Hackers Could Take Advantage of Zero Day Microsoft Office Vulnerability with Macros Disabled

Microsoft has released a security alert and has given a solution to stop a zero-day vulnerability identified in the Microsoft Windows Support Diagnostic Tool (MSDT) from exploitation.

The vulnerability is monitored as CVE-2022-30190 and has been called Follina by security experts. As per Microsoft, a remote code execution vulnerability is present when MSDT is called employing the URL protocol from a calling program for example Word.

During the weekend, security researcher nao_sec uncovered a Word document that was utilizing remote templates to implement PowerShell commands on specific systems through the MS-MSDT URL protocol program. In the latest blog article, security expert Kevin Beaumont mentioned that Microsoft Defender does not recognize the documents as malicious, and discovery through antivirus programs is bad because the documents employed to take advantage of the vulnerability don’t have any malicious code. Rather, they make use of remote templates to acquire an HTML file from a remote server, allowing a hacker to use malicious PowerShell commands.

A lot of email attacks that make use of attachments for sending malware demand that macros are activated; nevertheless, the vulnerability may be exploited despite macros being disabled. The vulnerability is taken advantage of when the attached file is opened. Beaumont likewise stated that zero-click exploitation is quite possible whenever an RTF file is employed, as the vulnerability could be exploited with no requirement to open the file through the preview tab in Explorer.

Microsoft stated in case an attacker successfully takes advantage of the vulnerability, malicious code may be executed with the privileges of the calling software. It would permit an attacker to set up applications, view, alter, or erase information, or make new accounts in the context granted by the user’s privileges. The vulnerability could be exploited in all Office versions beginning 2013, which include the present Office 365 version.

The vulnerability was originally reported to Microsoft last April and the vulnerability was designated a high severity CVSS score of 7.8 of 10 since Microsoft didn’t take into consideration the Follina vulnerability to be critical. Microsoft has currently provided a workaround and information that entails turning off the MSDT URL Protocol up to the point a patch is launched. Fast action is necessary to avoid the exploitation of the vulnerability. Vulnerabilities that may be taken advantage of using Office are speedily acquired by threat actors, specifically when they could be exploited with macros deactivated.

Several threat actors are recognized to be taking advantage of the vulnerability, such as the Chinese threat actor TA413, reported by Proofpoint. Palo Alto Networks Unit 42 team mentioned that based upon the volume of publicly accessible data, the convenience of use, and the real usefulness of this exploit, Palo Alto Networks strongly advises obeying Microsoft’s guidance to secure your enterprise right up until a patch is given to resolve the issue.