Updated: Infosec researchers have identified a zero-day code execution vulnerability in Microsoft's ubiquitous Office software.
Called "Follina", the vulnerability has been floating around for some time (cybersecurity researcher Kevin Beaumont traced it back to a report made to Microsoft on April 12). It abuses Office's remote template functionality to retrieve an HTML file from a web server, and that HTML in turn invokes the Microsoft Support Diagnostic Tool (MSDT) through the ms-msdt: URL protocol handler to run code.
This is a good find, it looks like an EDR toolkit from the initial tests. (Possibly more surprises that Word didn’t block).
– Kevin Beaumont (@GossiTheDog) May 29, 2022
Worse, it works in Microsoft Word even when macros are disabled.
The vulnerability was posted on Twitter late last week by the @nao_sec account, which pointed to the use of ms-msdt to run PowerShell code.
When it comes to mitigation, there isn't much. Huntress's post on the subject suggested that organisations using Microsoft Defender's Attack Surface Reduction (ASR) rules set the "Block all Office applications from creating child processes" rule to block mode.
An alternative suggested by vulnerability analyst Will Dormann would be to remove the ms-msdt: protocol handler registration (the HKEY_CLASSES_ROOT\ms-msdt registry key) so that Office can no longer launch MSDT through it.
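The two workarounds above, as an added example that is not part of the article and not Huntress's, Dormann's or Microsoft's own script. It assumes an elevated PowerShell session, that the backup file path is illustrative, and that the ASR rule GUID D4F940AB-401B-4EFC-AADC-AD5F3C50688A is the one Defender uses for "Block all Office applications from creating child processes":

```powershell
# Added example: apply both Follina workarounds on one host (run as Administrator).
# Assumption: the backup path below is illustrative; adjust to taste.
$backup = Join-Path $env:ProgramData 'ms-msdt-backup.reg'

# 1. Export, then remove, the ms-msdt: protocol handler so that Office (or any
#    other app) can no longer hand a URL to MSDT. 'reg export' fails harmlessly
#    if the key is already gone, hence the Test-Path guard before the delete.
reg export HKEY_CLASSES_ROOT\ms-msdt $backup /y
if (Test-Path 'Registry::HKEY_CLASSES_ROOT\ms-msdt') {
    Remove-Item -Path 'Registry::HKEY_CLASSES_ROOT\ms-msdt' -Recurse -Force
}

# 2. Turn on the Defender ASR rule "Block all Office applications from creating
#    child processes" in block mode (Enabled = block; AuditMode logs only).
$ruleId = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'   # assumption: rule GUID as documented by Microsoft
Add-MpPreference -AttackSurfaceReductionRules_Ids $ruleId `
                 -AttackSurfaceReductionRules_Actions Enabled

# 3. Verify: handler gone, rule present with action 1 (Block).
if (Test-Path 'Registry::HKEY_CLASSES_ROOT\ms-msdt') {
    Write-Warning 'ms-msdt handler still registered'
}
$pref = Get-MpPreference
$idx  = [array]::IndexOf($pref.AttackSurfaceReductionRules_Ids, $ruleId)
if ($idx -lt 0 -or $pref.AttackSurfaceReductionRules_Actions[$idx] -ne 1) {
    Write-Warning 'ASR child-process rule is not in block mode'
}

# Roll back the handler later, if a diagnostic workflow needs MSDT:
#   reg import $backup
```

The ASR rule is the broader of the two controls and can break legitimate Office automation that spawns child processes, so run it in AuditMode first and review the Defender events before switching to Enabled. Deleting the handler key only breaks the ms-msdt: launch path; it does nothing about other ways of reaching MSDT.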
Dormann told The Register, “Once you see the UI, it’s too late. So it really doesn’t matter.”
Then again, seeing the UI isn't guaranteed. Beaumont told The Register: "The first wild sample I saw hides the UI."
Beyond that, security teams should warn users to be wary of attachments. However, an attacker using a Rich Text Format (RTF) file in conjunction with the Windows Explorer preview pane could theoretically skip the step of the user clicking on the file at all.
Although the initial attack only executes code with the privileges of the user account that opened the malicious document, that foothold opens the door to follow-on attacks that escalate privileges. It's also worth noting that the current exploit does pop up the Microsoft Support Diagnostic Tool's user interface, though it's all too easy to imagine a user impatiently clicking through it.
Beaumont and other researchers have published detection rules for Defender and the like, but until the vulnerability is fixed, monitoring will be needed.
"Detection," Beaumont wrote in a post on the subject, "will probably not be great, as Word loads malicious code from a remote template (web server), so nothing in the Word document is really malicious."
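Beaumont's point is that the .docx itself carries no payload, only a relationship pointing at a remote resource, so static triage has to look at the package's relationship parts rather than its text. The following is an added example, not code from the article or from Beaumont: a small Python scanner that unzips an OOXML document, lists every relationship marked External across all .rels parts, and alerts when a kind of relationship Word resolves automatically on open (an embedded OLE object or an attached template) points at an http(s) URL, or when the ms-msdt: scheme appears anywhere in the package. The three documents it checks are constructed inline; the hostnames are placeholders and the choice of which relationship types to treat as auto-fetched is this example's own assumption.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
# Assumption for this example: relationship kinds Word resolves without a click.
AUTO_FETCH_TYPES = {"oleObject", "attachedTemplate"}
MSDT_RE = re.compile(rb"ms-msdt:", re.IGNORECASE)


def external_relationships(docx_bytes):
    """Return (rels_part, short_type, target) for every relationship whose
    TargetMode is External, scanning every .rels part in the package."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode", "Internal").lower() == "external":
                    short_type = rel.get("Type", "").rsplit("/", 1)[-1]
                    found.append((name, short_type, rel.get("Target", "")))
    return found


def triage(docx_bytes):
    """Return a list of alert strings; an empty list means nothing suspicious.
    Hyperlinks are External too, but need a click, so they are not alerted on."""
    alerts = []
    for part, short_type, target in external_relationships(docx_bytes):
        fetched = target.lower().startswith(("http://", "https://"))
        if short_type in AUTO_FETCH_TYPES and fetched:
            alerts.append(f"{part}: {short_type} auto-fetched from {target}")
        if MSDT_RE.search(target.encode("utf-8", "ignore")):
            alerts.append(f"{part}: {short_type} target uses the ms-msdt: scheme")
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels") and MSDT_RE.search(z.read(name)):
                alerts.append(f"{name}: ms-msdt: string inside document part")
    return alerts


def make_docx(rels_parts):
    """Build a minimal OOXML package (constructed test input, not a real file).
    rels_parts maps a .rels path inside the zip to its XML text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml",
                   '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("word/document.xml",
                   '<?xml version="1.0"?><w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
        for path, xml in rels_parts.items():
            z.writestr(path, xml)
    return buf.getvalue()


def _rels(*relationships):
    body = "".join(relationships)
    return f'<?xml version="1.0" encoding="UTF-8"?><Relationships xmlns="{REL_NS}">{body}</Relationships>'


OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"

# Constructed samples. Hostnames are placeholders, not real infrastructure.
BENIGN_DOCX = make_docx({"word/_rels/document.xml.rels": _rels(
    f'<Relationship Id="rId1" Type="{OFFICE_REL}styles" Target="styles.xml"/>',
    f'<Relationship Id="rId2" Type="{OFFICE_REL}hyperlink" Target="https://example.com/" TargetMode="External"/>',
)})
OLE_DOCX = make_docx({"word/_rels/document.xml.rels": _rels(
    f'<Relationship Id="rId1" Type="{OFFICE_REL}oleObject" Target="http://example.invalid/page.html" TargetMode="External"/>',
)})
TEMPLATE_DOCX = make_docx({"word/_rels/settings.xml.rels": _rels(
    f'<Relationship Id="rId1" Type="{OFFICE_REL}attachedTemplate" Target="https://example.invalid/t.dotm" TargetMode="External"/>',
)})

if __name__ == "__main__":
    for label, doc in [("benign", BENIGN_DOCX), ("ole", OLE_DOCX), ("template", TEMPLATE_DOCX)]:
        print(label, triage(doc) or "clean")
```

Running it prints "clean" for the benign document and one alert each for the OLE and template documents. This catches the delivery mechanism rather than any particular payload, which is the right level given that the fetched HTML can change freely; a follow-up step in a real pipeline would retrieve the target in a sandbox and run the same ms-msdt: check over the response.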
Interestingly, although Microsoft had not yet publicly acknowledged the issue, Beaumont noted that it appears to have been fixed in the latest Insider and Current channel builds of Office. However, he reported that the hole was still present in Office 2013 and 2016. Other users said they could exploit the vulnerability in a fully updated Office 2019, while Didier Stevens showed the exploit running in Office 2021.
As Beaumont said, “Historically, when there are easy ways to run code directly from Office, people use it to do bad things. This breaks the limit of having macros disabled.”
The Register has asked Microsoft to comment. That initial April 12 report was closed on the grounds that it was not a security issue. "To be clear," said Beaumont, "running msdt with macros disabled is a problem." ®
Updated to add on May 31, 2022:
A Microsoft spokesperson got in touch to say the company now treats the flaw as a security vulnerability: "To help protect customers, we've posted CVE-2022-30190 and additional guidance here."