Nao_Sec cybersecurity researchers state the “odd-looking” MS Word document was uploaded on VirusTotal from a Belarus IP address.
Independent cybersecurity research group Nao_Sec has revealed startling details of a new zero-day vulnerability identified in Microsoft Office. Dubbed Follina, the flaw can be exploited in the wild, researchers claim.
According to researchers, the flaw is so named because the malicious sample contains the reference 0438, the area code of Follina, a municipality in Treviso, Italy.
How Was the Flaw Discovered?
On May 27th, a Nao_Sec researcher posted on Twitter about discovering an odd-looking Word file titled 05-2022-0438.doc uploaded to VirusTotal from a Belarus-based IP address. The team, including researcher Kevin Beaumont, then started examining the malware.
Details of the Vulnerability
Further probing revealed that the zero-day could be abused to achieve arbitrary code execution on vulnerable devices running Windows OS. On their Twitter handle and in the blog post, Nao_Sec researchers explained that the attackers used MS Word’s external link to load the HTML and then used the ‘ms-msdt’ scheme to execute PowerShell code.
“The document uses the Word remote template feature to retrieve a HTML file from a remote web server, which in turn uses the ms-msdt MSProtocol URI scheme to load some code and execute some PowerShell… That should not be possible.” - Beaumont
The Microsoft Support Diagnostic Tool (MSDT) is a utility that collects diagnostic data for support experts to analyze when troubleshooting an issue. Typically, malicious MS Word documents execute code through macros. In this case, however, the Nao_Sec research team learned that the code gets executed even when macros are disabled.
Moreover, Microsoft Defender cannot prevent the execution for now, and Beaumont reported that Protected View isn’t activated even when the file is changed to RTF form, and that the code runs even without opening the file.
Besides Kevin Beaumont, other researchers, including Didier Stevens and NCC Group’s Rich Warren, confirmed that this zero-day flaw could be exploited remotely to execute arbitrary code on various versions of MS Office and MS Windows.
Beaumont tested the flaw against numerous Office versions such as Office Pro Plus, Office 2013, Office 2016, and Office 2021 and found that it didn’t work against the latest Office and Insider versions. This indicates Microsoft is working on a patch.
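The delivery chain described above (a Word external link that loads remote HTML, which then invokes the ‘ms-msdt’ scheme) leaves two artifacts a defender can check for. The following triage script is an added example, not code from Nao_Sec, Beaumont or Microsoft; it assumes the sample is an OOXML (ZIP) container rather than RTF, and the function names, the `oleObject` relationship type and the `example.invalid` URLs in the sample data are constructed for illustration.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET  # for bulk untrusted input, prefer defusedxml

REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
MSDT_RE = re.compile(rb"ms-msdt\s*:", re.IGNORECASE)

def external_targets(doc_bytes):
    """Return (part, rel_type, target) for each external relationship in an OOXML file."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(doc_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            try:
                root = ET.fromstring(zf.read(name))
            except ET.ParseError:
                hits.append((name, "unparseable", ""))  # malformed part: surface it
                continue
            for rel in root.iter(REL_NS + "Relationship"):
                if rel.get("TargetMode", "").lower() == "external":
                    rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                    hits.append((name, rel_type, rel.get("Target", "")))
    return hits

def triage(doc_bytes, fetched_html=b""):
    """Flag non-hyperlink remote references, and any ms-msdt: URI in retrieved HTML."""
    remote = [h for h in external_targets(doc_bytes)
              if h[1] != "hyperlink" and re.search(r"(?i)https?://", h[2])]
    return {"remote_refs": remote, "msdt_in_html": bool(MSDT_RE.search(fetched_html))}

def build_sample(rels_xml):
    """Constructed in-memory .docx skeleton holding only a relationships part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()

# Constructed sample data (placeholders only, no payload).
RELS = ('<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/'
        '2006/relationships/{t}" Target="{u}" TargetMode="External"/></Relationships>')
SUSPECT = build_sample(RELS.format(t="oleObject", u="https://example.invalid/page.html"))
BENIGN = build_sample(RELS.format(t="hyperlink", u="https://example.invalid/"))
SAMPLE_HTML = b'<script>location.href = "ms-msdt:CONSTRUCTED-PLACEHOLDER";</script>'

if __name__ == "__main__":
    print(triage(SUSPECT, SAMPLE_HTML))
    print(triage(BENIGN))
```

An external hyperlink is common in ordinary documents, so the script reports only non-hyperlink remote references; any hit is a lead for analyst review, not a verdict.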