Zero-Day ‘Follina’ Bug Lays Older Microsoft Office Versions Open to Attack

May 31, 2022 | News

A zero-day vulnerability in Microsoft Office allows adversaries to run malicious code on targeted systems via a flaw in Word's remote template feature.

The warning comes from Japanese security vendor Nao Sec, which tweeted about the zero-day over the weekend.

Noted security researcher Kevin Beaumont dubbed the vulnerability “Follina”, explaining that the zero-day sample's code references 0438, the telephone area code of Follina, Italy.

Beaumont said the flaw abuses the remote template feature in Microsoft Word and does not depend on the macro-based exploit path that is typical of Office-based attacks. According to Nao Sec, a live sample of the bug was found in a Word document template and links to an internet protocol (IP) address in the Republic of Belarus.

It’s unclear whether the zero-day bug has been actively leveraged by adversaries. There are unconfirmed reports that proof-of-concept code exists and that more recent versions of Office are also vulnerable. Meanwhile, security researchers say users can apply Microsoft Attack Surface Reduction measures to mitigate the risk until a patch is available.

Working of Follina

Nao Sec researchers explain that the infection path begins with the malicious template loading an exploit via a hypertext markup language (HTML) file fetched from a remote server.

The loaded HTML uses the “ms-msdt” MSProtocol URI scheme to load and execute a snippet of PowerShell code.

“It uses Word’s external link to load the HTML and then uses the ‘ms-msdt’ scheme to execute PowerShell code,” as reported by Nao Sec.

MSDT stands for the Microsoft Support Diagnostic Tool; it collects information and reports it to Microsoft Support. This troubleshooting wizard analyzes the gathered information and attempts to find a resolution to the problems the user is experiencing.

Beaumont found that the flaw allows the code to run via MSDT, “even if macros are disabled”.

“Protected View does kick in, although if you change the document to RTF form, it runs without even opening the document (via the preview tab in Explorer) let alone Protected View,” Beaumont further explained.

Beaumont confirmed that the exploit currently affects older versions of Microsoft Office, 2013 and 2016, and that endpoint detection “missed execution” of the malware.

Another security researcher, Didier Stevens, said he exploited the Follina bug on a fully patched version of Office 2021, and cybersecurity researcher John Hammond tweeted a working proof of concept for Follina.

Microsoft users with E5 licenses can detect the exploit by adding the endpoint query to Defender. Additionally, Warren suggests using Attack Surface Reduction (ASR) rules to block Office applications from creating child processes.

Source: threatpost.com
