In a nutshell: Follina doesn't require elevated privileges or Office macros to be enabled, and at the time of disclosure it was not detected by Windows Defender. It works on most fully updated Office versions and operating systems, with researchers stating that it can be exploited even when a user merely selects a malicious file in Windows Explorer.
Researchers have just disclosed a new zero-day vulnerability in Microsoft Office, which the infosec community has dubbed Follina (tracked as CVE-2022-30190). It allows attackers to execute PowerShell commands via the Microsoft Support Diagnostic Tool (MSDT) once a malicious Word document is opened.
What makes this vulnerability particularly dangerous is that it completely bypasses Windows Defender detection, works without elevated privileges, and doesn't require Office macros to be enabled. So far it has been confirmed to be present in Office 2013, 2016, 2019 and 2021, and in some versions included with a Microsoft 365 license, on both Windows 10 and 11.
A number of people have pointed out that Protected Mode is required when opening the Word doc. Just a reminder that formatting as a Rich Text File allows exploitation when Explorer's preview pane option is enabled (no Enable Editing button either 😉 #Follina #MSDT
— Kyle Hanslovan (@KyleHanslovan) May 30, 2022
As Kevin Beaumont explains, the malicious document uses Word's remote template feature to retrieve an HTML file from a remote web server. That HTML, in turn, uses the ms-msdt: MSProtocol Uniform Resource Identifier (URI) scheme to launch MSDT, which ends up executing the attacker's PowerShell code.
Protected View, a feature that warns users about files from potentially unsafe locations, does kick in and flags the document as potentially malicious. However, by converting the document to Rich Text Format (RTF), the vulnerability can be exploited merely by selecting the file (without opening it) if Windows Explorer's preview pane option is enabled.
It says pic.twitter.com/Z2AN7nq6hr
— crazyman_army (@CrazymanArmy) May 30, 2022
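The chain described above leaves two static indicators a defender can look for without ever opening the file: an attached-template relationship in the .docx (or a \template destination in an RTF) whose target is an http(s) URL, and an ms-msdt: URI in whatever HTML that URL serves. The following is an added triage example written for this page; it is not code from the article, from Kevin Beaumont or from Huntress. The .docx fixture, the example.invalid URLs, the EXAMPLE_PACK placeholder and the RTF snippet are all constructed here, and the HTML sample deliberately contains no working payload.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# OOXML relationship namespace and the relationship type Word uses for an
# attached template (referenced from word/settings.xml, stored in
# word/_rels/settings.xml.rels).
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")

# An ms-msdt: URI embedded in the fetched HTML; stop at quotes/angle brackets.
MSDT_URI = re.compile(r"""ms-msdt:[^"'<>\r\n]*""", re.IGNORECASE)

# RTF carries the same remote-template pointer in a \template destination.
RTF_TEMPLATE = re.compile(r"\\template\s+([^}\s]+)", re.IGNORECASE)


def external_template_targets(docx_bytes: bytes) -> list:
    """Return every attachedTemplate relationship target with
    TargetMode="External" found in any .rels part (a .docx is a zip of XML)."""
    targets = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter("{%s}Relationship" % REL_NS):
                if (rel.get("Type") == ATTACHED_TEMPLATE
                        and rel.get("TargetMode", "").lower() == "external"):
                    targets.append(rel.get("Target", ""))
    return targets


def triage_docx(docx_bytes: bytes) -> dict:
    """Separate remote (http/https) template targets, the Follina indicator,
    from other external targets such as a legitimate local file:// template."""
    ext = external_template_targets(docx_bytes)
    remote = [t for t in ext if urlparse(t).scheme.lower() in ("http", "https")]
    return {"external_templates": ext, "remote_templates": remote}


def msdt_uris(html_text: str) -> list:
    """Return ms-msdt: URIs found in HTML served as the remote template."""
    return [m.group(0) for m in MSDT_URI.finditer(html_text)]


def rtf_template_targets(rtf_text: str) -> list:
    """Return remote \\template targets in an RTF file (the preview-pane variant)."""
    return [t for t in RTF_TEMPLATE.findall(rtf_text)
            if urlparse(t).scheme.lower() in ("http", "https")]


def build_sample_docx(template_url=None) -> bytes:
    """Constructed fixture, not a real sample: a minimal .docx whose settings
    part points at template_url as an external attached template (or at none)."""
    rels = ['<?xml version="1.0" encoding="UTF-8" standalone="yes"?>',
            '<Relationships xmlns="%s">' % REL_NS]
    if template_url:
        rels.append('<Relationship Id="rId1" Type="%s" Target="%s" '
                    'TargetMode="External"/>' % (ATTACHED_TEMPLATE, template_url))
    rels.append("</Relationships>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml",
                   '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("word/document.xml", "<document/>")
        z.writestr("word/settings.xml", "<settings/>")
        z.writestr("word/_rels/settings.xml.rels", "".join(rels))
    return buf.getvalue()


# Constructed samples: EXAMPLE_PACK / EXAMPLE are placeholders, not a payload.
SAMPLE_HTML = ('<html><body><script>\n'
               'window.location.href = "ms-msdt:/id EXAMPLE_PACK /skip force /param EXAMPLE";\n'
               '</script></body></html>')
SAMPLE_RTF = r"{\rtf1\ansi{\*\template http://example.invalid/remote.html}\pard Hello\par}"

if __name__ == "__main__":
    print(triage_docx(build_sample_docx("http://example.invalid/payload.html")))
    print(triage_docx(build_sample_docx("file:///C:/Templates/Normal.dotm")))
    print(msdt_uris(SAMPLE_HTML))
    print(rtf_template_targets(SAMPLE_RTF))
```

The split between external and remote targets matters in practice: corporate templates are often attached via a UNC or file:// path with TargetMode="External", so alerting on every external template produces noise, while an http(s) target in a document that arrived by email is worth quarantining before anyone previews it. Because the RTF variant fires from Explorer's preview pane, run the RTF check on the file at rest rather than relying on what Word would do once the document is opened.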
Interestingly, Microsoft was informed of this vulnerability in April but decided to dismiss the report, saying the company could not reproduce it.
Huntress Labs, a cybersecurity firm, says it expects attackers to exploit Follina through email-based delivery and warns people to be vigilant about opening any attachments until the vulnerability gets patched. Microsoft's published interim workaround is to unregister the ms-msdt: protocol handler by backing up and then deleting the HKEY_CLASSES_ROOT\ms-msdt registry key, which breaks the chain between the HTML and MSDT regardless of how the document reaches the machine.