Microsoft gives mitigation advice for Follina vulnerability exploitable via Office apps


Attackers are actively exploiting an unpatched remote code execution (RCE) vulnerability in a Windows component called the Microsoft Support Diagnostic Tool (MSDT) through weaponised Word documents.

Microsoft has responded with mitigation advice that can be used to block the attacks until a permanent patch is released.

An exploit for the vulnerability, now tracked as CVE-2022-30190, was found in the wild by an independent security research team dubbed nao_sec, which spotted a malicious Word document uploaded to VirusTotal from an IP in Belarus. However, more malicious samples dating from April have also been found, suggesting the vulnerability has been exploited for over a month.

A Word exploit, but not a Word flaw

Because the original exploit came in the form of a Word document, there were initial rumours that the vulnerability was located in Word or the larger Office suite. 

However, security researcher Kevin Beaumont, who dubbed the flaw Follina before it had a CVE identifier, analysed the exploit and concluded that it leveraged the Word remote template feature to retrieve an HTML file from a remote server and then used the ms-msdt URL scheme to load malicious code and a PowerShell script.

“There’s a lot going on here, but the first problem is Microsoft Word is executing the code via msdt (a support tool) even if macros are disabled,” Beaumont said in a blog post. “Protected View does kick in, although if you change the document to RTF form, it runs without even opening the document (via the preview tab in Explorer) let alone Protected View.”

Beaumont did some initial testing, and the exploit seemed to fail on the Insider and Current versions of Office but worked on others. However, more researchers later tested the exploit, confirming that it works on fully up-to-date versions of Office 2013, 2016, 2019, 2021, Office ProPlus and Office 365.

The issue is actually bigger because the vulnerability is located in MSDT, which can be called from different applications, including Office, and not only via the ms-msdt URL protocol scheme. In fact, according to Beaumont, it also works directly in Windows via LNK files as well as in Outlook.
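As an added defender-side example (not code from the article or from the researchers it cites), the check below inspects a .docx for the external attached-template relationship the article describes and flags retrieved template content that references the ms-msdt: scheme. The sample document and the HTML snippet are constructed fixtures; the relationship type and file path are the standard OOXML ones Word uses for an attached template.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# OOXML relationship type Word records for an attached (possibly remote) template.
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
RELS_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
SETTINGS_RELS = "word/_rels/settings.xml.rels"
MSDT_SCHEME = re.compile(r"\bms-msdt:", re.IGNORECASE)


def external_template_targets(docx_bytes):
    """Return the URLs of attached templates that Word would fetch remotely."""
    targets = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as doc:
        if SETTINGS_RELS not in doc.namelist():
            return targets  # no template relationships at all
        root = ET.fromstring(doc.read(SETTINGS_RELS))
        for rel in root.iter(RELS_NS + "Relationship"):
            # Only an External target is fetched over the network on open.
            if (rel.get("Type") == ATTACHED_TEMPLATE
                    and rel.get("TargetMode") == "External"):
                targets.append(rel.get("Target"))
    return targets


def html_invokes_msdt(html_text):
    """True if fetched template content tries to hand off to the ms-msdt: handler."""
    return MSDT_SCHEME.search(html_text) is not None


def build_sample_docx(template_url=None):
    """Constructed minimal .docx fixture; template_url adds a remote attached template."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as doc:
        doc.writestr("[Content_Types].xml", "<Types/>")
        doc.writestr("word/document.xml", "<w:document/>")
        if template_url is not None:
            doc.writestr(SETTINGS_RELS, (
                '<?xml version="1.0" encoding="UTF-8"?>'
                '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
                f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
                f'Target="{template_url}" TargetMode="External"/>'
                '</Relationships>'))
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_docx("http://template.example.invalid/t.html")  # constructed
    print("remote templates:", external_template_targets(sample))
```

A document that declares an external attached template is not malicious by itself, but combined with template content that references ms-msdt: it matches the chain the article describes and is worth quarantining for review.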

Microsoft responds with Follina mitigation advice
