New Microsoft Office Zero-Day ‘Follina’ Exploited in Remote Code Execution Attacks
Security researchers recently discovered a new Microsoft Office zero-day flaw exploited in PowerShell remote code execution attacks. The vulnerability, tracked as CVE-2022-30190, lets attackers run malicious PowerShell commands through the Microsoft Support Diagnostic Tool (MSDT).
Researchers believe the flaw, dubbed “Follina,” has been around for a while, as they traced it back to a report submitted to Microsoft on April 12. The malicious document abuses Word's remote template feature to fetch an HTML file from an attacker-controlled server; that HTML in turn invokes the ms-msdt: URL protocol handler, which passes attacker-supplied parameters to MSDT and results in code execution on the victim's device.
To make matters worse, Follina runs in the context of the logged-in user without needing elevated privileges, evaded Windows Defender detection at the time it was found, and does not depend on macros being enabled to run scripts or execute binaries. The flaw was discovered by accident last Friday when security researcher nao_sec stumbled upon a malicious Word document that had been uploaded to VirusTotal.
The researcher posted a screenshot of some obfuscated code used by the malicious file, which security researcher Kevin Beaumont deobfuscated. Beaumont said the code is a command-line string that can be executed by Microsoft Word through MSDT, even if macros are not enabled.
Running the PowerShell script would extract a Base64-encoded file from a RAR archive on the compromised device and execute it. However, the nature of the malicious activity remains unclear, as the extracted file is no longer available.
Microsoft Office’s Protected View normally warns users before a document from the internet is allowed to run active content. However, Beaumont believes that converting the document to a Rich Text Format (RTF) file could allow attackers to bypass this warning and even run the obfuscated code “without even opening the document (via the preview tab in Explorer).”
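The chain described above has a simple observable: msdt.exe being spawned by an Office process, or being launched with an ms-msdt: URL on its command line. The following PowerShell is an added example, not code from the article or from the researchers it cites. It runs offline over a constructed set of process-creation records; on a real host you would build the same objects from Sysmon Event ID 1 or Security Event 4688 with command-line auditing enabled. The sample command line is modelled on the public analyses of the document and is truncated.

```powershell
# Added example (not from the article). Hunt process-creation records for
# msdt.exe launched from an Office process or via the ms-msdt: URL protocol.
# $sampleEvents below is constructed; real data comes from Sysmon ID 1 / Security 4688.

$officeProcesses = @('winword.exe', 'excel.exe', 'powerpnt.exe', 'outlook.exe')

function Find-SuspiciousMsdt {
    param(
        [Parameter(Mandatory)]
        [object[]]$Events   # objects with Time, Image, ParentImage, CommandLine
    )
    foreach ($e in $Events) {
        $image = [IO.Path]::GetFileName($e.Image).ToLowerInvariant()
        if ($image -ne 'msdt.exe') { continue }

        $parent     = [IO.Path]::GetFileName($e.ParentImage).ToLowerInvariant()
        $fromOffice = $officeProcesses -contains $parent
        $viaProto   = $e.CommandLine -match 'ms-msdt:'

        if (-not ($fromOffice -or $viaProto)) { continue }

        # Office parent plus the protocol handler is the high-confidence case; the
        # protocol alone also shows up in benign troubleshooter launches, so rank it lower.
        if ($fromOffice -and $viaProto) { $confidence = 'high' }
        elseif ($fromOffice)            { $confidence = 'medium' }
        else                            { $confidence = 'low' }

        [pscustomobject]@{
            Time        = $e.Time
            Parent      = $parent
            Confidence  = $confidence
            CommandLine = $e.CommandLine
        }
    }
}

# Constructed sample: one benign troubleshooter launch, one Office-spawned MSDT call.
$sampleEvents = @(
    [pscustomobject]@{
        Time        = '2022-05-30T09:12:01Z'
        Image       = 'C:\Windows\System32\msdt.exe'
        ParentImage = 'C:\Windows\System32\control.exe'
        CommandLine = '"C:\Windows\System32\msdt.exe" -path C:\Windows\diagnostics\system\Audio'
    },
    [pscustomobject]@{
        Time        = '2022-05-30T09:15:44Z'
        Image       = 'C:\Windows\System32\msdt.exe'
        ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
        # Truncated; the real samples carry a long obfuscated /param string.
        CommandLine = '"C:\Windows\System32\msdt.exe" ms-msdt:/id PCWDiagnostic /skip force /param "..."'
    }
)

Find-SuspiciousMsdt -Events $sampleEvents | Format-Table -AutoSize
```

Only the second sample is reported, with confidence "high". The preview-pane variant Beaumont describes would not have an Office parent, so the protocol-string match is kept as a lower-confidence catch-all rather than being dropped.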
Yesterday Microsoft published a brief guide to workarounds and recommendations to help customers mitigate the newly discovered vulnerability. Currently, disabling the MSDT URL protocol (removing the ms-msdt registry key) seems to be the safest option. The trade-off is that troubleshooters can no longer be launched from links anywhere in the operating system, although they remain reachable through the Get Help app and Settings, and the registry key can be restored from a backup once a fix is installed. Microsoft's guidance also points Defender for Endpoint customers to the attack surface reduction rule that blocks Office applications from creating child processes, which cuts the Word-to-MSDT chain at the process level.
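The following PowerShell is an added example, not Microsoft's published script, showing the workaround as a reversible operation: export the ms-msdt handler key, delete it, verify it is gone, and restore it later. It must run in an elevated session; the backup file location is an assumption.

```powershell
# Added example (not Microsoft's own script). Back up, remove, verify and restore
# the ms-msdt URL protocol handler. Run elevated. $BackupFile path is an assumption.

$HandlerKey = 'HKEY_CLASSES_ROOT\ms-msdt'
$BackupFile = Join-Path $env:SystemDrive 'ms-msdt-backup.reg'

function Test-MsdtHandlerPresent {
    # The Registry:: provider path avoids needing an HKCR: drive mounted.
    Test-Path -Path "Registry::$HandlerKey"
}

function Backup-MsdtHandler {
    if (-not (Test-MsdtHandlerPresent)) { throw "$HandlerKey not found; nothing to back up" }
    reg.exe export $HandlerKey $BackupFile /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg export failed with exit code $LASTEXITCODE" }
    Write-Host "Exported $HandlerKey to $BackupFile"
}

function Disable-MsdtHandler {
    Backup-MsdtHandler
    reg.exe delete $HandlerKey /f | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg delete failed with exit code $LASTEXITCODE" }
    if (Test-MsdtHandlerPresent) { throw 'Handler key still present after delete' }
    Write-Host 'ms-msdt handler removed; ms-msdt: links will no longer launch MSDT'
}

function Restore-MsdtHandler {
    if (-not (Test-Path -Path $BackupFile)) { throw "Backup $BackupFile not found" }
    reg.exe import $BackupFile | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg import failed with exit code $LASTEXITCODE" }
    if (-not (Test-MsdtHandlerPresent)) { throw 'Handler key missing after import' }
    Write-Host "Restored $HandlerKey from $BackupFile"
}

# Usage:
#   Disable-MsdtHandler       # apply the workaround
#   Test-MsdtHandlerPresent   # returns $false once applied
#   Restore-MsdtHandler       # undo after a fix is installed
```

Keep the exported .reg file somewhere it will survive until the workaround is reverted; without it, restoring the handler means rebuilding the key by hand. Because the deletion is in HKEY_CLASSES_ROOT it is machine-wide, so every user of the host loses ms-msdt: links until it is restored.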