Microsoft Acknowledges Zero-Day, Follina Office Vulnerability, Suggests Fix

by admin 0 Comments

Security
Share on Facebook
Share on Twitter
Share on Pinterest
Share on LinkedIn
Share on Facebook
Share on Twitter
Share on Pinterest
Share on LinkedIn

Microsoft released an advisory on Monday acknowledging the zero-day Office flaw dubbed ‘Follina’ and suggested a possible fix for it.

The document assigned the vulnerability the identifier CVE-2022-30190 and a rating of 7.8 out of 10 on the Common Vulnerability Scoring System (CVSS) on the basis that its exploitation may enable malicious actors to achieve code execution on affected systems.

“An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application,” Microsoft wrote.

From a technical standpoint, the malicious document used the Word remote template feature to download an HTML file from a remote server, which then used the MSDT (Microsoft Support Diagnostic Tool) URL Protocol to load some code and enable the execution of a PowerShell session.

“The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights.”

In the advisory, Microsoft thanked crazyman, a member of the Shadow Chaser Group, for spotting and reporting the flaw back in April.

The vulnerability was then reportedly uploaded from an IP address in Belarus to the VirusTotal malware scanning service in May and analyzed by security researcher Kevin Beaumont (nao_sec), who named it “Follina” after the eponymous Italian village, as the malicious file reference (0438) was the same as the village’s area code.

Writing in the advisory, Microsoft also suggested a possible fix, which essentially consists of disabling the MSDT URL Protocol altogether.

“Disabling MSDT URL protocol prevents troubleshooters being launched as links including links throughout the operating system.”

In other words, if the calling application is a Microsoft Office application, by default, Microsoft Office will documents from the internet in ‘Protected View’ or ‘Application Guard for Office’, both of which stop the Follina attack.

“Troubleshooters can still be accessed using the Get Help application and in system settings as other or additional troubleshooters,” Microsoft added.

Further, the technology giant recommended users relying on Microsoft Defender Antivirus turn on cloud-delivered protection and automatic sample submission.

“These capabilities use artificial intelligence and machine learning to quickly identify and stop new and unknown threats.”

This article was originally published by Infosecurity-magazine.com. Read the original article here.
Share on Facebook
Share on Twitter
Share on Pinterest
Share on LinkedIn

Products You May Like

Articles You May Like

Linux Cerber Ransomware Variant Exploits Atlassian Servers
Russia and Ukraine Top Inaugural World Cybercrime Index
OpenJS Foundation Targeted in Potential JavaScript Project Takeover Attempt
Intel and Lenovo BMCs Contain Unpatched Lighttpd Server Flaw
OfflRouter Malware Evades Detection in Ukraine for Almost a Decade

Leave a Reply

Your email address will not be published. Required fields are marked *