Threat Alert

by IthacaLabs™

THREAT LEVEL/High 31/05/2022

New 0day Microsoft Office RCE vulnerability – MSDT Attack

Threat Level Description

Threat Level: High – An attack is highly likely. Additional and sustained protective security measures are warranted, reflecting the broad nature of the threat combined with specific business and geographical vulnerabilities and judgments on acceptable risk.

Description

A new 0day remote code execution vulnerability in Microsoft Office has been identified and is being actively exploited in the wild.

An attacker who successfully exploits this vulnerability, via specially crafted Office documents, can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights.

This remote code execution vulnerability, named Follina (CVE-2022-30190), weaponizes Microsoft Word documents to execute arbitrary PowerShell code by making use of the “ms-msdt:” URI scheme. The actual flaw exists in the way the Microsoft Windows Support Diagnostic Tool (MSDT) is called through the URL protocol from a calling application, such as Microsoft Word. By manipulating a few lines within the “document.xml.rels” part of the document’s core structure, attackers are able to serve their malicious payload or execute PowerShell commands.
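As an added defensive example (not part of the original alert), the scanner below inspects the relationship parts of an Office Open XML package for the hook described above: a relationship target using the “ms-msdt:” scheme, and external OLE object links, which legitimate documents rarely contain. The sample packages and the “example.invalid” target are constructed for the demonstration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

REL_TAG = "{http://schemas.openxmlformats.org/package/2006/relationships}Relationship"
OLE_TYPE_SUFFIX = "/relationships/oleObject"


def scan_docx(data: bytes) -> list:
    """Return (part, target, reason) findings for every .rels part in the package.
    Flags ms-msdt: targets outright and external OLE object links for review."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            try:
                root = ET.fromstring(zf.read(name))
            except ET.ParseError:
                findings.append((name, "", "unparseable relationships part"))
                continue
            for rel in root.iter(REL_TAG):
                target = rel.get("Target", "")
                if target.lstrip().lower().startswith("ms-msdt:"):
                    findings.append((name, target, "ms-msdt: URI in relationship target"))
                elif rel.get("TargetMode") == "External" and rel.get("Type", "").endswith(OLE_TYPE_SUFFIX):
                    findings.append((name, target, "external OLE object link"))
    return findings


def build_sample(rels_xml: str) -> bytes:
    """Constructed minimal package containing only the relationship part the scanner reads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


_NS = 'xmlns="http://schemas.openxmlformats.org/package/2006/relationships"'
_T = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
# Constructed: an ordinary document relationship part.
BENIGN = f'<Relationships {_NS}><Relationship Id="rId1" Type="{_T}styles" Target="styles.xml"/></Relationships>'
# Constructed: an external OLE link plus a placeholder ms-msdt: target (not a working payload).
SUSPECT = (f'<Relationships {_NS}>'
           f'<Relationship Id="rId1" Type="{_T}oleObject" Target="http://example.invalid/remote.html" TargetMode="External"/>'
           f'<Relationship Id="rId2" Type="{_T}hyperlink" Target="ms-msdt:CONSTRUCTED-SAMPLE" TargetMode="External"/>'
           '</Relationships>')

if __name__ == "__main__":
    for label, pkg in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(label, scan_docx(build_sample(pkg)))
```

Run it over real files with `scan_docx(open(path, "rb").read())`; the same check applies to any OOXML package (.docx, .xlsx, .pptx), since all carry .rels parts.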

The attacker could exploit the vulnerability by accessing the target system locally (e.g. keyboard, console) or remotely (e.g. SSH), or by relying on user interaction by another person to perform the actions required to exploit the vulnerability (e.g. tricking a legitimate user into opening a malicious document).

Note that unlike other exploits involving Microsoft Office documents, this attack does not rely on macros, and the malicious code is executed even if macros are disabled.

Although Microsoft Office opens documents from the internet in Protected View or Application Guard for Office, both of which prevent this attack, converting the document to an .RTF file can trigger the exploit through the Preview Pane in Windows Explorer alone, and this does not trigger Protected View.

CVE(s)

CVE-2022-30190

Affected Systems

  • Microsoft Office 2013
  • Microsoft Office 2016
  • Microsoft Office 2019
  • Microsoft Office 2021
  • Microsoft Professional Plus

Recommendation(s)

You should immediately proceed and implement the relevant mitigations and updates provided by the vendor.

Furthermore, you should implement a Security Awareness program, addressed to all your management and staff, designed to increase the level of understanding of social engineering and security threats in general, warning employees not to open unsolicited attachments and, in this case, not even to hover over a downloaded file.

Note that relevant workaround techniques to prevent this kind of attack have been released and can be found below.

You should understand the importance of security updates, and the urgency with which they should be applied, no matter how large or small your organization is. It is very important to run an efficient patch management solution, keep security event logging enabled at all times and practice event monitoring. Protecting the valuable assets of your business and complying with the relevant industry regulations requires a comprehensive approach to the management of risk, including Penetration Testing at least annually and upon significant changes.

Workarounds:

Disabling the MSDT URL protocol prevents troubleshooters from being launched as links, including links throughout the operating system.

Steps to disable:
• Run Command Prompt as Administrator.
• To back up the registry key, execute the command "reg export HKEY_CLASSES_ROOT\ms-msdt filename".
• Execute the command "reg delete HKEY_CLASSES_ROOT\ms-msdt /f".

How to undo the workaround:
• Run Command Prompt as Administrator.
• To restore the registry key from the backup, execute the command "reg import filename".

Known Signatures:

• Trojan:Win32/Mesdetty.A
• Trojan:Win32/Mesdetty.B
• Behavior:Win32/MesdettyLaunch.A
• Behavior:Win32/MesdettyLaunch.B
• Behavior:Win32/MesdettyLaunch.C
