel, Outlook, etc., use the MSHTML engine as well, and that's what attackers are aiming at because it is used far and wide.
The attackers have crafted special Office documents that load MSHTML when opened, which in turn render a specially constructed malicious web page and employ an ActiveX control to download the malware payload. The malware payload could be anything, but it will usually include some sort of backdoor (so the attackers can get back in later), and eventually some sort of ransomware will be detonated.
As with most malware, users without administrator rights will be less impacted than those with greater privileges, of course.
Opening Microsoft Office documents from untrusted sources has always been risky, in the past mostly due to embedded macros (small programs), and this new vulnerability just exacerbates the situation.
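A triage check for the document behaviour described above, as an added example that is not from the article or from Microsoft: it lists the parts of an Office Open XML file that point at remote content fetched when the file is opened. The relationship kinds flagged, the sample packages and the example.invalid URLs are assumptions constructed for illustration, not indicators taken from this campaign.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
BASE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
# Assumption: relationship kinds whose external target is fetched when the file
# opens. Hyperlinks are external too, but are only followed on a click.
AUTOLOAD_KINDS = {"oleObject", "attachedTemplate", "frame"}
MAX_RELS_BYTES = 1_000_000  # skip oversized parts (zip-bomb guard)

def scan_ooxml(data: bytes) -> list[dict]:
    """Return external, load-on-open relationships found in an OOXML package."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        for info in pkg.infolist():
            if not info.filename.endswith(".rels") or info.file_size > MAX_RELS_BYTES:
                continue
            try:
                root = ET.fromstring(pkg.read(info))
            except ET.ParseError:
                # A package Office can open but we cannot parse deserves a look.
                findings.append({"part": info.filename, "kind": "unparseable", "target": ""})
                continue
            for rel in root.iter(REL_NS + "Relationship"):
                if rel.get("TargetMode", "").lower() != "external":
                    continue  # internal parts never leave the package
                kind = rel.get("Type", "").rsplit("/", 1)[-1]
                if kind in AUTOLOAD_KINDS:
                    findings.append({"part": info.filename, "kind": kind,
                                     "target": rel.get("Target", "")})
    return findings

def build_sample(rels_xml: str) -> bytes:
    """Constructed sample: a zip holding only a document .rels part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()

_HEAD = '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
SUSPICIOUS = build_sample(_HEAD + f'<Relationship Id="rId1" Type="{BASE}oleObject" '
    'Target="http://example.invalid/page.html" TargetMode="External"/></Relationships>')
BENIGN = build_sample(_HEAD + f'<Relationship Id="rId1" Type="{BASE}hyperlink" '
    'Target="https://example.invalid/" TargetMode="External"/>'
    f'<Relationship Id="rId2" Type="{BASE}styles" Target="styles.xml"/></Relationships>')

if __name__ == "__main__":
    print(scan_ooxml(SUSPICIOUS), scan_ooxml(BENIGN))
```

A hit means the file should be opened only in an isolated viewer and its target reviewed; an empty result does not prove a document is safe.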