Cybersecurity researchers are calling consideration to a zero-day flaw in Microsoft Workplace that might be abused to realize arbitrary code execution on affected Home windows techniques.
The vulnerability got here to gentle after an impartial cybersecurity analysis group referred to as nao_sec uncovered a Phrase doc (“05-2022-0438.doc”) that was uploaded to VirusTotal from an IP handle in Belarus.
“It makes use of Phrase’s exterior hyperlink to load the HTML after which makes use of the ‘ms-msdt’ scheme to execute PowerShell code,” the researchers famous in a sequence of tweets final week.
In accordance with safety researcher Kevin Beaumont, who dubbed the flaw “Follina,” the maldoc leverages Phrase’s distant template function to fetch an HTML file from a server, which then makes use of the “ms-msdt://” URI scheme to run the malicious payload.
The shortcoming has been so named as a result of the malicious pattern references 0438, which is the world code of Follina, a municipality within the Italian metropolis of Treviso.
MSDT is brief for Microsoft Assist Diagnostics Device, a utility that is used to troubleshoot and gather diagnostic knowledge for evaluation by help professionals to resolve an issue.
“There’s quite a bit occurring right here, however the first downside is Microsoft Phrase is executing the code by way of msdt (a help instrument) even when macros are disabled,” Beaumont defined.
“Protected View does kick in, though in case you change the doc to RTF kind, it runs with out even opening the doc (by way of the preview tab in Explorer) not to mention Protected View,” the researcher added.
In a standalone evaluation, cybersecurity firm Huntress Labs detailed the assault stream, noting the HTML file (“RDF842l.html”) that triggers the exploit originated from a now-unreachable area named “xmlformats[.]com.”
“A Wealthy Textual content Format file (.RTF) might set off the invocation of this exploit with simply the Preview Pane inside Home windows Explorer,” Huntress Labs’ John Hammond stated. “Very like CVE-2021-40444, this extends the severity of this menace by not simply ‘single-click’ to take advantage of, however doubtlessly with a ‘zero-click’ set off.”
A number of Microsoft Workplace variations, together with Workplace, Workplace 2016, and Workplace 2021, are stated to be affected, though different variations are anticipated to be susceptible as nicely.
What’s extra, Richard Warren of NCC Group managed to exhibit an exploit on Workplace Skilled Professional with April 2022 patches operating on an up-to-date Home windows 11 machine with the preview pane enabled.
“Microsoft are going to wish to patch it throughout all of the totally different product choices, and safety distributors will want strong detection and blocking,” Beaumont stated. We now have reached out to Microsoft for remark, and we’ll replace the story as soon as we hear again.