New Microsoft Office Zero-Day Used in Attacks to Execute PowerShell

Background

Security researchers have discovered a new Microsoft Office zero-day vulnerability that is being used in attacks to execute malicious PowerShell commands through the Microsoft Support Diagnostic Tool (MSDT) when a Microsoft Word document is opened. The vulnerability, which has yet to receive a tracking number and is referred to by the infosec community as 'Follina,' is triggered by malicious Word documents that invoke MSDT to run PowerShell commands.

This Follina zero-day opens a new critical attack vector through Microsoft Office programs: it works without elevated privileges, bypasses Windows Defender detection, and does not require macros to be enabled in order to execute binaries or scripts.

While hunting on VirusTotal for files that exploited CVE-2021-40444, the researcher nao_sec found a file that abuses the ms-msdt URI scheme. The document uses Word's external link feature to load remote HTML, which in turn uses the 'ms-msdt' scheme to execute PowerShell code.
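The two document traits described above (an external link that pulls remote HTML, and an ms-msdt: reference) can be checked for during triage. The script below is an added defender-side example, not part of this advisory or of any vendor tooling: it lists a .docx package's external relationships and flags object-style ones or any ms-msdt: string; the sample documents, placeholder URLs and the RISKY_REL_TYPES set are the example's own assumptions.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
# Relationship kinds that should not normally point outside the package (assumed set).
RISKY_REL_TYPES = {"oleObject", "frame", "attachedTemplate"}
MSDT_RE = re.compile(rb"ms-msdt:", re.IGNORECASE)

def scan_docx(data: bytes) -> dict:
    # Collect external relationships from every .rels part, plus any part
    # containing an ms-msdt: URI (the scheme the Follina sample invokes).
    findings = {"external": [], "msdt_parts": []}
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        for name in pkg.namelist():
            blob = pkg.read(name)
            if name.endswith(".rels"):
                for rel in ET.fromstring(blob).iter(f"{{{REL_NS}}}Relationship"):
                    if rel.get("TargetMode") == "External":
                        rtype = rel.get("Type", "").rsplit("/", 1)[-1]
                        findings["external"].append((name, rtype, rel.get("Target")))
            if MSDT_RE.search(blob):
                findings["msdt_parts"].append(name)
    return findings

def is_suspicious(findings: dict) -> bool:
    # Plain hyperlinks are external too and are not flagged; an external
    # OLE object/frame target or any ms-msdt reference is.
    return bool(findings["msdt_parts"]) or any(
        rtype in RISKY_REL_TYPES for _, rtype, _ in findings["external"])

def build_sample(rel_type: str, target: str) -> bytes:
    # Constructed minimal .docx with one external relationship, for testing only.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("word/document.xml", "<document/>")
        pkg.writestr("word/_rels/document.xml.rels",
                     f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId1" '
                     f'Type="{OFFICE_REL}{rel_type}" Target="{target}" '
                     'TargetMode="External"/></Relationships>')
    return buf.getvalue()

# Constructed samples (placeholder URLs): an ordinary hyperlink, and an
# external OLE object link of the kind used to pull the remote HTML.
BENIGN = build_sample("hyperlink", "https://example.invalid/")
SUSPECT = build_sample("oleObject", "http://example.invalid/page.html!")
```

Run it over a quarantined document with `is_suspicious(scan_docx(open(path, "rb").read()))`; an external oleObject target on its own is an indicator worth a closer look, not proof of exploitation.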

Impact

A remote attacker could exploit this vulnerability to take control of an affected system.

Systems / Technologies affected

  • Windows 7 for 32-bit and x64-based Systems Service Pack 1
  • Windows RT 8.1
  • Windows 8.1 for 32-bit and x64-based systems
  • Windows 10 Version 1607 for 32-bit and x64-based Systems
  • Windows 10 for 32-bit and x64-based systems
  • Windows 10 Version 21H2 for 32-bit and x64-based systems
  • Windows 10 Version 21H2 for ARM64-based Systems
  • Windows 10 Version 20H2 for ARM64-based Systems
  • Windows 10 Version 20H2 for 32-bit and x64-based Systems
  • Windows 10 Version 21H1 for ARM64-based Systems
  • Windows 10 Version 21H1 for 32-bit and x64-based Systems
  • Windows 10 Version 1809 for 32-bit and x64-based systems
  • Windows 10 Version 1809 for ARM64-based Systems
  • Windows Server, version 20H2 (Server Core Installation)
  • Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
  • Windows Server 2008 R2 for x64-based Systems Service Pack 1
  • Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
  • Windows Server 2008 for x64-based Systems Service Pack 2
  • Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
  • Windows Server 2008 for 32-bit Systems Service Pack 2
  • Windows Server 2012 R2 (Server Core installation)
  • Windows Server 2012 R2
  • Windows Server 2012 (Server Core installation)
  • Windows Server 2012
  • Windows Server 2016 (Server Core installation)
  • Windows Server 2016
  • Windows Server 2019 (Server Core installation)
  • Windows Server 2019
  • Windows Server 2022 Azure Edition Core Hotpatch
  • Windows Server 2022 (Server Core installation)
  • Windows Server 2022

Recommendation

CSA urges users and administrators to review Microsoft's 'Guidance for CVE-2022-30190 Microsoft Support Diagnostic Tool Vulnerability' and apply the workaround it describes.

References