“Follina” is a new zero-day flaw in Office: how to protect yourself
A zero-day vulnerability known as "Follina" has been identified that affects Microsoft Office and allows arbitrary code execution via the Microsoft Support Diagnostic Tool (MSDT). The flaw was reported by nao_sec on Twitter, in a post describing a malicious document submitted to VirusTotal from Belarus: the document uses Word's external (remote template) link to load an HTML file, which in turn uses the ms-msdt URI scheme to execute PowerShell code.
Interesting maldoc was submitted from Belarus. It uses Word's external link to load the HTML and then uses the "ms-msdt" scheme to execute PowerShell code. https://t.co/hTdAfHOUx3 pic.twitter.com/rVSb02ZTwt
- nao_sec (@nao_sec) May 27, 2022
Security researcher Kevin Beaumont found that the flaw had already been reported to Microsoft on April 12, but the company had closed the report without recognizing it as a security issue.
While it is true that the exploit currently (though not always) opens a pop-up window of the Microsoft Support Diagnostic Tool, it is more than plausible that an average user closes that window without a second thought. The real problem, in any case, is that Word loads the malicious code from a remote template served by a web server, so nothing inside the Word document itself triggers anti-virus detection or security suites in general.
To protect against the threat, researchers suggest two methods. The first uses Microsoft Defender's attack surface reduction (ASR) rules, enabling the rule "Block Office applications from creating child processes". Alternatively, analyst Will Dormann recommends removing the file type association for ms-msdt, as he shared in a Twitter post.
Microsoft has now weighed in, publishing dedicated guidance for the vulnerability, tracked as CVE-2022-30190. The company recommends disabling the MSDT URL protocol as a temporary workaround, at least until an official patch is available. Here is how:
1. Run Command Prompt as Administrator: type "cmd" in the taskbar search, right-click cmd.exe and select "Run as Administrator".
2. Back up the registry key with the command reg export HKEY_CLASSES_ROOT\ms-msdt filename, where "filename" is a file name of your choosing.
3. Run the command reg delete HKEY_CLASSES_ROOT\ms-msdt /f
To undo the workaround:
1. Run Command Prompt as Administrator.
2. Restore the registry key with the command reg import filename, where "filename" is the name of the file you chose in the backup step.
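The following script is an added example and is not Microsoft's own tooling or code from the article. It automates the two workarounds described above: Microsoft's registry change (export, delete and later import of HKEY_CLASSES_ROOT\ms-msdt, using the same reg.exe commands as the manual steps) and, optionally, the Defender ASR rule that blocks Office applications from creating child processes. The default backup path and the switch names are assumptions of this example; the ASR rule GUID is the rule's published identifier and is not taken from the article.

```powershell
# Added example, not Microsoft's own script. Run from an elevated PowerShell session.
#   .\Follina-Workaround.ps1                 # back up and delete the ms-msdt key
#   .\Follina-Workaround.ps1 -EnableAsr      # ...and turn on the Defender ASR rule
#   .\Follina-Workaround.ps1 -Restore        # re-import the backed-up key
[CmdletBinding()]
param(
    [switch] $Restore,      # re-import the backed-up key instead of deleting it
    [switch] $EnableAsr,    # also enable the ASR rule (requires Defender AV to be active)
    [string] $BackupFile = "$env:SystemDrive\ms-msdt-backup.reg"   # assumed default path
)

$KeyPath = 'HKEY_CLASSES_ROOT\ms-msdt'
$KeyPS   = "Registry::$KeyPath"   # provider path so Test-Path can check the key

# Published GUID of the ASR rule "Block all Office applications from creating child
# processes" (not from the article).
$OfficeChildProcRule = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'

function Test-Elevated {
    $id        = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Invoke-Reg {
    # Runs reg.exe and stops the script on a non-zero exit code, so a failed
    # export can never be followed by a delete.
    param([string[]] $RegArgs)
    & reg.exe @RegArgs | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "reg.exe $($RegArgs -join ' ') failed with exit code $LASTEXITCODE"
    }
}

if (-not (Test-Elevated)) {
    throw 'Run this from an elevated (Administrator) PowerShell session.'
}

if ($Restore) {
    if (-not (Test-Path -LiteralPath $BackupFile)) {
        throw "Backup file $BackupFile not found; nothing to restore."
    }
    Invoke-Reg @('import', $BackupFile)
    Write-Host "Restored $KeyPath from $BackupFile"
    return
}

if (Test-Path -LiteralPath $KeyPS) {
    # /y overwrites an existing backup file without prompting
    Invoke-Reg @('export', $KeyPath, $BackupFile, '/y')
    Invoke-Reg @('delete', $KeyPath, '/f')
    if (Test-Path -LiteralPath $KeyPS) { throw "$KeyPath is still present after delete" }
    Write-Host "Disabled the ms-msdt URL protocol; backup saved to $BackupFile"
} else {
    Write-Host "$KeyPath is already absent; the MSDT URL protocol is disabled."
}

if ($EnableAsr) {
    # Add-MpPreference merges this rule into the existing ASR list instead of replacing it.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $OfficeChildProcRule `
                     -AttackSurfaceReductionRules_Actions Enabled
    Write-Host "Enabled ASR rule $OfficeChildProcRule (block Office child processes)"
}
```

The export is verified before the delete runs, so a machine is never left without a backup of the key; re-running the script on an already-mitigated host reports the key as absent instead of failing.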
Microsoft Office zero-day flaw 'Follina' uncovered by researchers
Cybersecurity researchers have uncovered a new zero-day vulnerability in Microsoft Office.
The flaw allows attackers to execute arbitrary code via the Microsoft Support Diagnostic Tool (MSDT). All it takes to exploit the vulnerability is for a victim to open an infected Word document.
The flaw, dubbed 'Follina' by the infosec community, was discovered when a Japanese security research group known as nao_sec found a Word document (05-2022-0438.doc) that was submitted to VirusTotal from a Belarusian IP address.
The document makes use of the Word remote template feature in order to retrieve an HTML file from a remote webserver. This HTML file then uses the ms-msdt MSProtocol URI scheme to load some code and run it in PowerShell.
MSDT is a utility that is used to troubleshoot and gather diagnostic data for the purpose of analysis and resolution of an issue by support experts.
Security expert Kevin Beaumont claimed in a post that he observed Microsoft Word executing the code via MSDT even when macros were turned off.
He added that the Protected View function in Microsoft Office, which is supposed to alert users of files originating from potentially unsafe places, does warn users of the likelihood of a malicious document. However, this warning can be easily bypassed by converting the document to a Rich Text Format (RTF) file.
The obfuscated code may then execute 'without even opening the document via the preview tab in Explorer.'
Beaumont refers to the flaw as 'Follina' because the file name of the discovered sample contains the number 0438, which is the area code for Follina in Italy.
Huntress Labs, a cybersecurity firm, conducted an independent investigation of the attack flow, and discovered that the HTML file ('RDF842l.html') that triggers the exploit comes from a domain named xmlformats[.]com that is no longer accessible.
'A Rich Text Format file (.RTF) could trigger the invocation of this exploit with just the Preview Pane within Windows Explorer,' Huntress Labs' John Hammond said.
It is reported that multiple versions of Microsoft Office, including Office 2013, Office 2016 and Office 2021, are vulnerable.
Richard Warren of the NCC Group was able to successfully demonstrate the vulnerability in Office Professional Plus with the April 2022 patches installed, while it was operating on an up-to-date Windows 11 computer with the preview pane turned on.
Researcher Didier Stevens showed that the attack is functional on a patched version of Microsoft Office 2021.
It is not known whether the zero-day flaw has been actively exploited by malicious parties.
Huntress recommends monitoring the processes running on the system in order to identify an attack via this vector, because the Follina payload spawns a child process, 'msdt.exe', under the malicious Microsoft Office parent.
On Monday, Microsoft disclosed the CVE identifier for this vulnerability, CVE-2022-30190. The company also released a Security Update and an article with guidance.
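As an added example of the monitoring Huntress recommends (this is not Huntress's or the article's code), the function below flags any msdt.exe process whose parent is a Microsoft Office application, the parent/child relationship described above. The list of Office image names is an assumption of this example, and the sample process records are constructed, not real telemetry; the same function can be fed the live process list from Get-CimInstance Win32_Process.

```powershell
# Added example, not part of the article or any vendor tooling.

# Assumption: these image names cover the Office hosts of interest (compared case-insensitively).
$OfficeParents = @('winword.exe', 'excel.exe', 'powerpnt.exe', 'outlook.exe')

function Find-OfficeSpawnedMsdt {
    param(
        # Objects exposing Name, ProcessId, ParentProcessId and CommandLine,
        # the shape Win32_Process instances have.
        [Parameter(Mandatory)] [object[]] $Processes
    )
    # Index by PID so every msdt.exe can resolve its parent in one lookup.
    $byPid = @{}
    foreach ($p in $Processes) { $byPid[[int]$p.ProcessId] = $p }

    foreach ($p in $Processes) {
        if ($p.Name.ToLower() -ne 'msdt.exe') { continue }
        $parent = $byPid[[int]$p.ParentProcessId]
        if ($null -ne $parent -and $OfficeParents -contains $parent.Name.ToLower()) {
            [pscustomobject]@{
                Pid         = $p.ProcessId
                ParentName  = $parent.Name
                ParentPid   = $parent.ProcessId
                CommandLine = $p.CommandLine
            }
        }
    }
}

# Constructed sample (not real telemetry): one msdt.exe spawned by Word, which must be
# flagged, and one launched from a non-Office parent, which must not be.
$sample = @(
    [pscustomobject]@{ Name = 'explorer.exe'; ProcessId = 1000; ParentProcessId = 800;  CommandLine = 'explorer.exe' }
    [pscustomobject]@{ Name = 'WINWORD.EXE';  ProcessId = 2000; ParentProcessId = 1000; CommandLine = '"WINWORD.EXE" /n "invoice.docx"' }
    [pscustomobject]@{ Name = 'msdt.exe';     ProcessId = 3000; ParentProcessId = 2000; CommandLine = 'msdt.exe <constructed arguments>' }
    [pscustomobject]@{ Name = 'SystemSettings.exe'; ProcessId = 2100; ParentProcessId = 1000; CommandLine = 'SystemSettings.exe' }
    [pscustomobject]@{ Name = 'msdt.exe';     ProcessId = 3100; ParentProcessId = 2100; CommandLine = 'msdt.exe <constructed, benign>' }
)

$hits = @(Find-OfficeSpawnedMsdt -Processes $sample)
$hits | Format-Table -AutoSize
if ($hits.Count -ne 1 -or $hits[0].Pid -ne 3000) { throw 'unexpected detection result on the sample data' }

# On a live host, run the same check against real processes:
#   Find-OfficeSpawnedMsdt -Processes (Get-CimInstance Win32_Process)
```

Scheduling the live variant, or expressing the same parent/child condition as a rule over process-creation events in your EDR or Sysmon pipeline, turns this one-off check into continuous detection; the sample run shows only the Word-spawned msdt.exe (PID 3000) being reported.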
However, Microsoft is yet to release a patch for the bug.
According to the information provided by the firm, an adversary who successfully exploits this vulnerability can execute arbitrary code with the privileges of the calling application.
'The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user's rights,' Microsoft said.
As a mitigating measure, Microsoft suggests disabling the MSDT URL protocol.
'Disabling MSDT URL protocol prevents troubleshooters being launched as links including links throughout the operating system. Troubleshooters can still be accessed using the Get Help application and in system settings as other or additional troubleshooters.'