Attention ! This malware in Microsoft Office can run code even without macros


Fanny Dufour

May 31, 2022 at 12:25 p.m.


A zero-day flaw detected by several security researchers allows attackers to execute code remotely using a Microsoft Office document.

This vulnerability, dubbed Follina, is particularly critical because it can be exploited without macros being enabled.

A critical flaw spotted in April

Attacks that use Office document features to execute code on the victim’s computer are not uncommon. Until now, however, a simple solution existed to avoid them: disable macros. That fix is ineffective against the vulnerability recently discovered by security researchers.

This flaw, now nicknamed “Follina”, had already been spotted on April 12 and reported to Microsoft. However, its existence has only been making the rounds in the computer security world for a few days, since the user @nao_sec reported on Twitter that he had discovered a malicious Word document submitted to VirusTotal from Belarus. Once opened, the document retrieves an HTML file from a remote server that contains the code to be executed. A PowerShell command line is then run by Word through MSDT (Microsoft Support Diagnostic Tool), a tool normally used to collect information to send to Microsoft Support so that its teams can troubleshoot issues on a user’s computer.

This flaw is particularly critical for several reasons. The first: it can be exploited even if macros are disabled. The second is that, although Protected Mode does activate to warn users that the document is potentially malicious, there is a way around it: by delivering the file in RTF format, the exploit becomes zero-click, and the malicious code is executed without the file even needing to be opened. Selecting it and previewing it in Windows File Explorer is enough. Finally, the security researcher Kevin Beaumont warns that detection by security software is likely to be weak, since the Word document itself does not contain malicious code, only a reference that lets it download the code from a remote server.
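Because the document itself carries nothing a file scanner can match on, the more reliable signal is on the endpoint: Word (or another Office application) launching msdt.exe, or a command line that carries the ms-msdt: URL scheme. The PowerShell function below is an added example, not code from the article, from Huntress or from Microsoft. It runs over process-creation records shaped like Sysmon Event ID 1 (Image, ParentImage, CommandLine, UtcTime); the events it is fed here are constructed sample data, and the diagnostic pack names in them are placeholders.

```powershell
# Added example: flag process-creation events in which an Office application spawns
# msdt.exe, or in which any command line invokes the ms-msdt: URL protocol.
# Field names mirror Sysmon Event ID 1; the sample events below are constructed.
function Find-FollinaStyleMsdtLaunch {
    param(
        [Parameter(Mandatory)]
        [object[]]$Events
    )
    # Office hosts that have no normal reason to launch the diagnostic tool
    $officeParents = @('winword.exe', 'excel.exe', 'powerpnt.exe', 'outlook.exe')

    foreach ($e in $Events) {
        $image  = [System.IO.Path]::GetFileName([string]$e.Image).ToLowerInvariant()
        $parent = [System.IO.Path]::GetFileName([string]$e.ParentImage).ToLowerInvariant()
        $cmd    = [string]$e.CommandLine

        $reasons = @()
        if ($image -eq 'msdt.exe' -and $officeParents -contains $parent) {
            $reasons += "msdt.exe spawned by Office process $parent"
        }
        if ($cmd -match '(?i)ms-msdt:') {
            $reasons += 'command line invokes the ms-msdt: URL protocol'
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Time        = $e.UtcTime
                Image       = $e.Image
                ParentImage = $e.ParentImage
                CommandLine = $cmd
                Reason      = ($reasons -join '; ')
            }
        }
    }
}

# Constructed sample events (hypothetical paths, times and pack names).
$sampleEvents = @(
    [pscustomobject]@{
        UtcTime     = '2022-05-30 09:12:01'
        Image       = 'C:\Windows\System32\msdt.exe'
        ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
        CommandLine = '"C:\Windows\System32\msdt.exe" ms-msdt:/id EXAMPLE-PACK /skip force'
    }
    [pscustomobject]@{
        # Benign: a troubleshooter started by the user from Explorer, no URL scheme
        UtcTime     = '2022-05-30 09:13:44'
        Image       = 'C:\Windows\System32\msdt.exe'
        ParentImage = 'C:\Windows\explorer.exe'
        CommandLine = '"C:\Windows\System32\msdt.exe" -id EXAMPLE-TROUBLESHOOTER'
    }
    [pscustomobject]@{
        # Benign: Word opening another program is not the pattern we care about
        UtcTime     = '2022-05-30 09:15:10'
        Image       = 'C:\Windows\System32\notepad.exe'
        ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
        CommandLine = 'notepad.exe report.txt'
    }
)

# Only the first sample event is reported, with both reasons attached.
Find-FollinaStyleMsdtLaunch -Events $sampleEvents | Format-Table -AutoSize
```

To run this against real telemetry, read Event ID 1 records from the Sysmon operational log with Get-WinEvent and map the EventData fields onto the three properties the function expects; the parent/child check is the robust part, since the command line an attacker passes to msdt.exe can vary while the Office-to-msdt.exe relationship cannot.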

[Image: Huntress demonstration of the Follina remote code execution, © Huntress]

A response from Microsoft considered insufficient

Since then, many researchers have reproduced the exploit, and proofs of concept abound on the Internet. When the flaw was first brought to its attention in April, Microsoft said it did not represent a security issue. Faced with the media coverage, the company changed its mind and has now assigned a CVE. Follina is now designated CVE-2022-30190 and is a remote code execution vulnerability in MSDT.

“A remote code execution vulnerability exists when MSDT is invoked using the URL protocol from an application such as Word. An attacker who successfully exploited this vulnerability can execute arbitrary code with the privileges of the calling application. The attacker can then install programs, view, modify or delete data, or create new accounts in the context authorized by the user’s rights,” says the company in its blog post. In other words, once the code is executed, the attacker obtains the same rights on the device as the user who opened or downloaded the file and can, if necessary, use other attacks to elevate their privileges.

In its blog post, Microsoft invites users to disable MSDT’s URL protocol to prevent exploitation of the flaw. However, as noted by Kevin Beaumont, the company still refuses to consider the vulnerability a zero-day, and says Protected Mode helps thwart attacks, even though it has been proven to be insufficient. Although the flaw was actively exploited in April, there have been no new signs of activity since then from the group behind the initial attack.
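Microsoft’s workaround amounts to removing the ms-msdt protocol handler registration from the registry after backing it up. The functions below are an added example written for this page, not Microsoft’s own script: they wrap that backup-then-remove step so it can be reverted, and add a check an administrator can run to confirm the protocol is no longer registered. The backup path is an assumed default; the session must be elevated.

```powershell
# Added example: disable the ms-msdt: URL protocol by removing its HKCR registration,
# keeping an importable .reg backup so the change can be undone later.
# Run from an elevated PowerShell session. Backup path below is an assumed default.
function Disable-MsdtUrlProtocol {
    param([string]$BackupPath = "$env:SystemDrive\ms-msdt-backup.reg")

    $keyPath = 'Registry::HKEY_CLASSES_ROOT\ms-msdt'
    if (-not (Test-Path $keyPath)) {
        Write-Host 'ms-msdt protocol key is not present; nothing to do.'
        return
    }

    # reg.exe export writes a file that reg.exe import can restore verbatim;
    # /y overwrites an existing backup without prompting.
    & reg.exe export 'HKEY_CLASSES_ROOT\ms-msdt' $BackupPath /y | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "Backup to $BackupPath failed; registry key left unchanged."
    }

    # Remove the handler so ms-msdt: links no longer launch msdt.exe.
    Remove-Item -Path $keyPath -Recurse -Force
    Write-Host "ms-msdt protocol handler removed; backup written to $BackupPath"
}

function Restore-MsdtUrlProtocol {
    param([string]$BackupPath = "$env:SystemDrive\ms-msdt-backup.reg")

    if (-not (Test-Path $BackupPath)) {
        throw "Backup file $BackupPath not found; cannot restore."
    }
    & reg.exe import $BackupPath
    if ($LASTEXITCODE -ne 0) { throw 'reg.exe import failed.' }
    Write-Host 'ms-msdt protocol handler restored.'
}

function Test-MsdtUrlProtocolDisabled {
    # $true when no handler is registered for ms-msdt: links on this machine.
    return (-not (Test-Path 'Registry::HKEY_CLASSES_ROOT\ms-msdt'))
}

# Typical use:
#   Disable-MsdtUrlProtocol
#   Test-MsdtUrlProtocolDisabled   # expect $true afterwards
#   Restore-MsdtUrlProtocol        # once a vendor fix is in place
```

Removing the handler does not remove msdt.exe itself, so the troubleshooters still work when started from Settings; what stops working is the ability of any application to launch the tool through an ms-msdt: URL, which is exactly the path the document abuses.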


Sources: The Register, Microsoft, Kevin Beaumont
