A zero-day vulnerability (one for which no patch currently exists) in Microsoft Office was discovered and reported over the weekend. It allows remote code execution simply by opening a Word document, even in preview mode. Microsoft has assigned CVE-2022-30190 to this flaw, though it is generally being referred to as the Follina vulnerability.
When the malicious Word document is opened, even in preview mode, the file executes malicious PowerShell commands via the Microsoft Diagnostic Tool (MSDT), giving the attacker elevated privileges (up to and including root or full system access) on the remote target PC or server.
This code works even if the target end user does not have any elevated privileges on the PC or network, and it is currently evading Microsoft Defender detection.
Currently there is no patch to correct this vulnerability, and there are no clear or simple workarounds to mitigate the threat. Some potential registry-based mitigations are under investigation and consideration, but at this time the IT security industry has not had enough time to study the short-term and long-term impacts of such changes.
The best advice going forward is to be very cautious when receiving and opening Microsoft Office attachments via email:
- Do not open or preview MS Office attachments from unknown email senders.
- Even when the sender is known, be very cautious before opening any attachment. Ask yourself: was this email expected? Is this the file name and type I should expect?
- Warn your users about this issue and explain how to be extra vigilant when receiving and opening email attachments.
The following are several links providing additional details about this threat:
UPDATE (June 1, 2022):
Microsoft has officially released a workaround for this vulnerability. Per the team at Threatpost and Microsoft:
While no patch yet exists for the flaw, Microsoft is recommending that affected users disable the MSDT URL to mitigate it for now. This “prevents troubleshooters being launched as links including links throughout the operating system,” the company wrote in their advisory.
To do this, users must follow these steps: run Command Prompt as Administrator; back up the registry key by executing the command “reg export HKEY_CLASSES_ROOT\ms-msdt filename”; and execute the command “reg delete HKEY_CLASSES_ROOT\ms-msdt /f”.
“Troubleshooters can still be accessed using the Get Help application and in system settings as other or additional troubleshooters,” the company said.
Because these steps involve registry changes that could have an ongoing impact on the system, caution should be taken before implementing this workaround. It should only be considered in high-risk situations where the threat of exploitation is significant. If other mitigating controls are in place, including strong email gateway filtering, advanced endpoint malware protection, and effective end user awareness training, then this workaround may not be an immediate need.
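The workaround steps quoted above, as an added PowerShell script that is not part of the original post or of Microsoft's advisory: it runs the same reg export and reg delete, refuses to delete the key unless the backup succeeded, and can re-import the newest backup with -Restore if the change needs to be reverted. The backup directory under ProgramData is an assumed location, not one named in the advisory.

```powershell
# Added example (not from the original post or Microsoft's advisory): apply or
# revert the CVE-2022-30190 registry workaround with a verified backup.
# $BackupDir is an assumed location; change it to suit your environment.
[CmdletBinding(SupportsShouldProcess)]
param(
    [switch]$Restore,                                          # re-import the newest backup instead of deleting
    [string]$BackupDir = "$env:ProgramData\FollinaWorkaround"  # assumed path, not from the advisory
)

$key     = 'HKEY_CLASSES_ROOT\ms-msdt'            # the ms-msdt: URL protocol handler
$keyPath = 'Registry::HKEY_CLASSES_ROOT\ms-msdt'  # same key, as a PowerShell provider path

# The advisory requires an elevated session; fail early if we are not one.
$identity = [Security.Principal.WindowsIdentity]::GetCurrent()
$isAdmin  = ([Security.Principal.WindowsPrincipal]$identity).IsInRole(
                [Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $isAdmin) { throw 'Run this from an elevated (Administrator) PowerShell session.' }

if ($Restore) {
    # Revert: re-register the handler from the most recent .reg backup.
    $latest = Get-ChildItem -Path $BackupDir -Filter 'ms-msdt-*.reg' -ErrorAction Stop |
              Sort-Object LastWriteTime -Descending | Select-Object -First 1
    if (-not $latest) { throw "No backup found in $BackupDir; nothing to restore." }
    if ($PSCmdlet.ShouldProcess($key, "Restore from $($latest.FullName)")) {
        reg import $latest.FullName | Out-Null
        if ($LASTEXITCODE -ne 0) { throw 'reg import failed; key not restored.' }
        Write-Host "Restored $key from $($latest.Name)"
    }
    return
}

if (-not (Test-Path $keyPath)) {
    Write-Host "$key is not present; the MSDT URL protocol is already disabled."
    return
}

# Step 1 of the advisory: export the key before touching it (timestamped so reruns never overwrite).
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$backup = Join-Path $BackupDir ('ms-msdt-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))
reg export $key $backup /y | Out-Null
if ($LASTEXITCODE -ne 0 -or -not (Test-Path $backup)) {
    throw "Backup of $key failed; aborting without deleting anything."
}

# Step 2 of the advisory: delete the handler so ms-msdt: links no longer launch troubleshooters.
if ($PSCmdlet.ShouldProcess($key, 'Delete registry key')) {
    reg delete $key /f | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg delete failed; the backup is at $backup" }
    if (Test-Path $keyPath) { throw 'Key still present after delete; check permissions.' }
    Write-Host "Removed $key (backup: $backup)"
}
```

Run with -WhatIf first to see both actions without changing the registry; the exit code of each reg.exe call is checked so a failed backup never leads to a deletion.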