Microsoft Office zero day leaves researchers scrambling over the holiday weekend

UPDATE: May 31, 2022: The Cybersecurity and Infrastructure Security Agency urged administrators and users to review Microsoft's guidance on a workaround to the Follina vulnerability, which affects the Microsoft Support Diagnostic Tool in Windows.

The vulnerability allows a remote, unauthenticated user to take control over a system by exploiting downloaded Microsoft Office documents, according to researchers. Researchers say a patch has not been issued.

Microsoft has reported active exploitation of this vulnerability in the wild, CISA said.

Dive Brief:

• Researchers over the Memorial Day holiday disclosed a zero-day vulnerability in Microsoft Office, which allows an attacker to gain remote code execution when a user downloads a malicious Word document. The vulnerability, discovered on May 27 by Nao_Sec, was dubbed “Follina” by researcher Kevin Beaumont.
• The attack can exploit the vector using Microsoft Office documents to open a Microsoft Diagnostics Tool (MSDT) file handler, according to John Hammond, senior security researcher at Huntress. After using phishing or social engineering to get users to open an attached file, an attacker could gain persistent access, move laterally and escalate user privileges to access inside of a system.  
• Microsoft issued guidance on the vulnerability late Monday and published a security update under CVE-2022-30190. The company said an attacker who successfully exploits the vulnerability can install programs, view, change or delete data or create new accounts in the context allowed by the user’s rights, according to the blog. Researchers say there is so far no known patch.

Dive Insight:

Researcher @nao_sec uncovered the vulnerability on May 27 while looking on VirusTotal for prior attacks involving CVE-2021-40444, according to Hammond. The previous vulnerability allowed arbitrary code execution using Office or RTF files. 

The new vulnerability was connected to a document submitted from Belarus, which used the external link in Word to load HTML and then executed a PowerShell code using “ms-msdt,” according to a May 27 post on Twitter. 

According to Beaumont, the vulnerability appears to be exploitable on all versions of Office 365 files when using an .RTF file. 

Though a new zero day, defense comes down to security basics. Organizations can help prevent an attack like this by educating users on how to spot phishing and social engineering campaigns. 

“Educating users to identify and delete malicious emails remains your best line of defense until a patch is available to deploy to your endpoints,” Hammond said via email. 

In the interim, organizations should look out for rogue child processes created under Microsoft Office products, including msdt.exe and sdiagnhost.exe. 

Microsoft suggested disabling MSDT URL protocol as a workaround, which prevents troubleshooters from launching as links. 

Customers with Microsoft Defender Antivirus should turn on cloud-delivered protection and automatic-sample submission, Microsoft said. They use artificial intelligence and machine learning to identify and stop new and unknown threats, according to the company.

Comments are closed.