Microsoft rates the vulnerability as 8.8 out of 10 on the Common Vulnerabilities Scoring System version 3.0, and said the attack complexity is low with proof-of-concept code being available.
Users would then be asked to open a Microsoft Office document that hosts the browser rendering engine to execute the malicious code.
The company has received and confirmed reports that an attacker can write an ActiveX control, a now deprecated software framework that has been plagued by security issues, which can be deployed through malicious Microsoft Office documents. A new zero-day vulnerability in the Trident MSHTML rendering engine for Windows is currently being exploited in targeted attacks, Microsoft has warned.
