Security analysts are once again warning of a zero-day vulnerability in Microsoft products after reports emerged of active exploitation of CVE-2021-40444, a remote code execution (RCE) vulnerability in the MSHTML component of Internet Explorer (IE) on Windows 10 and several Windows Server versions.
The zero-day was uncovered by researchers from EXPMON and Mandiant. It can be exploited by crafting a malicious ActiveX control for use by a Microsoft Office 365 document that hosts MSHTML (also known as Trident), the rendering engine used by IE, which was succeeded by EdgeHTML in the newer Edge browser. There is currently no available patch.