Cybersecurity experts are raising the alarm about a Zero-day remote code execution vulnerability in Microsoft Office, which has been dubbed “Follina”. It surfaced after the nao_sec team came across the 05-2022-0438.doc Word file, which was submitted to the VirusTotal from a Belorussian IP address.
This vulnerability allows an attacker to run arbitrary code with the privileges of the calling application. Microsoft Support Diagnostic Tool (MSDT) is called using the URL protocol from an application such as Microsoft Word. The attacker can then install programs, view, change, or delete data, or create new accounts as allowed by the user’s rights. The biggest problem is that Word will run the code with MSDT even if the macros are disabled. This has been demonstrated despite claims by Microsoft that Protected View or Application Guard could prevent a current attack.
This vulnerability affects all supported Windows versions and several Office versions, including Office 2013, 2016, and 2021. Unfortunately, no known patch is available, as infected files delivered through email or other initial access methods do not trigger an Antivirus/EDR response. The temporary solution offered by Microsoft includes Defender for Endpoint attack surface reduction rule, and Defender Antivirus build 1.367.719.0 or newer.
It is reported that the following Microsoft 365 Defender alerts might indicate exploitation of this vulnerability: Suspicious behavior by an Office application, and Suspicious behavior by Msdt.exe.
We are now waiting for immediate actions from the security vendors. In the meantime, we can use POC code samples that help identify exposure to respond to the threat promptly. These samples are already publicly available on GitHub.
Stay with Soteryan for timely and actionable advice on malware, Zero-day vulnerabilities, and more cybersecurity expertise from your reliable partner.