Vulnerability
Follina: New Zero-day RCE in Microsoft Office
Several security researchers have discovered an active campaign targeting a new zero-day vulnerability (Microsoft Office ms-msdt Protocol Handler Arbitrary Code Execution (Follina), CVSS score of 9.3) that allows code execution in Microsoft Office products. Microsoft Office contains a flaw that is triggered when the Microsoft Support Diagnostic Tool (MSDT) is invoked via the ‘ms-msdt’ protocol scheme. Researchers found that the zero-day exploit embedded in a Word document first loads a HyperText Markup Language (HTML) file from a remote web server. It then uses the MSDT diagnostics tool handler, which is registered for the ms-msdt protocol scheme, to execute Windows PowerShell code. This vulnerability can be exploited even when Office macros are disabled and without any interaction from the user. Currently, this exploit can bypass Microsoft Defender for Endpoint. There is no assigned CVE, and no update or patch available at this time.
Recommendations:
- If an organization is utilizing Microsoft Defender’s Attack Surface Reduction (ASR) rules, activating the rule “Block all Office applications from creating child processes” in Block mode will prevent this from being exploited.
- Another option is to remove the file type association for ms-msdt (this can be done in the Windows Registry under HKCR:\ms-msdt). When the malicious document is opened, Office will not be able to invoke ms-msdt, which prevents the malware from running.
- Security researchers have shared Defender for Endpoint queries and Sigma/YARA rules to detect exploitation of this vulnerability. Organizations can use these to create custom detection rules or to proactively hunt for any related incident.
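The two workarounds above, applied and verified on a single Windows host, as an added PowerShell example (not the advisory's own code). It assumes an elevated session and a C:\Backup folder for the registry export; the ASR rule GUID is Microsoft's published ID for "Block all Office applications from creating child processes".

```powershell
# Added example, not from the advisory: apply both Follina workarounds and verify them.
# Run from an elevated PowerShell session on the host being hardened.
$BackupDir = 'C:\Backup'                                   # assumed location for the registry export
$RuleId    = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'        # ASR: Block all Office apps from creating child processes

# --- 1. ASR rule: enable it in Block mode, then read the setting back to confirm ---
Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleId -AttackSurfaceReductionRules_Actions Enabled
$pref  = Get-MpPreference
$ids   = @($pref.AttackSurfaceReductionRules_Ids | ForEach-Object { $_.ToUpper() })
$index = [array]::IndexOf($ids, $RuleId.ToUpper())
# Action values reported by Get-MpPreference: 0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn
if ($index -ge 0 -and $pref.AttackSurfaceReductionRules_Actions[$index] -eq 1) {
    Write-Host "ASR rule $RuleId is in Block mode"
} else {
    Write-Warning "ASR rule $RuleId is NOT in Block mode (check Defender management or licensing)"
}

# --- 2. ms-msdt handler: export the key for rollback, then delete it so Office cannot invoke MSDT ---
$KeyPath = 'Registry::HKEY_CLASSES_ROOT\ms-msdt'
if (Test-Path $KeyPath) {
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    $backup = Join-Path $BackupDir 'ms-msdt.reg'
    # "reg import C:\Backup\ms-msdt.reg" restores the handler once a patch is available
    reg.exe export 'HKEY_CLASSES_ROOT\ms-msdt' $backup /y | Out-Null
    if (-not (Test-Path $backup)) { throw "Backup failed; refusing to delete $KeyPath" }
    Remove-Item -Path $KeyPath -Recurse -Force
}
if (Test-Path $KeyPath) {
    Write-Warning 'ms-msdt protocol handler is still registered'
} else {
    Write-Host 'ms-msdt protocol handler removed'
}
```

Keep the exported .reg file with your change records so the handler can be restored after patching.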
Sources:
- https://vulndb.cyberriskanalytics.com/vulnerabilities/291399
- https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e
- https://twitter.com/nao_sec/status/1530196847679401984
- https://www.huntress.com/blog/microsoft-office-remote-code-execution-follina-msdt-bug
- https://twitter.com/fstenv/status/1531233159412596737
- https://www.youtube.com/watch?v=GybD70_rZDs