{"id":19181,"date":"2022-05-30T10:10:09","date_gmt":"2022-05-30T18:10:09","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2022\/05\/30\/news-12914\/"},"modified":"2022-05-30T10:10:09","modified_gmt":"2022-05-30T18:10:09","slug":"news-12914","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2022\/05\/30\/news-12914\/","title":{"rendered":"Microsoft Office zero-day “Follina”\u2014it\u2019s not a bug, it\u2019s a feature! (It’s a bug)"},"content":{"rendered":"

Credit to Author: Pieter Arntz| Date: Mon, 30 May 2022 18:09:26 +0000<\/strong><\/p>\n

Several researchers have come across a novel attack that circumvents Microsoft’s Protected View and anti-malware detection.<\/p>\n

The attack vector uses the Word remote template feature to retrieve an HTML file from a remote webserver. It goes on to use the ms-msdt<\/code> protocol URI scheme to load some code, and then execute some PowerShell.<\/p>\n

All of the above methods are features, but if we tell you that put together this allows an attacker to remotely run code on your system by tricking you into clicking a link, that sounds quite disturbing doesn\u2019t it?<\/p>\n

Well, you’d be right to be concerned. That little sequence of features adds up to a zero-day flaw in Microsoft Office that is being abused in the wild to achieve arbitrary code execution on Windows systems. <\/p>\n

Jerome Segura, Malwarebytes’ Senior Director, Threat Intelligence:<\/p>\n

\n

This elegant attack is designed to bypass security products and fly under the radar by leveraging Microsoft Office’s remote template feature and the ms-msdt protocol to execute malicious code, all without the need for macros.<\/p>\n<\/blockquote>\n

The most prominent researchers working on the issue have dubbed the vulnerability in Microsoft Office Follina<\/strong>, because a sample uploaded to VirusTotal included the area code for the Italian comune Follina.<\/p>\n

Affected versions<\/h2>\n

Under normal circumstances, files from potentially unsafe locations are opened as read only or in Protected View. However, this warning can be easily bypassed by changing the document to a Rich Text Format (RTF) file. By doing so, the code can run without even opening the document via the preview tab in Explorer.<\/p>\n

While the research is ongoing and the info security community is testing and probing, we are receiving some mixed signals whether the latest, fully patched, version of Office 365 is vulnerable to this type of attack or not. Older versions are certainly vulnerable, which already makes it a problem with a huge attack surface.<\/p>\n

Researcher Kevin Beaumont provides the example<\/a> where an attacker can send an email with this text as a hyperlink:<\/p>\n

ms-excel:ofv|u|https:\/\/blah.com\/poc.xls<\/pre>\n
And Outlook will allow the user to click the hyperlink and open the Excel document. Because the document isn\u2019t attached to the email, and the URI doesn\u2019t start with http or https, most email gateways are going to let that slide straight through as nothing appears malicious.<\/p>\n
As we stated earlier, even looking at a specially crafted file in the preview pane of Windows Explorer could trigger the attack. Microsoft has been made aware of the issues and the possible consequences. While its first reaction was that there was no security issue, it seems this needs to be fixed.<\/p>\n
Mitigation<\/h2>\n
There are a few things you can do to stop some or all of the \u201cfeatures\u201d used in this type of attack.<\/p>\n
Unregister the ms-msdt protocol<\/h3>\n
Will Dormann, a vulnerability analyst at the CERT\/CC has published a registry fix<\/a> that will unregister the ms-msdt protocol.<\/p>\n
Copy and paste the text into a notepad document:<\/p>\n