Warning about exploitation of 0-day vulnerability in Microsoft Office – Word ms-msdt (Follina)

UPDATE 01.06.2022 at 17:20: Warning of active vulnerability exploitation and added mitigation recommendations

UPDATE 31.05.2022 at 13:40: Added CVE and vulnerability mitigation method

The National Cyber Security Centre SK-CERT warns of a critical 0-day vulnerability in Microsoft Office. The vulnerability is currently being actively exploited by attackers and there is a very high assumption that they can hit the Slovak cyberspace in their attack activities.

The critical vulnerability, which has not yet been assigned the CVE identifier CVE-2022-30190, is particularly serious as it is more suitable for email phishing attacks than the currently used malicious office documents requiring macro permissions. Once the malicious Office document is opened, the user does not need to enable macros and the code itself is immediately executed with user privileges.

The security researcher who discovered the vulnerability noted in his analysis that for Rich Text Format (.rtf) documents, the malicious code can already be executed during the Preview panel in Windows explorer, which increases the criticality of the vulnerability and can be executed without the user ever having to open the file.

Vulnerability, exploits the “MS diag tool” mechanism in Office, which is used to send diagnostic data. When previewing or opening a malicious document, a specially prepared HTML file is automatically downloaded, which then executes malicious code on the computer by exploiting the “ms-msdt://” function. The vulnerability has so far only been confirmed in Microsoft Word, but it cannot be excluded in other Office applications.

An exhaustive list of vulnerable versions of Microsoft Office is not yet known. So far, the vulnerability has been confirmed in the following versions (as of 30.05.2022):

• MS Office 2013
• MS Office 2016
• MS Office 2019
• MS Office 2021
• MS Office Pro Plus (April 2022)
• MS Office 365 Semi-Annual Channel

Recommendations

NCKB SK-CERT recommends temporarily not using Microsoft Word to open documents from unverified unknown sources. As an alternative, alternative office suite can be used in unavoidable cases.

We also recommend updating the antivirus product and its database and then manually scanning all Office documents received recently. Please report any occurrence of this malicious code to [email protected].

We also recommend that organizations check their mail for Office documents (especially documents with .rtf, .doc, .docx, .docm, .xls, .xlsx, .xlsm, .ppt, .pptx extensions) received recently, especially since May 25th. Attackers may also send malicious attachments packed in a .zip archive, so it is important to also check mail with such attachments. We recommend that all non-standard, unsolicited or suspicious files be packed in a .zip archive protected with the password “infected” (without quotes) and emailed to [email protected].

Microsoft has released a workaround on Windows systems for this vulnerability. The temporary mitigation is to disable the MSDT URL Protocol as follows:

1. Run the command prompt as Administrator.
2. back up the current key value in the registry by running the command “reg export HKEY_CLASSES_ROOT\ms-msdt filename” (choose the filename value as you wish)
3. execute the command “reg delete HKEY_CLASSES_ROOT\ms-msdt /f”.

The complete procedure on how to apply the workaround along with additional information can be found at https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/.

Other measures that can be applied to mitigate the vulnerability:

• Enable cloud protection and automatic sending of samples via Microsoft Defender (this is a measure Microsoft recommends you consider as it could also result in unwanted sending of your sensitive content)
• Reduce attack possibilities by disabling sub-processes in Office applications (disabling child processes or processes run by Microsoft Office)
• disable the MSDT protocol on Windows devices
• disable MSDT via AppLocker
• disable the preview pane in Windows Explorer

Vulnerability analysis is still ongoing and the article will be updated if new information is found.

Resources:

• https://thehackernews.com/2022/05/watch-out-researchers-spot-new.html
• https://www.huntress.com/blog/microsoft-office-remote-code-execution-follina-msdt-bug
• https://twitter.com/buffaloverflow/status/1530866518279565312
• https://twitter.com/GossiTheDog/status/1531185196619468801?ref_src=twsrc%5Etfw
• https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30190

https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/

« Späť na zoznam