Microsoft released an advisory on Monday acknowledging the zero-day Office flaw dubbed ‘Follina’ and suggested a possible fix for it.
The document assigned the vulnerability the identifier CVE-2022-30190 and a rating of 7.8 out of 10 on the Common Vulnerability Scoring System (CVSS) on the basis that its exploitation may enable malicious actors to achieve code execution on affected systems.
“An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application,” Microsoft wrote.
From a technical standpoint, the malicious document used the Word remote template feature to download an HTML file from a remote server; that file then used the MSDT (Microsoft Support Diagnostic Tool) URL Protocol to load code and launch a PowerShell session.
“The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights.”
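The chain described above ends with an Office process handing an ms-msdt: link to the troubleshooter, which is something an Office application has little reason to do on its own. The following added example, which is not part of the article or of Microsoft's advisory, shows the kind of process-lineage check a defender can run over process-creation telemetry. The records are constructed for the example and the field names (Parent, Image, CommandLine) are the example's own rather than any product's schema.

```powershell
# Added example, not from the article. Constructed sample process-creation
# records standing in for data such as Sysmon Event ID 1 or Windows 4688;
# the field names here are this example's own.
$events = @(
    [pscustomobject]@{
        Parent      = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
        Image       = 'C:\Windows\System32\msdt.exe'
        CommandLine = '"C:\Windows\System32\msdt.exe" ms-msdt:<constructed-placeholder>'
    },
    [pscustomobject]@{
        # A user opening a troubleshooter from the shell: same binary, benign parent.
        Parent      = 'C:\Windows\explorer.exe'
        Image       = 'C:\Windows\System32\msdt.exe'
        CommandLine = '"C:\Windows\System32\msdt.exe" -path C:\Windows\diagnostics\index\AudioPlaybackDiagnostic.xml'
    },
    [pscustomobject]@{
        Parent      = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
        Image       = 'C:\Windows\System32\splwow64.exe'
        CommandLine = 'splwow64.exe 12288'
    }
)

# Office binaries that should not normally spawn the diagnostic tool.
$officeParents = 'WINWORD.EXE', 'EXCEL.EXE', 'POWERPNT.EXE', 'OUTLOOK.EXE'

function Find-SuspiciousMsdtLaunch {
    param([Parameter(Mandatory)][object[]]$Events)
    # Flag msdt.exe whose direct parent is an Office application. The -in
    # operator is case-insensitive, so WINWORD.EXE and winword.exe both match.
    $Events | Where-Object {
        (Split-Path $_.Image  -Leaf) -ieq 'msdt.exe' -and
        (Split-Path $_.Parent -Leaf) -in $officeParents
    }
}

$hits = Find-SuspiciousMsdtLaunch -Events $events
# Only the first record is reported: explorer.exe launching msdt.exe is
# ordinary troubleshooter use, and Word spawning splwow64.exe is printing.
$hits | Format-Table Parent, Image, CommandLine -AutoSize
```

The match is deliberately on lineage rather than on command-line strings, so it does not depend on the exact ms-msdt: arguments an attacker chooses; tuning for an environment usually means adding any other document-handling parents that should never launch MSDT.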
In the advisory, Microsoft thanked crazyman, a member of the Shadow Chaser Group, for spotting and reporting the flaw back in April.
A sample exploiting the vulnerability was then reportedly uploaded from an IP address in Belarus to the VirusTotal malware scanning service in May and analyzed by security researcher Kevin Beaumont (nao_sec), who named it “Follina” after the eponymous Italian village, as the malicious file reference (0438) was the same as the village’s area code.
Writing in the advisory, Microsoft also suggested a possible fix, which essentially consists of disabling the MSDT URL Protocol altogether.
“Disabling MSDT URL protocol prevents troubleshooters being launched as links including links throughout the operating system.”
The advisory also notes that if the calling application is a Microsoft Office application, Microsoft Office will by default open documents from the internet in ‘Protected View’ or ‘Application Guard for Office’, both of which stop the Follina attack.
“Troubleshooters can still be accessed using the Get Help application and in system settings as other or additional troubleshooters,” Microsoft added.
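The workaround Microsoft describes comes down to removing the registration that lets ms-msdt: links start the troubleshooter. As an added example, not the article's or the advisory's own text, the script below performs that change from an elevated PowerShell session with a backup first, then verifies the result. It assumes the protocol handler is registered under HKEY_CLASSES_ROOT\ms-msdt and that the backup path is a choice for this example.

```powershell
# Added example, not from the article or Microsoft's advisory text quoted here.
# Assumes the ms-msdt URL protocol handler is registered under
# HKEY_CLASSES_ROOT\ms-msdt. Run from an elevated PowerShell session.
$backup = Join-Path $env:TEMP 'ms-msdt-backup.reg'   # backup location chosen for this example

# 1. Back up the handler so troubleshooter links can be restored after patching.
reg.exe export HKEY_CLASSES_ROOT\ms-msdt $backup /y
if ($LASTEXITCODE -ne 0) { throw "Backup failed; not removing the handler." }

# 2. Remove the protocol registration so ms-msdt: links no longer launch MSDT.
reg.exe delete HKEY_CLASSES_ROOT\ms-msdt /f

# 3. Verify: the key should no longer exist.
if (Test-Path 'Registry::HKEY_CLASSES_ROOT\ms-msdt') {
    Write-Warning 'ms-msdt handler is still present'
} else {
    Write-Output "ms-msdt URL protocol disabled; backup saved to $backup"
}

# To undo once a fix is installed:  reg.exe import $backup
```

Because the change is a registry deletion rather than a policy, it should be tracked like any other temporary hardening step and reverted from the backup once the vulnerability is patched; as the advisory notes, troubleshooters remain reachable through the Get Help application and system settings in the meantime.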
Further, the technology giant recommended that users relying on Microsoft Defender Antivirus turn on cloud-delivered protection and automatic sample submission.
“These capabilities use artificial intelligence and machine learning to quickly identify and stop new and unknown threats.”
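Both of the Defender settings Microsoft recommends can be set and checked with the Defender PowerShell module. The following is an added example, not text from the article or the advisory; it assumes the Windows Security toggle for "Automatic sample submission" corresponds to the SendSafeSamples consent level, and that the change is made with administrator rights.

```powershell
# Added example, not from the article or the advisory. Requires an elevated
# session on a machine running Microsoft Defender Antivirus.

# Cloud-delivered protection: 0 = Disabled, 1 = Basic, 2 = Advanced.
Set-MpPreference -MAPSReporting Advanced

# Automatic sample submission. Assumed here to match the Windows Security
# toggle, which sends samples deemed safe without prompting (SendSafeSamples);
# SendAllSamples is the stricter option, NeverSend turns it off.
Set-MpPreference -SubmitSamplesConsent SendSafeSamples

# Verify the effective configuration rather than trusting the set calls.
$prefs = Get-MpPreference | Select-Object MAPSReporting, SubmitSamplesConsent
$prefs

if ($prefs.MAPSReporting -ne 2 -or $prefs.SubmitSamplesConsent -eq 2) {
    Write-Warning 'Cloud protection or sample submission is not enabled as recommended'
}
```

Organisations that manage these values through Group Policy or Intune will see Set-MpPreference overridden by policy; in that case the Get-MpPreference check is still the right way to confirm what the endpoint is actually enforcing.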