Infosec researchers have identified a zero-day code execution vulnerability in Microsoft’s ubiquitous Office software.
Dubbed “Follina”, the vulnerability has been floating around for a while (cybersecurity researcher Kevin Beaumont traced it back to a report made to Microsoft on April 12) and uses Office functionality to retrieve an HTML file which in turn makes use of the Microsoft Support Diagnostic Tool (MSDT) to run some code.
This is a nice find, looks like an EDR tooling gap from initial tests. (Possibly more, surprises Word didn’t block this). https://t.co/jzPzkOskGg
—Kevin Beaumont (@GossiTheDog) May 29, 2022
Worse, it will work in Microsoft Word even when macros are disabled.
The vulnerability was flagged up on Twitter at the end of last week by the @nao_sec account, which noted the use of ms-msdt to execute PowerShell code.
As for mitigation, there isn’t much. The Huntress post on the matter suggested users utilizing Microsoft Defender’s Attack Surface Reduction (ASR) rules could put the “Block all Office Applications from creating child processes” option into “Block mode.”
An alternative suggested by vulnerability analyst Will Dormann would be to remove the file type association for ms-msdt to stop Office firing up the app.
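The two mitigations above, checked and applied from one script. This is an added PowerShell example, not code from the article or the researchers it quotes. It assumes Microsoft Defender is the active antivirus, that the ms-msdt handler is registered under HKEY_CLASSES_ROOT\ms-msdt, and uses Microsoft's documented GUID for the ASR rule; the backup path is hypothetical.

```powershell
# Added example, not from the article. Run elevated on a host using Microsoft Defender.
[CmdletBinding()]
param(
    [switch]$Apply,   # without -Apply the script only reports the current state
    [string]$BackupPath = (Join-Path $env:TEMP 'ms-msdt-handler.reg')   # hypothetical path
)

# Microsoft's GUID for "Block all Office applications from creating child processes".
$RuleId  = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'
$Handler = 'Registry::HKEY_CLASSES_ROOT\ms-msdt'   # assumed location of the ms-msdt handler

function Get-AsrRuleState {
    param([string]$Id)
    $names   = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -eq $Id) {               # string -eq is case-insensitive
            $code = [int]$actions[$i]
            if ($names.ContainsKey($code)) { return $names[$code] }
            return "Unknown($code)"
        }
    }
    return 'NotConfigured'
}

function Get-MitigationState {
    [pscustomobject]@{
        AsrRuleState   = Get-AsrRuleState -Id $RuleId
        HandlerPresent = Test-Path -LiteralPath $Handler
    }
}

$before = Get-MitigationState
$before | Format-List
if ($Apply) {
    if ($before.AsrRuleState -ne 'Block') {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleId -AttackSurfaceReductionRules_Actions Enabled
    }
    if ($before.HandlerPresent) {
        # Export first so the handler can be restored with "reg import" later.
        & reg.exe export 'HKEY_CLASSES_ROOT\ms-msdt' $BackupPath /y | Out-Null
        if ($LASTEXITCODE -ne 0) { throw 'Backup failed; handler left in place.' }
        Remove-Item -LiteralPath $Handler -Recurse -Force
    }
    Get-MitigationState | Format-List   # confirm the new state
}
```

Run it without `-Apply` first to see which hosts still have the rule outside Block mode or the handler registered; `reg import` on the backup file restores the association.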
Dormann told The Register: “Once you see the UI, it’s too late. So it doesn’t really matter.”
Then again, actually seeing the user interface is no sure thing. Beaumont told The Register: “The first in the wild sample I saw hides the UI.”
Alternatively, security teams should warn users to be aware of attachments. However, an attacker using a Rich Text Format file coupled with Windows’ Preview Pane could theoretically skip the step of users having to click on the file at all.
While the initial attack only runs code at the level of the user account that opened the malicious document, that access opens the door for more attacks that could escalate privilege. It’s also worth pointing out that the current exploit pops up the user interface for the Microsoft Support Diagnostic Tool, although it is all too easy to imagine a user impatiently clicking past it.
Beaumont and other researchers have posted detection rules for Defender and the like but until the vulnerability has been patched, vigilance will be needed.
“Detection,” wrote Beaumont in a post on the subject, “is probably not going to be great, as Word loads the malicious code from a remote template (webserver), so nothing in the Word document is actually malicious.”
Interestingly, although Microsoft has yet to publicly acknowledge the issue, Beaumont noted that it appeared to have been fixed in the very latest Insider and Current versions of Office. However, he reported finding the hole in Office 2013 and 2016. Other users said they were able to exploit the vulnerability on a fully updated version of Office 2019, while Didier Stevens showed the exploit working in Office 2021.
As Beaumont said: “Historically, when there’s easy ways to execute code directly from Office, people use it to do bad things. This breaks the boundary of having macros disabled.”
The Register has asked Microsoft to comment. That first report on April 12 was closed as not being a security issue. “For the record,” noted Beaumont, “msdt executing with macros disabled is an issue.”