Microsoft Office zero-day

Microsoft Office zero-day “Follina”—it’s not a bug, it’s a feature! (It’s a bug)

Update: Please see our FAQ for the latest guidance and mitigation tips on Follina.

On Monday May 30, 2022, Microsoft issued CVE-2022-30190 regarding a vulnerability in the Microsoft Support Diagnostic Tool (MSDT) in Windows.

The mitigation offered by Microsoft consists of an alternative method to unregister the MSDT URL protocol.
Several researchers have come across a novel attack that circumvents Microsoft’s Protected View and anti-malware detection.

The attack vector uses the Word remote template feature to retrieve an HTML file from a remote web server. It goes on to use the ms-msdt protocol URI scheme to load some code, and then execute some PowerShell.

All of the above methods are features, but if we tell you that, put together, they allow an attacker to remotely run code on your system by tricking you into clicking a link, that sounds quite disturbing, doesn't it?

Well, you’d be right to be concerned. That little sequence of features adds up to a zero-day flaw in Microsoft Office that is being abused in the wild to achieve arbitrary code execution on Windows systems.
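The first link in that chain, a Word document whose attached template points at a remote server, is visible inside the document itself before anything is opened. The following PowerShell audit is an added example written for this post, not code from Malwarebytes or from the researchers mentioned here. It assumes OOXML files (.docx, .dotx, .docm) and that the template link is stored, as the format specifies, in word/_rels/settings.xml.rels as an attachedTemplate relationship with TargetMode="External"; the Downloads folder used at the bottom is just a sample starting point.

```powershell
# Added example: flag Office documents whose attached template lives on a remote
# server (http/https URL or UNC path). A template stored locally is normal and is
# not reported. Assumption: the link sits in word/_rels/settings.xml.rels.
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Get-RemoteTemplateLinks {
    param([Parameter(Mandatory)][string]$Path)

    $findings = @()
    $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
    try {
        $entry = $zip.GetEntry('word/_rels/settings.xml.rels')
        # No settings relationships at all means no attached template of any kind.
        if ($null -eq $entry) { return $findings }

        $reader = New-Object System.IO.StreamReader($entry.Open())
        try { [xml]$rels = $reader.ReadToEnd() } finally { $reader.Dispose() }

        foreach ($rel in $rels.Relationships.Relationship) {
            # Only an External target that resolves over the network is worth a look.
            if ($rel.Type -like '*/attachedTemplate' -and
                $rel.TargetMode -eq 'External' -and
                $rel.Target -match '^(https?://|\\\\)') {
                $findings += [pscustomobject]@{ File = $Path; Target = $rel.Target }
            }
        }
    }
    finally { $zip.Dispose() }
    return $findings
}

# Sample sweep (constructed starting point): every Word OOXML file under Downloads.
Get-ChildItem -Path (Join-Path $env:USERPROFILE 'Downloads') -Recurse -Include *.docx, *.dotx, *.docm |
    ForEach-Object { Get-RemoteTemplateLinks -Path $_.FullName } |
    Format-Table -AutoSize
```

A hit is not proof of malice, since some organisations do host templates on an internal server; it is the cue to look at where the target resolves and what the server returns, and a UNC or internet target in a document that arrived by email deserves the same suspicion as a macro would.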

Jerome Segura, Malwarebytes’ Senior Director, Threat Intelligence:

This elegant attack is designed to bypass security products and fly under the radar by leveraging Microsoft Office’s remote template feature and the ms-msdt protocol to execute malicious code, all without the need for macros.

The most prominent researchers working on the issue have dubbed the Microsoft Office vulnerability Follina, because a sample uploaded to VirusTotal included the area code for the Italian comune Follina.

The first researcher to find and report Follina used in the wild goes by the handle @CrazymanArmy. Our own analyst Hossein Jazi had also spotted the same maldoc, although at the time the remote template was down, leaving out a critical piece of the attack chain.

It was more recently made public again by @nao_sec.

Affected versions

Under normal circumstances, files from potentially unsafe locations are opened as read-only or in Protected View. However, this warning can be easily bypassed by changing the document to a Rich Text Format (RTF) file. By doing so, the code can run without the document even being opened, via the preview tab in Explorer.

While the research is ongoing and the infosec community is testing and probing, we are receiving mixed signals as to whether the latest, fully patched version of Office 365 is vulnerable to this type of attack. Older versions are certainly vulnerable, which already makes it a problem with a huge attack surface.

Researcher Kevin Beaumont provides the example where an attacker can send an email with this text as a hyperlink:

ms-excel:ofv|u|https://blah.com/poc.xls

And Outlook will allow the user to click the hyperlink and open the Excel document. Because the document isn't attached to the email, and the URI doesn't start with http or https, most email gateways will let it slide straight through, as nothing appears malicious.

As we stated earlier, even looking at a specially crafted file in the preview pane of Windows Explorer could trigger the attack. Microsoft has been made aware of the issues and their possible consequences. While its first reaction was that there was no security issue, it now seems this needs to be fixed.

Mitigation

There are a few things you can do to stop some or all of the “features” used in this type of attack.

Unregister the ms-msdt protocol

Will Dormann, a vulnerability analyst at the CERT/CC, has published a registry fix that will unregister the ms-msdt protocol.

Copy and paste the text into a Notepad document, then:

  • Click on File, then Save As…
  • Save it to your Desktop, entering disable_ms-msdt.reg as the file name in the file name box.
  • Click Save, and close the Notepad document.
  • Double-click the disable_ms-msdt.reg file on your desktop.

Note: if you are prompted by User Account Control, select Yes or Allow so the fix can continue.

  • A message will appear about adding information into the registry; click Yes when prompted.
  • A prompt should appear confirming that the information was added successfully.
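For administrators who would rather script the same change across many machines, here is an added PowerShell version of the unregistration, written for this post rather than taken from Will Dormann's .reg file or from Microsoft's advisory. It assumes the handler is registered at HKEY_CLASSES_ROOT\ms-msdt (the key Microsoft's own workaround for CVE-2022-30190 refers to), takes a backup before deleting anything so the handler can be restored once a patch is installed, and must run from an elevated prompt; the backup path on the Desktop is an arbitrary choice.

```powershell
# Added example: unregister the ms-msdt URL protocol handler with a backup first.
# Assumption: the handler lives under HKEY_CLASSES_ROOT\ms-msdt. Run elevated.
$key    = 'Registry::HKEY_CLASSES_ROOT\ms-msdt'
$backup = Join-Path $env:USERPROFILE 'Desktop\ms-msdt-backup.reg'

function Test-MsdtHandlerRegistered {
    # True while the protocol handler key is still present.
    return (Test-Path -Path $key)
}

function Disable-MsdtHandler {
    if (-not (Test-MsdtHandlerRegistered)) {
        Write-Output 'ms-msdt protocol handler is not registered; nothing to do.'
        return
    }
    # reg.exe export produces a .reg file that `reg import` can replay later.
    & reg.exe export 'HKEY_CLASSES_ROOT\ms-msdt' $backup /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'Backup failed; refusing to delete the key.' }

    Remove-Item -Path $key -Recurse -Force
}

function Restore-MsdtHandler {
    # Reverse the change once the system is patched.
    if (-not (Test-Path -Path $backup)) { throw "No backup found at $backup" }
    & reg.exe import $backup
}

Disable-MsdtHandler
if (Test-MsdtHandlerRegistered) {
    Write-Warning 'Handler is still present; was this run from an elevated prompt?'
} else {
    Write-Output "ms-msdt unregistered; backup saved to $backup"
}
```

Run Test-MsdtHandlerRegistered on its own to audit a machine without changing it; Restore-MsdtHandler puts the key back from the backup, which is what you want once Microsoft's fix is in place, because the handler does have a legitimate job in the troubleshooters.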

Disable preview in Windows Explorer

If you have the preview pane enabled, you can:

  • Open File Explorer.
  • Click on the View tab.
  • Click on Preview Pane to hide it.

ABOUT THE AUTHOR

Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.