With nearly $200 billion in annual sales, Microsoft is the world’s largest software and information technology (IT) vendor, its products widely used by both companies and consumers. That also makes it the biggest source of vulnerabilities targeted by hackers.
According to the U.S. Cybersecurity and Infrastructure Security Agency (CISA), more than a third of all actively exploited vulnerabilities so far this year have been flaws in Microsoft systems. That number reached almost 50% in February and May.
It’s a concerning situation, as these vulnerabilities affect widely used (and critical) programs such as Teams, Outlook, Office, SQL Server and Windows and Windows Server. Microsoft has made impressive strides as a security vendor, but some cybersecurity researchers say the software and cloud computing giant could do more to build security into its own products.
Last week, researchers found evidence that hackers are actively exploiting a zero-day vulnerability, dubbed “Follina,” that ultimately allows a remote code execution (RCE) in Windows with tricked Microsoft Office documents.
The malware loads itself from remote servers and bypasses Microsoft Defender, according to Nao Sec, a Japanese cybersecurity research team. Recorded as CVE-2022-30190, the vulnerability allows an attacker to “install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights.”
Microsoft published mitigation strategies on May 30. Users and administrators are strongly encouraged to disable the MSDT URL Protocol and read advisories carefully. Even the Preview pane in Windows Explorer should be disabled, as attackers can exploit an attack vector when the victims preview the infected documents.
Also read: Top Vulnerability Management Tools
Follina and the MSDT URL Protocol
The Microsoft Windows Support Diagnostic Tool (MSDT) is a hardware diagnostic tool provided by Windows to identify values or issues with hardware devices or software. According to Microsoft, all Windows versions that are still maintained (e.g., with security patches) are vulnerable to Follina.
To demonstrate the flaw, Nao Sec researchers created a document to abuse the Microsoft Word remote template feature and retrieve a malicious HTML file that subsequently used the ms-msdt Office URI scheme to execute PowerShell within the context of Word:
An attacker can thus exploit the flaw in Office to run arbitrary code “with the privileges of the calling application.” John Hammond, Cybersecurity Researcher at HuntressLabs, created a video to help people visualize the exploit.
To make matters worse, the infected documents would likely bypass EDR solutions. Indeed, there’s nothing malicious except the link to the remote HTML template that contains the payload:
Most demos end with the execution of calc.exe or notepad.exe, as it’s a classic proof of concept used during CTFs and cybersecurity awareness in general, but threat actors can do serious damage with that in real-world conditions.
See our picks for the Top EDR tools
Researcher Criticizes Microsoft’s Security Approach
Kevin Beaumont is the security researcher who named the vulnerability Follina and identified it as a zero-day publicly after Nao Sec published its POC (proof of concept), saying he was “calling it Follina because the spotted sample on the file references 0438, which is the area code of Follina in Italy.”
According to Beaumont, the vulnerability was in the wild for more than a month and Microsoft’s reaction was inadequate. Indeed, it was reported to Microsoft in March 2021 that the MSDT URL Protocol could be used, for example, with Microsoft Teams to execute code but Microsoft MSRC decided to close the ticket.
In his post, the researcher pointed out that “the attack surface of MS Protocol in Office is extremely large,” and popular software such as Outlook lets users click on any hyperlink, allowing various Windows URI schemes, which increase the chances to evade detection.
Like the unpatched Follina, those issues remain problematic and would require “another hardening pass,” but worse to Beaumont is that “Microsoft failed to issue a CVE or inform customers, but stealth patched it in Microsoft Teams in August 2021. They did not patch MSDT in Windows or the vector in Microsoft Office.”
Several blog posts were published in March 2022 highlighting the same issue. Another ticket was even opened in April 2022 involving an exploit targeting Russia with an invitation to a so-called job interview, but Microsoft MSRC closed the ticket once again.
On May 30, Microsoft allocated a CVE and published a blog post to finally classify it as a zero day the following day.
It should be noted that workarounds have been criticized too, not only by Beaumont, and other security researchers such as Hammond expect zero-click RCEs leveraging MSDT in the future.
How to Protect Against Follina
Microsoft recommends the following mitigation to protect against Follina exploits:
- Open a command prompt
- Back up the registry entry associated with the MSDT URL Protocol by using the command line “reg export HKEY_CLASSES_ROOT\ms-msdt > backup_entry”
- Remove the entry with “reg delete HKEY_CLASSES_ROOT\ms-msdt /f”
Users will be able to re-enable it with a simple “reg import backup_entry” command.
It’s important to note that the exploit has nothing to do with macros, so while disabling them can mitigate other attacks, it won’t fix the problem at all here.
CISA urges users and administrators to review Microsoft’s Guidance for CVE-2022-30190: Microsoft Support Diagnostic Tool Vulnerability and apply the necessary workarounds.
Security teams can use this MS document and this Threat Hunting rule for their investigations.
More generally, this incident is an invitation to keep extra vigilance with Word documents, especially those sent by emails, as in this case, most email gateways will probably not mark it as suspicious.
Read next: Top Secure Email Gateway Solutions for 2022
