A zero-day remote code execution vulnerability in Microsoft Office has come to light, and is considered very serious with a 7.8 out of 10 on the Common Vulnerability Scoring System (CVSS) due to potential for code execution if a victim opens a malicious document in Word.
Microsoft has not patched the issue, but is disclosing it to the public with the suggestion of a possible fix: disabling a protocol that allows the Microsoft Support Diagnostic Tool (MSDT) to be launched as a link. The vulnerability has reportedly been exploited in the wild since April.
Zero-day in Office technically a “zero click,” but malicious file must be selected
The zero-day remote code execution vulnerability has been named “Follina” after an Italian countryside village that shares an area code with the malicious file reference. The vulnerability was actually outlined in a bachelor’s thesis in August 2020, and Microsoft security patched out a similar remote code execution flaw in Microsoft Teams in August 2021 (but did not patch Office or MSDT). The possibility of using MSDT for a zero-day was once again raised in an independent security researcher’s blog in March of this year, and the first exploitation of the technique was observed by an advanced persistent threat (APT) monitoring group in April. This was reported to Microsoft, but the ticket was closed fairly quickly and dismissed as not being a security concern.
After further uses of the vulnerability for remote code execution in the wild were reported in May, Microsoft finally took action and classified it as a zero-day vulnerability on May 31 (CVE-2022–30190). CISA has also issued an advisory about it, and it has been added to the VirusTotal malware scanning service. Microsoft also retroactively acknowledged the original researcher who filed the first report in April.
The vulnerability abuses the ability of MSDT to load other assistant “wizards” in Windows, which in turn have the ability to execute arbitrary code from a remote location. The chain of compromise starts with a malicious document sent to the target, which loads an HTML file from a remote server in Word, which then exploits the MSDT URL Protocol to execute code and run a PowerShell session that gives the attacker privileged access to the target system. The attacker is able to view and edit files, install programs and create new user accounts to the limit of the compromised user’s access rights.
The initial versions spotted in the wild required the target to open the malicious document in Word, but security researchers have since come up with a variant using Rich Text Format (.RTF) that works if the user simply selects the file in Windows Explorer (essentially making it a zero click vulnerability). Microsoft has yet to issue a patch, but suggests that disabling the MSDT URL Protocol will cut off the attack sequence (which involves editing of a registry key). The MSDT is not a necessity for most Windows users, but can still be accessed if needed via the “Get Help” application or through system settings.
Casey Ellis, Founder and CTO at Bugcrowd, provided some added firsthand insight on the seriousness level of this threat: “I watched Follina unfold over the weekend. It appears to be trivially exploitable, and very powerful/flexible in the security context of the logged in user given its ability to bypass Windows Defender. It’s also particularly dangerous in that Microsoft Macros are the typical focus for code execution payloads via Microsoft Office products, so user awareness training on “Not Enabling Macros” doesn’t mitigate the risk.”
Remote code execution vulnerability being used by nation-state threat groups
Security researchers believe the April attack involved targets in Russia, and remote code execution attacks logged in May were used against targets in Belarus. Other incidents indicate that Chinese APT groups may have adopted the zero-day in their attacks.
One of the targets in Russia was sent a malicious document purporting to be an invitation to come to a job interview at Sputnik Radio, a state-owned news agency. Another attacker claimed to have photos of the target engaged in an extramarital affair. Yet another attacker is posing as the “Women Empowerments Desk” of the Central Tibetan Administration; this has led security researchers to believe that Chinese threat groups have taken the attack up. Researchers see evidence of APT group TA413 being involved, a group that has been highly active in phishing organizations doing Covid-19 research and that is known to target Tibetan dissidents.
The zero-day vulnerability does not necessarily work in all versions of Office. At this point, remote code execution has been verified in Office 2013, 2016, 2019, 2021, ProPlus, and 365. Other versions are still being tested.
Anton Ovrutsky, Adversarial Collaboration Engineer at LARES Consulting, notes that even though Microsoft has begun to make moves to curb vulnerabilities in macros, Office is still a highly vulnerable environment: “Microsoft Office products present threat actors with an attractive attack surface as employees are constantly working with various documents as part of their job responsibilities. Although Microsoft has implemented several hardening changes – including disabling macro functionality by default in the latest Office versions – this recent zero-day demonstrates not only the large attack surface found in Office but also the need to properly harden and monitor Office applications on the endpoint level, from a detection and response standpoint. Having Office-specific telemetry available, through free products like Sysmon or commercial endpoint detection and response (EDR) products provides organizations with the ability to track malicious Office activity, regardless of whether a particular attack is known or a zero-day.”
Microsoft has yet to issue an official patch for the zero-day that puts an end to the possibility of remote code execution, but an unofficial patch has been made available from the 0patch micropatching service. The patch removes the possibility of abuse of the Windows diagnostic wizards without disabling MSDT in any way. It is currently available for Windows Server 2008 R2, Windows 7, most recent versions of Windows 10 and Windows 11 v21H2.