1 min read

New Microsoft Office Zero-Day ‘Follina’ Exploited in Remote Code Execution Attacks

Vlad CONSTANTINESCU

Security researchers recently discovered a new Microsoft Office zero-day flaw exploited in PowerShell remote code execution attacks. The new vulnerability, tracked as CVE-2022-30190, would let hackers execute malicious PowerShell commands through Microsoft Diagnostic Tool (MSDT).

Researchers believe the flaw, dubbed “Follina,” has been around for a while, as they traced it back to a Microsoft report made on April 12. The vulnerability leverages Office functionality to download an HTML file, which exploits the MSDT to let attackers execute code remotely on compromised devices.

To make matters worse, Follina works without elevated privileges, can bypass Windows Defender detection, and doesn’t need macro code enabled to run scripts or execute binaries. The flaw was discovered by accident last Friday when security researcher nao_sec stumbled upon a malicious Word document submitted to a virus scanning platform.

The researcher posted a screenshot of some obfuscated code used by the malicious file, which security researcher Kevin Beaumont deobfuscated. Beaumont said the code is a command-line string that can be executed by Microsoft Word through MSDT, even if macros are not enabled.

Running the PowerShell script would extract a Base64-encoded file from a RAR archive on the compromised device and execute it. However, the nature of the malicious activity remains unclear, as the extracted file is no longer available.

Microsoft Office’s Protected View feature is triggered to warn users about potentially unsafe documents. However, Beaumont believes that converting the document to Rich Text Format (RTF) could let attackers bypass this warning and even run the obfuscated code “without even opening the document (via the preview tab in Explorer).”

Yesterday Microsoft published a brief guide to workarounds and recommendations to help customers mitigate the newly discovered vulnerability. Currently, disabling the MSDT URL protocol seems to be the safest option.
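Microsoft’s published workaround disables the protocol by removing its registry handler key, HKEY_CLASSES_ROOT\ms-msdt, after exporting a backup so it can be restored once a patch is applied. The PowerShell script below is an added example, not code from the article or from Microsoft; it wraps that workaround into audit, disable and restore functions, and the backup path is an assumption.

```powershell
# Added example (not from the article): audit, disable and restore the
# ms-msdt URL protocol handler used by CVE-2022-30190 ("Follina").
# Run from an elevated PowerShell session. The backup location is assumed.
$BackupPath = "$env:ProgramData\ms-msdt-backup.reg"

function Test-MsdtProtocolEnabled {
    # The protocol is still reachable while its handler key exists under HKCR.
    return Test-Path -Path 'Registry::HKEY_CLASSES_ROOT\ms-msdt'
}

function Disable-MsdtProtocol {
    param([string]$Backup = $BackupPath)
    if (-not (Test-MsdtProtocolEnabled)) {
        Write-Warning 'ms-msdt handler not present; nothing to do.'
        return $true
    }
    # Export a backup first; refuse to delete if the backup did not succeed.
    reg.exe export 'HKEY_CLASSES_ROOT\ms-msdt' $Backup /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Backup to $Backup failed; key left in place." }
    reg.exe delete 'HKEY_CLASSES_ROOT\ms-msdt' /f | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'Deleting HKEY_CLASSES_ROOT\ms-msdt failed.' }
    # Re-check so the caller gets the actual post-change state, not an assumption.
    return -not (Test-MsdtProtocolEnabled)
}

function Restore-MsdtProtocol {
    param([string]$Backup = $BackupPath)
    # Re-import the exported key once the system has been patched.
    reg.exe import $Backup | Out-Null
    return ($LASTEXITCODE -eq 0) -and (Test-MsdtProtocolEnabled)
}

# Usage: report whether the handler is registered, then remove it.
Write-Host "ms-msdt handler registered before: $(Test-MsdtProtocolEnabled)"
Write-Host "ms-msdt handler removed: $(Disable-MsdtProtocol)"
```

Test-MsdtProtocolEnabled on its own is a quick fleet-wide audit check; run Restore-MsdtProtocol after the security update is installed.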
