EXECUTIVE SUMMARY:

Microsoft has published mitigation guidance for a newly disclosed zero-day flaw that is already being exploited in the wild. The flaw lets attackers execute code remotely through a malicious Office document, and it affects current versions of Microsoft Office, including the most recent release.

Security researcher Kevin Beaumont dubbed the zero day “Follina” because the malicious sample referenced the number 0438, which is the telephone area code of Follina, Italy.

Mitigation for Office zero day

The vulnerability is a remote code execution flaw in the Microsoft Support Diagnostic Tool (MSDT). “CrazymanArmy” of the Shadow Chaser Group first reported it to Microsoft in April 2022.

Microsoft now tracks the bug as CVE-2022-30190. All Windows versions that still receive security updates are potentially affected (Windows 7 and later, Windows Server 2008 and later).

Zero day damage potential

Researchers at nao_sec observed the flaw being used to run malicious PowerShell commands through MSDT when a Word document is opened, or even when it is merely previewed, in what Microsoft describes as arbitrary code execution.

Says Microsoft, “An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application.” The attacker can then install programs; view, change or delete data; or create new accounts, all within the limits of the victim user’s rights.

Organizations with Microsoft Defender for Endpoint (Microsoft 365 E5) can hunt for exploitation with the advanced hunting query Microsoft published for this flaw. In addition, the Attack Surface Reduction (ASR) rule that blocks Office applications from creating child processes can stop the exploit from spawning msdt.exe in the first place.

From Microsoft, a workaround

According to Microsoft, administrators and individual users can preempt attacks exploiting CVE-2022-30190 by disabling the ms-msdt: URL protocol handler. With the handler removed, a malicious document can no longer launch a troubleshooter through an ms-msdt: link, which is what gives the attacker code execution.

The process for disabling the MSDT URL protocol on a Windows device is as follows:

  1. Run Command Prompt as an Administrator.
  2. Back up the registry key: “reg export HKEY_CLASSES_ROOT\ms-msdt ms-msdt.reg”
  3. Delete the key: “reg delete HKEY_CLASSES_ROOT\ms-msdt /f”

Once Microsoft issues a CVE-2022-30190 patch, administrators can undo the workaround from an elevated Command Prompt by running “reg import ms-msdt.reg”, using the backup file created in step 2 above.
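The following PowerShell script is an added example, not code from the CyberTalk article or from Microsoft’s advisory. It applies and verifies the two mitigations described on this page: it removes the ms-msdt: handler (with the same backup-then-delete steps as the procedure above), enables the ASR rule that blocks Office applications from creating child processes, and reports whether both are in place, with a restore function for after the patch ships. The backup path and function names are the author’s own choices; the rule GUID is the one Microsoft documents for “Block all Office applications from creating child processes” and should be confirmed against Microsoft’s ASR rule reference before deployment.

```powershell
# Added example (not from the article or from Microsoft): apply and verify the
# CVE-2022-30190 mitigations described above. Run from an elevated PowerShell
# on a Windows host with Microsoft Defender Antivirus.
#Requires -RunAsAdministrator

# Assumption: backup location chosen for this example.
$BackupFile = Join-Path $env:ProgramData 'ms-msdt.reg'

# GUID Microsoft documents for the ASR rule "Block all Office applications from
# creating child processes". Confirm against the ASR rule reference before use.
$OfficeChildProcRule = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'

function Disable-MsdtHandler {
    # Same order as the manual procedure: export the key, then delete it.
    # Refuse to delete if the backup did not get written.
    if (Test-Path 'Registry::HKEY_CLASSES_ROOT\ms-msdt') {
        reg.exe export 'HKEY_CLASSES_ROOT\ms-msdt' $BackupFile /y | Out-Null
        if (-not (Test-Path $BackupFile)) {
            throw "Backup to $BackupFile failed; leaving ms-msdt handler in place"
        }
        reg.exe delete 'HKEY_CLASSES_ROOT\ms-msdt' /f | Out-Null
    }
}

function Restore-MsdtHandler {
    # Undo the workaround once the patch is installed.
    if (-not (Test-Path $BackupFile)) { throw "No backup found at $BackupFile" }
    reg.exe import $BackupFile | Out-Null
}

function Enable-OfficeChildProcessBlock {
    # Add-MpPreference merges the rule into the existing ASR configuration
    # rather than replacing it. 'Enabled' means block mode.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $OfficeChildProcRule `
                     -AttackSurfaceReductionRules_Actions Enabled
}

function Test-FollinaMitigations {
    # Returns an object whose two fields should both be $true after the
    # functions above have run.
    $pref = Get-MpPreference
    $ids  = @($pref.AttackSurfaceReductionRules_Ids)
    $acts = @($pref.AttackSurfaceReductionRules_Actions)
    $blocking = $false
    for ($i = 0; $i -lt $ids.Count; $i++) {
        # Action values: 0 = Disabled, 1 = Block (Enabled), 2 = Audit.
        if ($ids[$i] -ieq $OfficeChildProcRule -and $acts[$i] -eq 1) { $blocking = $true }
    }
    [pscustomobject]@{
        MsdtHandlerRemoved        = -not (Test-Path 'Registry::HKEY_CLASSES_ROOT\ms-msdt')
        OfficeChildProcessBlocked = $blocking
    }
}

# Usage: apply both mitigations, then print the status object.
Disable-MsdtHandler
Enable-OfficeChildProcessBlock
Test-FollinaMitigations
```

Run Restore-MsdtHandler from the same elevated session after the patch is installed; the ASR rule can stay enabled, since it is a general hardening measure independent of this flaw. Note that neither change affects the Explorer Preview pane, which is discussed separately below.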

Although Microsoft notes that Office Protected View and Application Guard for Office can block CVE-2022-30190 attacks, outside analysts found that those protections do not apply when the target merely previews the malicious document in the Windows Explorer Preview pane, since the document is never opened in Office.

Experts therefore also advise administrators to disable the Preview pane in Windows Explorer to close that vector.

More zero day bug information

The first attacks exploiting this zero day emerged as long as seven weeks ago. The bug came to light after researchers discovered a malicious Word document uploaded to VirusTotal from an IP address in Belarus.

The attack begins with phishing; lures observed so far include invitations to Sputnik Radio interviews and sextortion threats.

For more information about this threat, see BleepingComputer’s coverage, or check back later for an updated version of this article. To receive cyber security news, exclusive interviews, expert analyses and security resources, sign up for the CyberTalk.org newsletter.