Infosec researchers have identified a zero-day code execution vulnerability in Microsoft’s ubiquitous Office software.
The vulnerability, dubbed "Follina," has been floating around for a while (cybersecurity researcher Kevin Beaumont traced it back to a report made to Microsoft on April 12). It abuses Word's remote-template feature to retrieve an HTML file from an attacker-controlled web server, which in turn invokes the Microsoft Support Diagnostic Tool (MSDT) through the ms-msdt: URI scheme to run code.
This is a nice find, it looks like a hole in the EDR tooling from the first tests. (Possibly more, surprises Word didn’t block this). https://t.co/jzPzkOskGg
— Kevin Beaumont (@GossiTheDog) May 29, 2022
Worse, it even works in Microsoft Word when macros are disabled.
The vulnerability was spotted on Twitter late last week by the @nao_sec account, which noted the use of the ms-msdt URI scheme to run PowerShell code.
As for mitigation, there isn't much. The Huntress post on the matter suggested that users of Microsoft Defender's Attack Surface Reduction (ASR) rules set "Block all Office applications from creating child processes" to Block mode.
An alternative suggested by vulnerability analyst Will Dormann is to remove the registry association for the ms-msdt: protocol so that Office cannot launch MSDT through it.
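As an added example (not from the article, and not Huntress's, Dormann's or Microsoft's own script), here are both workarounds applied from an elevated PowerShell session, with a backup of the registry key before it is deleted and a verification step afterwards. The ASR rule GUID is the documented identifier for the "Block all Office applications from creating child processes" rule; the backup path under $env:TEMP is an assumption.

```powershell
# Added example, not from the article: apply both Follina workarounds and verify them.
# Run elevated. Assumed: backup file location in $env:TEMP.
$AsrOfficeChildProcs = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'   # documented ID of the ASR rule

# 1. Put "Block all Office applications from creating child processes" into Block mode.
#    Add-MpPreference appends to the existing rule list; pass AuditMode instead of Enabled
#    for a dry run that only logs what would have been blocked.
Add-MpPreference -AttackSurfaceReductionRules_Ids $AsrOfficeChildProcs `
                 -AttackSurfaceReductionRules_Actions Enabled

# 2. Back up and remove the ms-msdt: protocol handler so Office cannot hand a URI to msdt.exe.
#    Restore once patched with: reg import $backup
$backup = Join-Path $env:TEMP 'ms-msdt.reg'
reg export HKEY_CLASSES_ROOT\ms-msdt $backup /y
reg delete HKEY_CLASSES_ROOT\ms-msdt /f

# 3. Verify. Rule actions are stored as bytes: 0 = Disabled, 1 = Block, 2 = Audit.
$prefs  = Get-MpPreference
$action = $null
for ($i = 0; $i -lt $prefs.AttackSurfaceReductionRules_Ids.Count; $i++) {
    if ($prefs.AttackSurfaceReductionRules_Ids[$i] -ieq $AsrOfficeChildProcs) {
        $action = $prefs.AttackSurfaceReductionRules_Actions[$i]
    }
}
if ($action -eq 1) { Write-Host "ASR rule $AsrOfficeChildProcs is in Block mode" }
else { Write-Warning 'ASR rule is not in Block mode (is Defender the active antivirus engine?)' }

if (Test-Path 'Registry::HKEY_CLASSES_ROOT\ms-msdt') { Write-Warning 'ms-msdt handler still present' }
else { Write-Host 'ms-msdt protocol handler removed' }
```

Two caveats a practitioner will want: ASR rules only take effect when Microsoft Defender Antivirus is the active real-time engine, so the check above fails on hosts running a third-party AV; and deleting the ms-msdt key breaks Windows' built-in troubleshooters until the exported key is imported again. The child-process rule can also break legitimate workflows where Office spawns helpers, which is why an Audit-mode rollout first is the safer order.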
Dormann told The Register: "Once you see the UI, it's too late. So it doesn't really matter."
Even so, the user interface may not be shown at all. Beaumont told The Register: "The first wild example I saw is hiding the UI."
Beyond that, security teams should warn users to be wary of attachments. An attacker using a Rich Text Format file in conjunction with the Windows Explorer preview pane could theoretically skip the step of requiring users to open the file at all.
While the initial attack only executes code with the privileges of the user account that opened the malicious document, that foothold opens the door to follow-on attacks that escalate privileges. It's also worth pointing out that the current exploit pops up the Microsoft Support Diagnostic Tool's user interface, although it's all too easy to imagine a user impatiently clicking past it.
Beaumont and other researchers have posted detection rules for Defender and the like, but vigilance is advised until the vulnerability is patched.
“Detection,” Beaumont wrote in a post on the subject, “probably won’t be great, as Word loads the malicious code from a remote template (web server), so nothing in the Word document is actually malicious.”
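Beaumont's point is that the document itself only carries a pointer, so a static scan has to look at the pointer rather than at payload bytes. As an added example (not the article's, nor Beaumont's published detection rules), the PowerShell script below flags Word files whose attached-template relationship is fetched over http(s), and separately checks a fetched file (the remote HTML, a browser-cache entry, a proxy capture) for the ms-msdt: scheme. The scanned directory is an argument you supply; the file extensions and the choice of a quarantine or download folder are assumptions.

```powershell
# Added example, not from the article: triage checks for the delivery chain described above.
Add-Type -AssemblyName System.IO.Compression.FileSystem

# Returns the remote template URL if the document's attached template is fetched over
# http(s), otherwise $null. A .docx is a zip; the template link lives in
# word/_rels/settings.xml.rels as an attachedTemplate relationship with TargetMode="External".
function Test-RemoteTemplate {
    param([Parameter(Mandatory)][string]$Path)
    $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
    try {
        $entry = $zip.GetEntry('word/_rels/settings.xml.rels')
        if ($null -eq $entry) { return $null }          # no attached template at all
        $reader = New-Object System.IO.StreamReader($entry.Open())
        try { [xml]$rels = $reader.ReadToEnd() } finally { $reader.Dispose() }
        foreach ($r in $rels.Relationships.Relationship) {
            if ($r.Type -like '*/attachedTemplate' -and
                $r.TargetMode -eq 'External' -and
                $r.Target -match '^https?://') {
                return $r.Target
            }
        }
        return $null
    } finally {
        $zip.Dispose()
    }
}

# Returns $true if a fetched file contains the ms-msdt: URI scheme that hands control to MSDT.
# A plain substring match is enough for triage; it is not a signature for the full exploit.
function Test-MsdtUri {
    param([Parameter(Mandatory)][string]$Path)
    return [bool](Select-String -Path $Path -Pattern 'ms-msdt:' -SimpleMatch -Quiet)
}

# Scan a directory (assumed: a download or mail-quarantine folder passed as the first argument).
$ScanRoot = if ($args.Count -gt 0) { $args[0] } else { '.' }
Get-ChildItem -Path $ScanRoot -Recurse -File -Include *.docx, *.dotx, *.docm, *.dotm, *.html, *.htm |
    ForEach-Object {
        if ($_.Extension -in '.html', '.htm') {
            if (Test-MsdtUri -Path $_.FullName) { "{0}`tcontains ms-msdt: URI" -f $_.FullName }
        } else {
            $target = Test-RemoteTemplate -Path $_.FullName
            if ($target) { "{0}`tremote template {1}" -f $_.FullName, $target }
        }
    }
```

Legitimate corporate templates almost always point at a local or UNC path, so an http(s) attached template is rare enough to review by hand rather than auto-block. The check does not cover the RTF variant mentioned above, and an attacker who serves the template over another scheme or changes the relationship type will slip past it; treat it as a first filter, not a replacement for the EDR rules Beaumont and others have published.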
Interestingly, while Microsoft has not yet publicly acknowledged the issue, Beaumont noted that it appears to have been resolved in the very latest Insider and Current versions of Office. However, he reported that the hole was still present in Office 2013 and 2016. Other users said they could exploit a fully updated Office 2019, while Didier Stevens showed the exploit working in Office 2021.
As Beaumont said, “Historically, if there are simple ways to run code directly from Office, people use it to do bad things. This breaks the line of disabling macros.”
The Register asked Microsoft for comment. Microsoft had closed that first April 12 report on the grounds that it was not a security issue. "For the record," Beaumont noted, "running msdt with macros disabled is a problem."