Security researchers warned of exploitation noticed in the network, which Microsoft confirmed. So it looks like Windows and Office are affected by a zero-day vulnerability.
Windows has a security hole. It’s tracked as CVE-2022-30190. “nao-sec” reported a malicious Word file that anybody can use to execute arbitrary PowerShell code. It looks like Belarus is a source of this file because it was uploaded to VirusTotal from that country.
One of the first who analyzed the exploit was researcher Kevin Beaumont. He named it “Follina” because the malicious file references 0438, the area code for the Italian village of Follina.
Unfortunately, Microsoft has known about the vulnerability since April. “CrazymanArmy” of the Shadow Chaser Group, a research team focusing on APT hunting and analysis, notified Microsoft about this vulnerability.
Moreover, Microsoft initially classified it as “not a security-related issue”.
According to Microsoft, the “issue has been fixed,” but a patch does not appear to be available.
Even though initially this was described as a Microsoft Office zero-day vulnerability, Microsoft clarified that Follina affects the Microsoft Support Diagnostic Tool (MSDT). MSDT collects user/device information and sends it to Microsoft support.
Cybercriminals could use this vulnerability to run a code, install/change/delete data, or modify accounts.
According to Microsoft (advisory for CVE-2022-30190):
A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word. An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights,
In the past, most exploits used macros to execute some code. Currently, it’s even worse because this attack does not use macros. Therefore, regardless macros are enabled or not, the malicious code can be executed.
Everything gets even more interesting because Beaumont noticed an invitation to an interview with Sputnik Radio that is supposed to work as bait and target Russian users.
Researchers have confirmed that exploitation works against multiple versions of Microsoft Office:
- Office Pro Plus,
- Office 2013,
- Office 2016,
- Office 2019
- Office 2021.
What is more, Microsoft informed that this vulnerability affects Windows Operating Systems:
- Windows 7,
- Windows 8.1,
- Windows 10,
- Windows 11,
- Windows Server 2008,
- Windows Server 2012,
- Windows Server 2016,
- Windows Server 2019,
- Windows Server 2022.
Nonetheless, if you update your system regularly, you should be safe. New Defender updates should detect and block files associated with this vulnerability. Still, to be safe, it’s good to check Microsoft’s guidance regarding this remote code execution vulnerability, including workarounds – Microsoft guidance
Various cybersecurity firms have published an analysis of the exploit:
- Huntress,
- Malwarebytes,
- Sophos,
- …
It’s also possible to find online proof-of-concept (PoC) exploits.