[Updated]Microsoft Office zero-day “Follina”—it’s not a bug, it’s a feature! (It’s a bug)

Credit to Author: Pieter Arntz| Date: Mon, 30 May 2022 18:09:26 +0000

Several researchers have come across a novel attack that circumvents Microsoft’s Protected View and anti-malware detection.

The attack vector uses the Word remote template feature to retrieve an HTML file from a remote webserver. It goes on to use the ms-msdt protocol URI scheme to load some code, and then execute some PowerShell.

All of the above methods are features, but if we tell you that put together this allows an attacker to remotely run code on your system by tricking you into clicking a link, that sounds quite disturbing doesn’t it?

Well, you’d be right to be concerned. That little sequence of features adds up to a zero-day flaw in Microsoft Office that is being abused in the wild to achieve arbitrary code execution on Windows systems.

Jerome Segura, Malwarebytes’ Senior Director, Threat Intelligence:

This elegant attack is designed to bypass security products and fly under the radar by leveraging Microsoft Office’s remote template feature and the ms-msdt protocol to execute malicious code, all without the need for macros.

The most prominent researchers working on the issue have dubbed the vulnerability in Microsoft Office Follina, because a sample uploaded to VirusTotal included the area code for the Italian comune Follina.

The first researcher to find and report Follina used in the wild goes by the handle @CrazymanArmy. Our own analyst Hossein Jazi had also spotted the same maldoc, although at the time the remote template was down, leaving out a critical piece of the attack chain.

It was more recently made public again by @nao_sec.

Affected versions

Under normal circumstances, files from potentially unsafe locations are opened as read only or in Protected View. However, this warning can be easily bypassed by changing the document to a Rich Text Format (RTF) file. By doing so, the code can run without even opening the document via the preview tab in Explorer.

While the research is ongoing and the info security community is testing and probing, we are receiving some mixed signals whether the latest, fully patched, version of Office 365 is vulnerable to this type of attack or not. Older versions are certainly vulnerable, which already makes it a problem with a huge attack surface.

Researcher Kevin Beaumont provides the example where an attacker can send an email with this text as a hyperlink:

ms-excel:ofv|u|https://blah.com/poc.xls

And Outlook will allow the user to click the hyperlink and open the Excel document. Because the document isn’t attached to the email, and the URI doesn’t start with http or https, most email gateways are going to let that slide straight through as nothing appears malicious.

As we stated earlier, even looking at a specially crafted file in the preview pane of Windows Explorer could trigger the attack. Microsoft has been made aware of the issues and the possible consequences. While its first reaction was that there was no security issue, it seems this needs to be fixed.

Mitigation

There are a few things you can do to stop some or all of the “features” used in this type of attack.

Unregister the ms-msdt protocol

Will Dormann, a vulnerability analyst at the CERT/CC has published a registry fix that will unregister the ms-msdt protocol.

Copy and paste the text into a notepad document:

  • Click on File, then Save As…
  • Save it to your Desktop, then name the file disable_ms-msdt.reg in the file name box.
  • Click Save, and close the notepad document.
  • Double-click the file disable_ms-msdt.reg on your desktop.

Note, if you are prompted by User Account Control, select Yes or Allow so the fix can continue.

  • A message will appear about adding information into the registry, click Yes when prompted
  • A prompt should appear that the information was added successfully

Disable preview in Windows Explorer

If you have the preview pane enabled, you can:

  • Open File Explorer.
  • Click on View Tab.
  • Click on Preview Pane to hide it.

Enable Malwarebytes’ Block penetration testing attacks

The Malwarebytes’ Block penetration testing attacks setting is an aggressive detection setting that will block this attack. It is not enabled by default because while enabling it provides additional blocking capabilities for Exploit Protection it can increase false positives, or result in other application conflicts.

To enable it:

  • Open Settings
  • Click Security
  • Choose Advanced settings
  • Tick Block penetration testing attacks

Update May 31, 2022

On Monday May 30, 2022, Microsoft issued CVE-2022-30190 regarding the Microsoft Support Diagnostic Tool (MSDT) in Windows vulnerability.

The workaround offered by Microsoft consists of an alternative method to unregister the MSDT URL Protocol.

The post [Updated]Microsoft Office zero-day “Follina”—it’s not a bug, it’s a feature! (It’s a bug) appeared first on Malwarebytes Labs.

https://blog.malwarebytes.com/feed/

Leave a Reply