The Follina Vulnerability
Attackers can execute malicious code on targeted devices thanks to a zero-day vulnerability in the remote Word template feature of Microsoft Office.
The Japanese security company Nao Sec issued the alert by tweeting about the zero-day vulnerability over the weekend. According to reports, the malicious software downloads itself from remote sites and evades detection by Microsoft’s Defender anti-virus scanner.
The Follina Exploit
Kevin Beaumont, a renowned security researcher, discovered the flaw and gave it the name “Follina”. He said that the zero-day code makes a reference to the 0438 area code of Follina, which is located in Italy. According to Beaumont, the vulnerability makes use of the remote template capability in Microsoft Word and does not rely on the normal macro-based exploit vector that is common inside Office-based attacks.
A real example of the problem was reportedly discovered in a Word document template, and it leads to an internet protocol (IP) address located in the Republic of Belarus.
It is not known whether the zero-day flaw has been actively exploited by malicious parties. There are unverified rumors that proof-of-concept code already exists and that more recent versions of Microsoft Office are also susceptible to attack. In the meantime, security experts have said that, in lieu of installing a patch, users can reduce the risk of attack by applying Microsoft’s Attack Surface Reduction measures.
Researchers from Nao Sec say that the malicious template loads an exploit from a remote site using a hypertext markup language (HTML) file; this is the path that leads to infection. The HTML uses the MSProtocol URI scheme known as “ms-msdt” to load and run a portion of PowerShell code.
According to Beaumont’s findings, the vulnerability enables the code to execute via the Microsoft Support Diagnostic Tool (MSDT) “even if macros are deactivated”. MSDT is a program that collects reports and information that are then sent to Microsoft Support. This troubleshooting wizard then analyzes the information obtained, which can be used to find a solution to the issues the user is having.
Beaumont confirmed that the vulnerability currently affects older versions of Microsoft Office, 2013 and 2016, and that endpoint detection systems “missed” the execution of the malware.
Didier Stevens, another security researcher, said that he exploited the Follina problem on a fully patched version of Office 2021.
Microsoft customers with E5 licenses can identify the vulnerability by running the endpoint query in Defender. In addition, Warren recommends using the Attack Surface Reduction (ASR) rules to prevent Office applications from spawning child processes.
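The infection path described above (a remote template relationship inside the document, and an HTML file carrying an “ms-msdt” URI) can be triaged statically before a file is opened. The following added example, not from the article or from any of the researchers it cites, inspects the relationships part of a .docx for an external attached template and scans fetched HTML for the ms-msdt scheme; the sample document and HTML are constructed inline and carry placeholder targets only.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Namespaces used by Office Open XML relationship parts.
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
SETTINGS_RELS = "word/_rels/settings.xml.rels"


def find_remote_templates(docx_bytes):
    """Return attachedTemplate targets whose TargetMode is External.

    A local template is normal; a remote (http/https) template is the
    remote-template feature the Follina chain abuses and deserves review.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if SETTINGS_RELS not in z.namelist():
            return hits
        root = ET.fromstring(z.read(SETTINGS_RELS))
        for rel in root.iter(f"{{{REL_NS}}}Relationship"):
            if (rel.get("Type") == ATTACHED_TEMPLATE
                    and rel.get("TargetMode") == "External"):
                hits.append(rel.get("Target"))
    return hits


def find_msdt_references(html_text):
    """Return every ms-msdt: URI found in HTML fetched as a remote template."""
    return re.findall(r"ms-msdt:[^\s'\"<>]+", html_text, flags=re.IGNORECASE)


def build_sample_docx(template_target, external=True):
    """Constructed minimal .docx holding only the relationships part we inspect."""
    mode = ' TargetMode="External"' if external else ""
    rels = (f'<?xml version="1.0" encoding="UTF-8"?>'
            f'<Relationships xmlns="{REL_NS}">'
            f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
            f'Target="{template_target}"{mode}/></Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(SETTINGS_RELS, rels)
    return buf.getvalue()


if __name__ == "__main__":
    # Placeholder URL and constructed HTML; neither points at real content.
    print(find_remote_templates(build_sample_docx("http://example.invalid/t.html")))
    print(find_msdt_references('<script>location.href="ms-msdt:/constructed";</script>'))
```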