The Australian Cyber Security Centre (ACSC) has issued a critical alert for a recently discovered Microsoft Office exploit, “Follina”, that is already wreaking havoc on Australian organizations but was initially dismissed by the software giant as a “non-security issue”.
The exploit allows a remote actor to execute code under the privileges of the user who selected or opened the malicious document.
Microsoft has confirmed the Remote Code Execution (RCE) vulnerability in Microsoft Support Diagnostic Tool (MSDT), which can be triggered simply by opening a malicious Word document.
The vulnerability is now tracked as CVE-2022-30190, but in April 2022, when it was discovered by security researchers, it was a zero-day exploit with no ID assigned.
This means that the RCE flaw was being actively exploited by threat actors even before Microsoft became aware of it.
The lack of an identifier gave rise to the nickname Follina, assigned by the security researcher Kevin Beaumont, who was among the first to write about it.
Due to the public availability of several proof-of-concept (PoC) examples, the potential impact of exploitation, and the massive attack surface, this zero-day is considered one of the most critical vulnerabilities in the year to date.
Discovery and exploitation
The flaw was first reported by a collective of cybersecurity students that hunts for APT indicators of compromise for fun, education, and to contribute to research.
But Microsoft dismissed their report as a “non-security issue” in April, so the tech giant inadvertently allowed the exploit to continue for another month.
Proofpoint researchers published evidence of a Chinese APT (Advanced Persistent Threat) group exploiting Follina by delivering ZIPs containing Word documents that trigger it.
Fix and Workarounds
Currently, there is no fix available for CVE-2022-30190, and Microsoft has not provided an estimate of when a fix will arrive.
The next Patch Tuesday is scheduled for June 14, 2022, but the zero-day will most likely be resolved by an out-of-band security update.
The official workaround in Microsoft’s guidance published on May 30, 2022, is to disable the MSDT URL protocol completely.
Unfortunately, even for users who do not need this function, the change can only be applied by modifying the registry, which carries its own risks.
The ACSC also recommended that corporate networks prevent all Office applications from creating child processes.
Many experts have pointed out that the industry has not had time to study this flaw thoroughly, so even this “messy” workaround might not be effective against all possible attacks.
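The two workarounds above put into one administrative script, as an added example that is not from the article, the ACSC or Microsoft. The HKEY_CLASSES_ROOT\ms-msdt key path and the Defender ASR rule GUID are not on the page; they are taken from Microsoft's published guidance as recalled here, so confirm them against the current advisory before rollout.

```powershell
# Added example: apply and verify the Follina workarounds described above.
# Key path and ASR GUID are assumed from Microsoft's guidance, not from the article.
#Requires -RunAsAdministrator

$ProtocolKey = 'Registry::HKEY_CLASSES_ROOT\ms-msdt'
$Backup      = Join-Path $env:ProgramData 'ms-msdt-backup.reg'
# ASR rule "Block all Office applications from creating child processes"
$OfficeChildProcRule = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'

function Disable-MsdtProtocol {
    if (-not (Test-Path $ProtocolKey)) {
        Write-Host 'ms-msdt protocol handler is not registered; nothing to do.'
        return
    }
    # Export first so the handler can be restored with `reg import` once a patch ships.
    reg.exe export 'HKEY_CLASSES_ROOT\ms-msdt' $Backup /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Backup to $Backup failed; aborting without changes." }
    reg.exe delete 'HKEY_CLASSES_ROOT\ms-msdt' /f | Out-Null
    Write-Host "ms-msdt handler removed; backup saved to $Backup"
}

function Enable-OfficeChildProcessBlock {
    # Requires Microsoft Defender Antivirus to be the active engine on the host.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $OfficeChildProcRule `
                     -AttackSurfaceReductionRules_Actions Enabled
    Write-Host 'ASR rule enabled: Office applications blocked from creating child processes'
}

function Test-FollinaWorkarounds {
    # Summary for compliance checks: handler should be absent, rule action should be 1 (Block).
    $prefs  = Get-MpPreference
    $ids    = @($prefs.AttackSurfaceReductionRules_Ids)
    $action = 'NotConfigured'
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -eq $OfficeChildProcRule) { $action = $prefs.AttackSurfaceReductionRules_Actions[$i] }
    }
    [pscustomobject]@{
        MsdtHandlerPresent = Test-Path $ProtocolKey
        OfficeRuleAction   = $action
    }
}

Disable-MsdtProtocol
Enable-OfficeChildProcessBlock
Test-FollinaWorkarounds
```

Run Test-FollinaWorkarounds on its own from a monitoring job to catch hosts where the registry change was reverted or the ASR rule was never applied.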
Flaw and impact
CVE-2022-30190 gives remote actors code execution capabilities on multiple versions of Microsoft Office, including fully patched Office 2013, 2016, 2019, and 2021, all widely used in the public and private sectors.
The problem lies in the way MSDT is called from specific applications, including MS Office, via its URL protocol. This allows a remote actor to execute code with the privileges of the user who selected or opened the malicious document.
The first real-world exploits seen in April used the zero-day to run PowerShell on the system, but as security researchers point out, dropping payloads on the target system is also possible.
Microsoft highlights other potential repercussions in its advisory, including data manipulation, new account creation, program installation, and information disclosure.
While technically the flaw is triggered via a local mechanism, the vector is still practically remote, as the document triggering the exploit is sent via email and the dropped payload is controlled by a remote actor.
In subsequent infosec community testing to verify the vulnerability after it was disclosed on May 27, 2022, one of the security firms involved, Huntress Labs, developed a no-click attack via an RTF document.
The Huntress Labs attack removes the need to trick the victim into opening the document: merely selecting it brings up MSDT in the Explorer preview pane, triggering the exploit on all versions of Windows.