Zero-Day bug left Microsoft Office open to malware deployment


The vulnerability, which had been exploited in the wild for weeks before it was spotted, allows malware to be delivered from a remote server while bypassing Microsoft’s Defender antivirus.

The bug came to light after security researchers at Nao Sec found a malware-infected document on VirusTotal, uploaded from an IP address within Belarus.

After further investigation, security researcher Kevin Beaumont dubbed the flaw ‘Follina’ since the ‘spotted sample on the file references 0438, which is the area code of Follina in Italy.’


Unlike most Microsoft Office-related flaws, Follina exploits do not rely on macros, Office’s automation tool. Instead, the flaw is triggered through the Microsoft Word remote template feature.

“The document uses the Word remote template feature to retrieve a HTML file from a remote web server, which in turn uses the ms-msdt MSProtocol URI scheme to load some code and execute some PowerShell. That should not be possible,” Beaumont wrote.

The flaw allows executing code via the Microsoft Support Diagnostic Tool (MSDT) with macros disabled. In some cases, it allows running the malicious code even without opening the infected document.
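As an added illustration for defenders (example code, not from the article or the researchers it cites): a small triage check that opens a .docx, reads the standard OOXML relationship part for Word settings, reports any attached template that points to an external target, and flags fetched template HTML that references the ms-msdt URI scheme. The sample document, URL and HTML fragment are constructed here.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
# OOXML part that holds the attachedTemplate relationship for word/settings.xml
RELS_PART = "word/_rels/settings.xml.rels"


def external_templates(docx_bytes):
    """Return targets of attachedTemplate relationships marked External.

    A template fetched from a URL is the remote-template hook the article
    describes; a local template has no External target mode.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if RELS_PART not in z.namelist():
            return hits
        root = ET.fromstring(z.read(RELS_PART))
        for rel in root.iter(f"{{{REL_NS}}}Relationship"):
            if (rel.get("Type") == ATTACHED_TEMPLATE
                    and rel.get("TargetMode") == "External"):
                hits.append(rel.get("Target"))
    return hits


def references_msdt(html):
    """True if template HTML references the ms-msdt URI scheme (case-insensitive)."""
    return re.search(r"ms-msdt:", html, re.IGNORECASE) is not None


def build_sample_docx(target, mode="External"):
    """Constructed minimal .docx containing only the settings relationships part."""
    rels = (f'<?xml version="1.0" encoding="UTF-8"?>'
            f'<Relationships xmlns="{REL_NS}">'
            f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
            f'Target="{target}" TargetMode="{mode}"/></Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(RELS_PART, rels)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample with a placeholder remote host, not a real indicator.
    doc = build_sample_docx("http://example.invalid/template.html")
    print("external templates:", external_templates(doc))
    print("msdt reference:", references_msdt('<a href="ms-msdt:example">x</a>'))
```

Run it against real documents by passing the file contents to `external_templates`; any External attachedTemplate target is worth a closer look even when the fetched HTML is no longer available.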

Researchers noted that the earliest exploit of the bug in the wild was in April. Beaumont wrote that Follina was exploited to target Russia with a document masquerading as an interview invitation to talk at Russia’s state-controlled Sputnik Radio.

Researchers claim that the flaw can be exploited with fully updated versions of Office 2019. Others showed it could be exploited with Office 2021.

Microsoft’s Security Response Center (MSRC) released guidance to mitigate the issue. While the company acknowledges that the flaw, which was assigned the identifier CVE-2022-30190, allows a remote code execution (RCE) attack, it did not call it a zero-day exploit.
