Attackers Can Exploit Zero Day Microsoft Office Vulnerability with Macros Disabled

Microsoft has published a security notification and has presented a workaround to stop a zero-day vulnerability found in the Microsoft Windows Support Diagnostic Tool (MSDT) from being taken advantage of.

The vulnerability is being tracked as CVE-2022-30190 and has been referred to as Follina by security researchers. As reported by Microsoft, there is a remote code execution vulnerability when MSDT is called utilizing the URL protocol from a calling application like Word.

During the weekend, security researcher nao_sec discovered a Word document that was using remote templates to carry out PowerShell commands on selected systems via the MS-MSDT URL protocol system. In a new blog post, security expert Kevin Beaumont stated that Microsoft Defender does not see the documents as malicious, and detection using antivirus tools is poor because the documents used to exploit the vulnerability do not include any malicious code. Instead, they take advantage of remote templates to obtain an HTML file from a remote server, enabling an attacker to execute malicious PowerShell commands.

The majority of email attacks that utilize attachments for delivering malware require that macros are enabled; nonetheless, the vulnerability may be exploited although macros are disabled. The vulnerability is leveraged when the file attachment is opened. Beaumont additionally revealed that zero-click exploitation can be done whenever an RTF file is utilized, as the vulnerability could be exploited with no need to open the document through Explorer’s preview tab.

Microsoft mentioned when an attacker successfully exploits the vulnerability, malicious code may be implemented with the privileges of the calling program. It would enable an attacker to install programs, view, modify, remove data, or create new accounts in the context permitted by the user’s rights. The vulnerability could be exploited in all Office versions starting 2013, which include the current version of Office 365.

The vulnerability was at first reported to Microsoft in April and the vulnerability was given a high severity CVSS score of 7.8 out of 10 since Microsoft did not take into account the Follina vulnerability to be critical. Microsoft has already given a workaround and instruction 
that requires deactivating the MSDT URL Protocol until eventually, a patch is available. Quick action is needed to avoid the exploitation of the vulnerability. Vulnerabilities that may be taken advantage of using Office are quickly used by threat actors, particularly when they could be exploited with macros deactivated.

Various threat actors are identified to be exploiting the vulnerability, such as the Chinese threat actor TA413, as per Proofpoint. Palo Alto Networks Unit 42 team stated that according to the quantity of publicly available information, the simplicity of use, and the great effectiveness of this exploit, Palo Alto Networks highly proposes sticking to Microsoft’s guidance to safeguard your enterprise until a patch is released to correct the problem.