Researchers have disclosed a Microsoft Office security flaw that can be abused for remote code execution attacks. The vulnerability gained notoriety as a zero-day after researchers found it was already being exploited against Microsoft Office programmes.
Microsoft Office Zero-Day
A significant Microsoft Office vulnerability was recently revealed by a security researcher known as crazymanarmy of the Shadow Chaser Group. An attacker can achieve remote code execution by delivering a maliciously crafted Office file, such as a Word document, that triggers the vulnerability.
An independent cybersecurity research team known as “nao sec” identified this Microsoft Office vulnerability as a zero-day after its exposure: a malicious Word document uploaded to VirusTotal from Belarus showed that threat actors were already exploiting the weakness.
Several other researchers also analysed the flaw and published technical details. Kevin Beaumont, who dubbed the bug “Follina,” released a detailed write-up on how a malicious Word document seen in the wild evaded detection by Microsoft Defender for Endpoint.
Beaumont also pointed out that attacks had been active in the wild since April, with a slew of Russian threat actors among those involved. Similarly, researcher Will Dormann described the attack in a detailed Twitter thread.
According to Beaumont, Microsoft had been made aware of the vulnerability earlier but did not consider it a problem. Nonetheless, the Redmond behemoth has now publicly acknowledged the flaw.
Describing the vulnerability in an explanatory blog post, Microsoft stated:
When MSDT is called using the URL protocol from a calling programme like Word, a remote code execution vulnerability occurs. An attacker who successfully exploits this flaw can execute arbitrary code with the calling application’s privileges. In the context allowed by the user’s permissions, the attacker can then install applications, read, alter, or remove data, and create new accounts.
The issue is tracked as CVE-2022-30190. Microsoft classified it as a high-severity vulnerability with a CVSS score of 7.8. There is currently no permanent fix. As an interim measure, however, Microsoft has published a workaround that disables the MSDT URL protocol.
Dormann also recommends disabling the Preview pane in Windows Explorer, since previewing a malicious document is another way to trigger the vulnerability.
He demonstrated such an attack in a short video:
It’s very similar to the MSHTML CVE-2021-40444 vul from September:
1) Use of ‘!’ at the end of the retrieved URI
2) Size of retrieved HTML must be 4096 bytes or larger
The important difference is that this variant still works.
Let’s look at the preview pane attack vector, like we did for CVE-2021-40444 since that one is more fun. Protected View be damned!
Here is Office 2019 on Win10, both with May 2022 updates. https://twitter.com/i/status/1531256385031352321
In addition, Microsoft confirms that it has updated Defender Antivirus to detect and block the threat using the following signatures:
- Trojan:Win32/Mesdetty.A (blocks msdt command line)
- Trojan:Win32/Mesdetty.B (blocks msdt command line)
- Behavior:Win32/MesdettyLaunch.A!blk (terminates the process that launched the msdt command line)
- Trojan:Win32/MesdettyScript.A (detects HTML files containing a suspicious msdt command being dropped)
- Trojan:Win32/MesdettyScript.B (detects HTML files containing a suspicious msdt command being dropped)
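As an added example, not taken from the article or from Microsoft's signatures, the Python script below applies the same idea to process-creation telemetry: it flags msdt.exe launched by an Office application with an ms-msdt: URL on its command line, which is the calling pattern Microsoft describes above, while leaving a troubleshooter a user opened from Explorer alone. The key="value" event format, file paths and log lines are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Office hosts that a Follina-style document causes to launch msdt.exe.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
MSDT_URL = re.compile(r"ms-msdt:", re.IGNORECASE)


@dataclass
class ProcEvent:
    parent_image: str
    image: str
    command_line: str


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def is_follina_like(ev: ProcEvent) -> bool:
    """msdt.exe spawned by an Office process through the ms-msdt: URL protocol.
    msdt started by explorer.exe (a user-opened troubleshooter) does not match."""
    return (_basename(ev.image) == "msdt.exe"
            and _basename(ev.parent_image) in OFFICE_PARENTS
            and MSDT_URL.search(ev.command_line) is not None)


def parse_event(line: str) -> ProcEvent:
    """Parse one constructed key="value" rendering of a process-creation event
    (the shape of a flattened Sysmon Event ID 1 record; assumed format)."""
    fields = dict(re.findall(r'(\w+)="([^"]*)"', line))
    return ProcEvent(fields["ParentImage"], fields["Image"], fields["CommandLine"])


# Constructed sample events; the exploit parameter is replaced by a placeholder.
SAMPLE_LOG = [
    r'ParentImage="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" '
    r'Image="C:\Windows\System32\msdt.exe" '
    r'CommandLine="C:\Windows\System32\msdt.exe ms-msdt:/id PCWDiagnostic [placeholder]"',
    # Benign: the user opened a troubleshooter from Explorer.
    r'ParentImage="C:\Windows\explorer.exe" Image="C:\Windows\System32\msdt.exe" '
    r'CommandLine="C:\Windows\System32\msdt.exe -id PCWDiagnostic"',
    # Benign: Word spawned the print spooler helper.
    r'ParentImage="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" '
    r'Image="C:\Windows\splwow64.exe" CommandLine="C:\Windows\splwow64.exe 12288"',
]


def scan(lines):
    """Return matching events, e.g. to alert on or to terminate the Office parent."""
    return [ev for ev in map(parse_event, lines) if is_follina_like(ev)]


if __name__ == "__main__":
    for ev in scan(SAMPLE_LOG):
        print(f"ALERT: {ev.parent_image} -> {ev.command_line}")
```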