Cybersecurity researcher Nao_sec discovered a malicious Word document uploaded to VirusTotal by a user in Belarus. The document uses Word's remote template feature to fetch an HTML file from an external server; that HTML then invokes the "ms-msdt:" URI scheme to execute PowerShell code. The issue affects current Microsoft Office versions, including Office 2016 and Office 2021.
Cybersecurity expert Kevin Beaumont has published an analysis of the same vulnerability. He named it "Follina" because the sample references 0438, which is the area code of Follina in Italy. This is a zero-day exploit for Microsoft Office applications and, worse still, malicious actors are already exploiting it in the wild.
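The two traits described above, a remote (external) template relationship and a reference to the ms-msdt: scheme, can both be checked for in a suspicious document before it is ever opened. The following PowerShell function is an added example for analysts, not code from Nao_sec's or Beaumont's research: it opens a .docx as the Open XML zip package it is, reads the relationship parts (word/_rels/*.rels) for an attachedTemplate relationship whose target is external, and flags any ms-msdt: string in the package's XML. The file path and the package layout are assumptions about a standard .docx; samples that fetch the payload remotely will show only the first indicator, since the HTML never lives inside the document.

```powershell
# Added example: triage a .docx for a remote (external) template relationship
# and for ms-msdt: references. Not part of the original research; the package
# layout assumed here is the standard Open XML zip (word/_rels/*.rels etc.).
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Get-DocxTemplateIndicators {
    param([Parameter(Mandatory)][string]$Path)

    $findings = @()
    $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
    try {
        foreach ($entry in $zip.Entries) {
            # Only XML parts are of interest; skip media and other binaries
            if ($entry.FullName -notmatch '\.(xml|rels)$') { continue }

            $reader = New-Object System.IO.StreamReader($entry.Open())
            try { $text = $reader.ReadToEnd() } finally { $reader.Dispose() }

            # Relationship parts declare where Word fetches linked content from.
            # A Type ending in /attachedTemplate with TargetMode="External" is a remote template.
            if ($entry.FullName -like '*.rels') {
                [xml]$rels = $text
                foreach ($rel in $rels.Relationships.Relationship) {
                    if ($rel.Type -like '*/attachedTemplate' -and $rel.TargetMode -eq 'External') {
                        $findings += [pscustomobject]@{
                            Part      = $entry.FullName
                            Indicator = 'Remote template'
                            Value     = $rel.Target
                        }
                    }
                }
            }

            # The ms-msdt: scheme has no legitimate place inside a document; flag any occurrence.
            if ($text -match 'ms-msdt:') {
                $findings += [pscustomobject]@{
                    Part      = $entry.FullName
                    Indicator = 'ms-msdt URI scheme'
                    Value     = ($text | Select-String -Pattern 'ms-msdt:[^"''<\s]*' -AllMatches).Matches.Value -join '; '
                }
            }
        }
    } finally {
        $zip.Dispose()
    }
    return $findings
}

# Usage (path is an assumed sample location):
#   Get-DocxTemplateIndicators -Path 'C:\samples\suspicious.docx' | Format-Table -AutoSize
```

A clean document normally has no external attachedTemplate relationship at all, so any hit on the first indicator is worth a closer look regardless of the target URL; the second indicator only fires on variants that embed the reference directly in the package.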
"I've tested this on various rigs and it works more often than not. For example, here is Windows 10, not local admin, with macros fully disabled, with Defender, with Office 365 Semi-Annual Channel, casually popping calc on open of a Word document," Beaumont wrote in the report.
"However, with the Insider and Current versions of Office I can't get this to work — which suggests Microsoft has either tried to harden something or tried to fix this vulnerability without documenting it." Beaumont added.
Already exploited in the wild, PoCs released
Later, many researchers started digging into the issue and many PoC videos appeared. According to the PoCs, the flaw affects Office 2013, 2016, 2019 and 2021, Office Pro Plus from April, and others.
Beaumont also found an older sample, from over a month earlier: a document themed as an "invitation for an interview" with Sputnik Radio, targeting users in Russia.
Many researchers started exploring the flaw. Security researcher Cas van Cooten released a non-malicious Python exploit for testing purposes. Another workaround came from vulnerability analyst Will Dormann, who suggested removing the ms-msdt URI scheme registry key (which requires local administrator rights), something that can also be rolled out via Group Policy Preferences.
While there may very well be other dangerous protocols besides ms-msdt:, it's probably a good idea to unregister this protocol. Especially while this vulnerability is still unpatched! — Will Dormann (@wdormann) May 30, 2022
I've never seen its use in the real world until today. https://t.co/UHAqntUWYR
Recall that Microsoft began blocking the execution of VBA macros in five Microsoft Office applications. Starting April 2022, Microsoft Access, Excel, PowerPoint, Visio, and Word cannot enable macro scripts in untrusted documents downloaded from the Internet.
Microsoft ignored, now acknowledges the vulnerability
Initially, the leader of Shadowchasing1, an APT hunting group, reported the flaw to the Microsoft security team, but Microsoft MSRC closed the ticket, saying it was not a security-related issue.
After security vendor Nao_sec tweeted about the document uploaded from Belarus, which is itself an in-the-wild attack, and after so many workarounds circulated in the cybersecurity community, Microsoft appears to have reconsidered the vulnerability.
On 30th May, Microsoft acknowledged the vulnerability (which it had first closed as not a security bug) and assigned it CVE-2022-30190, a remote code execution vulnerability in the Microsoft Support Diagnostic Tool (MSDT).
In the advisory, Microsoft wrote:
A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word. An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights.
Along with this, Microsoft has also released mitigation guidance to reduce exposure until an official patch is available.
First, Microsoft recommends disabling the MSDT URL protocol. Disabling the MSDT URL protocol prevents troubleshooters from being launched as links, including links throughout the operating system. Troubleshooters can still be accessed using the Get Help application and in system settings as other or additional troubleshooters.
Follow these steps to disable it:
- Run Command Prompt as Administrator.
- To back up the registry key, execute the command "reg export HKEY_CLASSES_ROOT\ms-msdt filename".
- Execute the command "reg delete HKEY_CLASSES_ROOT\ms-msdt /f".
If you later want to reverse the workaround, follow these steps:
- Run Command Prompt as Administrator.
- To restore the registry key from the backup, execute the command "reg import filename".
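The same workaround, in the form in which an administrator would script it across machines (and the registry-key removal Dormann suggested above), as an added PowerShell example that is not part of Microsoft's advisory: it refuses to delete the key until a restorable .reg export exists, reports whether the ms-msdt: handler is still registered so the state can be checked later, and reverses the change from that backup. It must run from an elevated session; $BackupPath is an assumed location.

```powershell
# Added example: apply, verify and reverse the workaround Microsoft describes
# (back up and delete HKEY_CLASSES_ROOT\ms-msdt). Run from an elevated
# PowerShell session. $BackupPath is an assumed location; change it to suit.
$KeyPath    = 'Registry::HKEY_CLASSES_ROOT\ms-msdt'
$BackupPath = 'C:\Backup\ms-msdt.reg'

function Test-MsdtHandlerRegistered {
    # $true means the ms-msdt: URL protocol is still registered (workaround NOT applied)
    return (Test-Path -LiteralPath $KeyPath)
}

function Backup-MsdtHandler {
    New-Item -ItemType Directory -Path (Split-Path -Parent $BackupPath) -Force | Out-Null
    # Same reg.exe export Microsoft's steps use; /y overwrites an existing backup file
    & reg.exe export 'HKEY_CLASSES_ROOT\ms-msdt' $BackupPath /y | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path -LiteralPath $BackupPath)) {
        throw "Export of HKEY_CLASSES_ROOT\ms-msdt failed; not continuing."
    }
}

function Disable-MsdtHandler {
    if (-not (Test-MsdtHandlerRegistered)) {
        Write-Host 'ms-msdt handler is already absent; nothing to do.'
        return $true
    }
    Backup-MsdtHandler            # never delete without a restorable copy
    Remove-Item -LiteralPath $KeyPath -Recurse -Force
    return (-not (Test-MsdtHandlerRegistered))
}

function Restore-MsdtHandler {
    if (-not (Test-Path -LiteralPath $BackupPath)) {
        throw "No backup found at $BackupPath; cannot restore."
    }
    & reg.exe import $BackupPath | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'reg.exe import failed.' }
    return (Test-MsdtHandlerRegistered)
}

# Usage:
#   Disable-MsdtHandler             # returns $true once the key is gone
#   Test-MsdtHandlerRegistered      # $false while the workaround is in place
#   Restore-MsdtHandler             # returns $true once the key is back
```

Keeping the exported .reg file somewhere the machine's users cannot modify matters, because reg import will write back whatever that file contains; Test-MsdtHandlerRegistered is the check to run after patching, when the handler is expected to be restored.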
Furthermore, customers with Microsoft Defender Antivirus should turn on cloud-delivered protection and automatic sample submission. These capabilities use artificial intelligence and machine learning to quickly identify and stop new and unknown threats.
Microsoft Defender Antivirus provides detections and protections for possible vulnerability exploitation under the following signatures using detection build 1.367.719.0 or newer: