A “Zero Day” vulnerability in a Windows tool, exploited by attackers through infected Word documents, was discovered over the weekend.
An independent cybersecurity research group called nao_sec announced in a series of tweets that it had found the security hole in a malicious Word document uploaded to VirusTotal, a suspicious-software analysis website, from an IP address in Belarus.
Interesting Maldoc was sent from Belarus. It uses Word’s external link to load the HTML, then uses the “ms-msdt” scheme to execute the PowerShell code. https://t.co/hTdAfHOUx3 pic.twitter.com/rVSb02ZTwt
— nao_sec (@nao_sec) May 27, 2022
Another researcher, Kevin Beaumont, who named the vulnerability “Follina”, explains that the malicious document uses the remote template feature in Word to retrieve an HTML file from a remote web server. The file then uses Microsoft’s ms-msdt MSProtocol URI scheme to load more code on the targeted system and execute some PowerShell commands.
Worse still, the malicious document doesn’t need to be opened to execute its payload. It will run if the document is displayed in the preview pane of Windows Explorer.
Microsoft lists 41 different product versions affected by Follina, ranging from Windows 7 to Windows 11 and from Server 2008 to Server 2022. Office, Office 2016, Office 2021, and Office 2022 are known and proven to be affected, regardless of which version of Windows they run on.
Compared to Log4Shell
“Follina seems to be trivially exploitable and very powerful, thanks to its ability to bypass Windows Defender,” Casey Ellis, CTO and founder of Bugcrowd, which operates a community-driven bug bounty platform, told TechNewsWorld.
However, Follina’s severity was downplayed by Roger Grimes, data-driven defense evangelist at KnowBe4, a security awareness training provider in Clearwater, Fla. “… downloaded or clicked,” he told TechNewsWorld.
“This is not that,” he continued. “Microsoft will create a patch in a few days or less, and if the user hasn’t turned off the default auto-patch feature in Microsoft Office — or if they use Office 365 — the patch is automatically applied quickly. This exploit is worrisome, but it is not going to take over the world.”
Dirk Schrader, global vice president of New Net Technologies, now part of Netwrix, an IT security and compliance software provider in Naples, Fla., compared Follina to the Log4Shell vulnerability discovered in December 2021, which continues to plague thousands of businesses today.
He explains that Log4Shell is about an uncontrolled way of executing functionality within a function, combined with the ability to call external resources. “This Zero Day, originally named Follina, works the same way,” he told TechNewsWorld.
“Windows built-in security tools may not detect this activity, and standard hardening does not cover it,” he said. “Built-in defenses like Defender or common restrictions on the use of macros won’t block this attack either.”
He added: “The exploit appears to have been around for about a month now, with various modifications of what will be executed on the targeted system.”
Microsoft’s Workaround
Microsoft officially acknowledged the vulnerability on Monday (CVE-2022-30190) and released workarounds to mitigate it.
“A remote code execution vulnerability exists when [Microsoft Support Diagnostic Tool] is called using the URL protocol from a calling application such as Word,” it explained in a company blog.
“An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application,” it continued. “The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights.”
As a workaround, Microsoft recommends disabling the MSDT URL protocol. That will prevent the troubleshooter from being launched via a link; however, troubleshooters can still be accessed using the Get Help app and in system settings.
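The workaround above is a registry change: the ms-msdt: protocol handler key is exported as a backup and then deleted, and re-imported once a patch is installed. The script below is an added example, not code from the article or from Microsoft; it assumes an elevated PowerShell session, and the backup path is an arbitrary choice.

```powershell
# Added example: apply, verify and reverse the ms-msdt URL-protocol workaround.
# Assumes an elevated (administrator) PowerShell session; $BackupFile is a chosen location.
$KeyPath    = 'Registry::HKEY_CLASSES_ROOT\ms-msdt'
$BackupFile = Join-Path $env:ProgramData 'ms-msdt-backup.reg'

function Test-MsdtHandlerPresent {
    # The handler is live when the key exists and still carries shell\open\command,
    # which is the association that lets an ms-msdt: link launch the troubleshooter.
    if (-not (Test-Path $KeyPath)) { return $false }
    return (Test-Path (Join-Path $KeyPath 'shell\open\command'))
}

function Disable-MsdtHandler {
    if (-not (Test-MsdtHandlerPresent)) {
        Write-Output 'ms-msdt handler already absent; nothing to do.'
        return
    }
    # Export first so the key can be restored with `reg import` after patching.
    & reg.exe export 'HKEY_CLASSES_ROOT\ms-msdt' $BackupFile /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Backup to $BackupFile failed; not deleting the key." }
    & reg.exe delete 'HKEY_CLASSES_ROOT\ms-msdt' /f | Out-Null
    if (Test-MsdtHandlerPresent) { throw 'ms-msdt key is still present after deletion.' }
    Write-Output "ms-msdt handler removed; backup saved to $BackupFile"
}

function Restore-MsdtHandler {
    # Undo the workaround once the fix is installed.
    if (-not (Test-Path $BackupFile)) { throw "No backup found at $BackupFile" }
    & reg.exe import $BackupFile | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'Restoring the ms-msdt key failed.' }
    Write-Output 'ms-msdt handler restored.'
}

Disable-MsdtHandler
```

Run Test-MsdtHandlerPresent across a fleet to confirm the workaround was applied, and Restore-MsdtHandler after the update has been deployed.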
Chris Clements, vice president of solution architecture at Cerberus Sentinel, a penetration testing and cybersecurity consulting firm in Scottsdale, Ariz., notes that the workaround shouldn’t be too much of an inconvenience to the user.
He told TechNewsWorld: “The support tool still works as usual. The only difference is that URLs that use the protocol-specific link will not automatically open in the tool by default.”
He continued: “Think of it like clicking on an http:// link, which automatically opens your default browser. The msdt:/ links are only pre-associated by default with the support tool. The mitigation removes that auto-open link.”
Longer Support Ticket Times
Ray Steen, CSO of MainSpring, an IT managed services provider in Frederick, Md., agrees that the workaround will have minimal impact on users. “MSDT is not a general support or troubleshooting tool,” he told TechNewsWorld. “It is only used to share logs with Microsoft technicians during support sessions.”
“Technicians can obtain similar information by other means, including the System Diagnostic Report tool,” he said.
Additionally, he notes, “Disabling the URL protocol only prevents MSDT from launching via a link. Remote users and technicians can still open it manually.”
However, there can be a potential downside for organizations that turn off the URL protocol, noted Carmit Yadin, CEO and founder of DeviceTotal, a risk management firm in Tel Aviv, Israel. “Organizations will see an increase in support desk request times because MSDT often helps diagnose performance issues, not just security issues,” he told TechNewsWorld.
Vulnerability will be weaponized
Harish Akali, CTO of ColorTokens, a provider of autonomous zero trust cybersecurity solutions in San Jose, Calif., asserts that Follina emphasizes the importance of zero trust architecture and solutions based on that principle.
“Such an approach would only allow legitimate and approved network communications and processes on the computer,” he told TechNewsWorld. “Zero Trust software will also block lateral movement, a key tactic that hackers use to access valuable data after they’ve accessed compromised IT assets.”
Schrader noted that in the coming weeks, attackers will likely test ways to weaponize the vulnerability. “This Zero Day in an online phishing campaign can be combined with recently discovered attack vectors and with privilege escalation techniques to advance from the context of current users,” he said.
“Keeping in mind the potential of this hybrid tactic, IT professionals should ensure that systems are closely monitored for breaching activity,” he advises.
“On top of that,” he continued, “the similarities with Log4Shell, which came to light in December 2021, are remarkable. Likewise, this vulnerability involves using the application’s ability to invoke a remote resource using a URI scheme, with no protections in place.”
“We can expect APT groups and cyber fraudsters to be particularly looking for these as they seem to provide an easy way to get in,” he added.