A zero-day flaw in Microsoft Office has caught the attention of cybersecurity researchers; the flaw can be exploited to execute arbitrary code in affected Windows systems.
The vulnerability was discovered when an independent cybersecurity research team, known as nao_sec, came across a Word document (“05-2022-438.doc”) uploaded to VirusTotal using a Belarusian IP address.
“It uses Word’s external link to load the HTML and then uses the ‘ms-msdt’ scheme to execute PowerShell code,” the researchers noted in a series of tweets last week.
According to security researcher Kevin Beaumont, who dubbed the flaw “Follina,” the maldoc uses Word’s remote template feature to get an HTML from a server, which uses the “ms-msdt://” URI scheme to run the malicious payload.
The flaw has been called Follina because the malicious sample references “0438” corresponds to Follina’s area code.
MSDT, short for Microsoft Support Diagnostics Tool, is a utility that can troubleshoot and collect diagnostic data for analysis by support professionals to resolve a problem.
“There’s a lot going on here, but the first problem is Microsoft Word is executing the code via msdt (a support tool) even if macros are disabled,” Beaumont explained.
“Protected View does kick in, although if you change the document to RTF form, it runs without even opening the document (via the preview tab in Explorer) let alone Protected View,” the researcher added.
Microsoft Office versions, including Office, Office 2016, and Office 2021, are said to be affected but other versions can be vulnerable as well.
What’s more, Richard Warren of NCC Group managed to demonstrate an exploit on Office Professional Pro with April 2022 patches running on an up-to-date Windows 11 machine with the preview pane enabled.
“Microsoft are going to need to patch it across all the different product offerings, and security vendors will need robust detection and blocking,” Beaumont said. We have reached out to Microsoft for comment, and we’ll update the story once we hear back.