Microsoft has released a patch for the MSHTML security bug that’s being used with Office documents to infect computers.
The bug is in MSHTML, the browser rendering engine used by Microsoft Office. If someone is tricked into opening a hacked Office document with ActiveX control, they could infect their computer with some virus, ransomware or other nasty. It’s officially called CVE-2021-40444 Microsoft MSHTML Remote Code Execution Vulnerability
There’s an increased risk because the infected document can be in the ‘new’ Office document format, most likely .docx. Many of the infected docs have to be in the older .doc .xls etc formats but not this MSHTML problem.
Microsoft moved quickly to patch this fault because criminals are already using it to attack computers.
What to do
Get the September 2021 security updates, available for all Windows versions from Windows 7, 8, 8.1 and 10 plus Server editions. There’s also a Sept 2021 update for Windows 11 (still in beta) which (hopefully) has the patch too.
Updates should happen automatically or go to Settings | Windows Update and force an update. Or the CVE article above has links to individual downloads (scroll to the bottom).
No update to Office is necessary, at least not to patch this particular problem. It’s always a good idea to keep both Windows and Office fully up to date with security fixes.