Microsoft Office zero-day flaw 'Follina' uncovered by researchers

Word attack is possible even with macros turned off, no patch yet available

Cybersecurity researchers have uncovered a new zero-day vulnerability in Microsoft Office.

The flaw allows attackers to execute arbitrary code via the Microsoft Support Diagnostic Tool (MSDT). All it takes to exploit the vulnerability is for a victim to open a malicious Word document.

The flaw, dubbed 'Follina' by the infosec community, was discovered when a Japanese security research group known as nao_sec found a Word document (05-2022-0438.doc) that was submitted to VirusTotal from a Belarusian IP address.

The document makes use of the Word remote template feature in order to retrieve an HTML file from a remote webserver. This HTML file then uses the ms-msdt MSProtocol URI scheme to load some code and run it in PowerShell.

MSDT is a utility that is used to troubleshoot and gather diagnostic data for the purpose of analysis and resolution of an issue by support experts.

Security expert Kevin Beaumont claimed in a post that he observed Microsoft Word executing the code via MSDT even when macros were turned off.

He added that the Protected View function in Microsoft Office, which is supposed to alert users of files originating from potentially unsafe places, does warn users of the likelihood of a malicious document. However, this warning can be easily bypassed by converting the document to a Rich Text Format (RTF) file.

The obfuscated code may then execute "without even opening the document via the preview tab in Explorer."

Beaumont refers to the flaw as 'Follina' because the name of the sample file contains the number 0438, which is the area code for Follina in Italy.

Huntress Labs, a cybersecurity firm, conducted an independent investigation of the attack flow and discovered that the HTML file ("RDF842l.html") that triggers the exploit was served from a domain named xmlformats[.]com, which is no longer accessible.

"A Rich Text Format file (.RTF) could trigger the invocation of this exploit with just the Preview Pane within Windows Explorer," Huntress Labs' John Hammond said.

It is reported that multiple versions of Microsoft Office, including Office 2013, Office 2016 and Office 2021, are vulnerable.

Richard Warren of the NCC Group successfully demonstrated the vulnerability in Office Professional Plus with the April 2022 patches installed, running on an up-to-date Windows 11 computer with the preview pane turned on.

Researcher Didier Stevens showed that the attack is functional on a patched version of Microsoft Office 2021.

It is not known whether the zero-day flaw has been actively exploited by malicious parties.

Huntress recommends monitoring the processes running on the system in order to identify an attack via this vector, because the Follina payload spawns a child process of 'msdt.exe' underneath the malicious Microsoft Office parent.
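The parent/child check Huntress describes, written out as a small detection over process-creation events. This is an added example, not Huntress's or Microsoft's own tooling; the log layout ("Key: Value" fields separated by "|"), the sample lines and the troubleshooter ids are constructed for the example, and treating a non-Office parent with an "ms-msdt:" command line as a lower-confidence hit (the preview-pane case) is an assumption.

```python
import ntpath
from typing import Dict, List, Optional, Tuple

# Office hosts that the article names as the parent of the malicious msdt.exe child.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Constructed process-creation events, one per line (not captured from a real incident).
SAMPLE_EVENTS = """\
Image: C:\\Windows\\System32\\msdt.exe|ParentImage: C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE|CommandLine: msdt.exe ms-msdt:/id constructed-id
Image: C:\\Windows\\System32\\msdt.exe|ParentImage: C:\\Windows\\explorer.exe|CommandLine: msdt.exe ms-msdt:/id constructed-id
Image: C:\\Windows\\System32\\msdt.exe|ParentImage: C:\\Windows\\System32\\control.exe|CommandLine: msdt.exe -id constructed-id
Image: C:\\Windows\\System32\\notepad.exe|ParentImage: C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE|CommandLine: notepad.exe
"""


def parse_event(line: str) -> Dict[str, str]:
    """Split one 'Key: Value|Key: Value' line of the constructed layout into a dict."""
    event: Dict[str, str] = {}
    for field in line.split("|"):
        key, _, value = field.partition(": ")
        event[key.strip()] = value.strip()
    return event


def classify(event: Dict[str, str]) -> Optional[str]:
    """Return 'high', 'medium' or None for a single process-creation event."""
    image = ntpath.basename(event.get("Image", "")).lower()
    if image != "msdt.exe":
        return None
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    cmdline = event.get("CommandLine", "").lower()
    if parent in OFFICE_PARENTS:
        return "high"    # exactly the Office -> msdt.exe pair Huntress describes
    if "ms-msdt:" in cmdline:
        return "medium"  # URI-scheme launch from elsewhere (assumed preview-pane case); review
    return None          # ordinary troubleshooter launch, e.g. from Control Panel


def scan(log_text: str) -> List[Tuple[str, str]]:
    """Return (severity, parent process name) for every suspicious event in the log."""
    findings: List[Tuple[str, str]] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_event(line)
        verdict = classify(event)
        if verdict:
            findings.append((verdict, ntpath.basename(event.get("ParentImage", "")).lower()))
    return findings
```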

On Monday, Microsoft published the CVE identifier for this vulnerability, CVE-2022-30190. The company also released a Security Update entry and an article with guidance.

However, Microsoft is yet to release a patch for the bug.

According to the information provided by the firm, an adversary who successfully exploits this vulnerability can execute arbitrary code with the privileges of the calling application.

"The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user's rights," Microsoft said.

As a mitigating measure, Microsoft suggests disabling the MSDT URL protocol.

"Disabling MSDT URL protocol prevents troubleshooters being launched as links including links throughout the operating system. Troubleshooters can still be accessed using the Get Help application and in system settings as other or additional troubleshooters."