SECRET OF CSS

A Severe Zero-Day Vulnerability Riddles Microsoft Office


Researchers discovered a security issue affecting Microsoft Office that could allow remote code execution attacks. The vulnerability caught the attention as a zero-day as researchers noticed it under attack, targeting Microsoft Office apps.

Microsoft Office Zero-Day

A security researcher with the alias crazymanarmy from the Shadow Chaser Group recently reported a serious Microsoft Office vulnerability. Exploiting the vulnerability via maliciously crafted Office files like Word documents allows an adversary to wage a remote code execution attack.

Following this disclosure, an independent cybersecurity research team named “nao_sec” labeled this Microsoft Office vulnerability as a zero-day. A malicious Word file submission from Belarus on VirusTotal depicts that the threat actors had already exploited the flaw.

In addition, numerous other researchers also analyzed the vulnerability to share the exploit details. Dubbing it “Follina”, the researcher Kevin Beaumont shared a detailed write-up elaborating on how a malicious Word document in the wild missed Microsoft Defender for Endpoint detection.

Beaumont also highlighted how the attack existed in the wild since April, involving numerous Russian threat actors. Likewise, the researcher Will Dormann also shared a detailed thread on Twitter elaborating on the exploit.

Although, according to Beaumont, Microsoft knew of the vulnerability earlier, however, the tech giant didn’t consider it an issue. Yet, the Redmond giant has now acknowledged the vulnerability officially.

Describing the vulnerability in an explanatory blog post, Microsoft stated,

A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word. An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights.

Recommended Mitigations

This vulnerability has received the identification ID CVE-2022-30190. Microsoft labeled it as a high-severity vulnerability that attained a CVSS score of 7.8.

Currently, no permanent fix for the vulnerability exists. However, the tech giant has shared a workaround to avoid exploits that involves disabling the MSDT URL Protocol.

In addition, Dormann advises users to disable the “Preview” pane in Windows Explorer since it adds to the exploit. He demonstrated such an attack in a short video.

Besides, Microsoft confirms strengthening its Defender Antivirus to detect and prevent the threat with the following signatures.

  • Trojan:Win32/Mesdetty.A  (blocks msdt command line)
  • Trojan:Win32/Mesdetty.B  (blocks msdt command line)
  • Behavior:Win32/MesdettyLaunch.A!blk (terminates the process that launched msdt command line)
  • Trojan:Win32/MesdettyScript.A (to detect HTML files that contain msdt suspicious command being dropped)
  • Trojan:Win32/MesdettyScript.B (to detect HTML files that contain msdt suspicious command being dropped)

Let us know your thoughts in the comments.





News Credit

%d bloggers like this: