The Australian Cyber Security Centre (ACSC) has issued a critical alert warning for a newly-discovered Microsoft Office exploit ‘Follina’ which is already causing havoc in Australian organisations but was initially dismissed by the software giant as being a "non-security related issue".
The exploit enables a remote actor to run code with the privileges of the user who selected or opened the malicious document.
Microsoft has confirmed the remote code execution (RCE) vulnerability in the Microsoft Support Diagnostic Tool (MSDT), which can be triggered simply by opening a malicious Word document.
The vulnerability is now tracked as CVE-2022-30190, but in April 2022, at the time of its discovery by security researchers, it was a zero-day exploit with no assigned ID.
This means that the RCE flaw was under active exploitation by threat actors before Microsoft even became aware of it.
The absence of an identifier gave rise to the moniker Follina, assigned by security researcher Kevin Beaumont, who was among the first to write about it.
Due to the public availability of several proof of concept (PoC) examples, the potential impact of exploitation, and the massive attack surface, this zero-day is considered one of the most critical vulnerabilities of the year to date.
Discovery and exploitation
While the public disclosure of CVE-2022-30190 came on May 27 from Japanese researchers at Nao Sec, members of the Shadow Chaser Group saw active exploitation first in April and reported it to Microsoft.
This collective of cyber security students hunts APT indicators of compromise for fun, education, and research contribution.
But Microsoft dismissed their report as a "non-security related issue" in April, so the tech giant inadvertently allowed the exploitation to continue for another month.
Proofpoint researchers have published evidence of a Chinese APT (advanced persistent threat) group exploiting Follina by delivering ZIPs containing Word documents that trigger it.
Fixing and workarounds
At this time, there's no fix available for CVE-2022-30190, and Microsoft hasn't provided an estimate for when a patch is coming.
The next Patch Tuesday is set to roll out on June 14, 2022, but the zero-day will most likely be addressed by an out-of-band security update.
The official workaround advice provided in the Microsoft guidance published on May 30, 2022, is to disable the MSDT URL protocol altogether.
Unfortunately, even for users who don't need this function, the change can only be applied by modifying the registry, which comes with its own risks.
ACSC has also recommended that corporate networks should block all Office applications from creating child processes.
Many experts have underlined that the industry hasn't had the time to study this flaw thoroughly, so even this "messy" workaround might not be effective against all possible attacks.
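The two workarounds described above (removing the MSDT URL protocol handler from the registry, and blocking Office applications from creating child processes) can be audited and applied from an elevated PowerShell session. The script below is an added example and is not code from the article, from ACSC or from Microsoft's guidance; it assumes the handler is registered under HKEY_CLASSES_ROOT\ms-msdt and uses the documented Defender attack surface reduction rule ID for "Block all Office applications from creating child processes".

```powershell
# Added example (not from the article or from Microsoft's advisory):
# audit and apply the two Follina workarounds. Run elevated; -WhatIf dry-runs.
# Assumptions: the MSDT handler lives at HKEY_CLASSES_ROOT\ms-msdt, and the
# Defender ASR rule "Block all Office applications from creating child
# processes" has the documented ID below.

$MsdtKey   = 'HKCR:\ms-msdt'
$AsrOffice = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'

function Test-MsdtProtocolEnabled {
    # True when the ms-msdt: URL handler is still registered, i.e. still exposed.
    if (-not (Get-PSDrive -Name HKCR -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
    }
    return (Test-Path -Path $MsdtKey)
}

function Disable-MsdtProtocol {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$BackupPath = "$env:ProgramData\ms-msdt-backup.reg")

    if (-not (Test-MsdtProtocolEnabled)) {
        Write-Host 'ms-msdt handler already absent; nothing to do.'
        return
    }
    # Export the key first so the handler can be restored once a patch ships.
    if ($PSCmdlet.ShouldProcess('HKEY_CLASSES_ROOT\ms-msdt', "export to $BackupPath, then delete")) {
        & reg.exe export 'HKEY_CLASSES_ROOT\ms-msdt' $BackupPath /y | Out-Null
        if ($LASTEXITCODE -ne 0) { throw 'Backup failed; refusing to delete the key.' }
        Remove-Item -Path $MsdtKey -Recurse -Force
        Write-Host "ms-msdt handler removed; backup written to $BackupPath"
    }
}

function Enable-OfficeChildProcessBlock {
    # Defender ASR rule: Block all Office applications from creating child processes.
    # Start with AuditMode to see what would be blocked before enforcing.
    param([ValidateSet('Enabled', 'AuditMode')][string]$Mode = 'Enabled')
    Add-MpPreference -AttackSurfaceReductionRules_Ids $AsrOffice `
                     -AttackSurfaceReductionRules_Actions $Mode
    # Return whether the rule is now present in the configured rule set.
    return ((Get-MpPreference).AttackSurfaceReductionRules_Ids -contains $AsrOffice)
}

# Usage:
# Test-MsdtProtocolEnabled                     # audit only
# Disable-MsdtProtocol -WhatIf                 # dry run
# Disable-MsdtProtocol                         # apply
# Enable-OfficeChildProcessBlock -Mode AuditMode
```

The registry change is deliberately guarded by a .reg export that must succeed before the key is deleted, since the article notes the workaround is both disruptive and reversible only by hand; the ASR rule is the Defender-native form of the ACSC advice and can be staged in audit mode on a pilot group before enforcement.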
Flaw and impact
CVE-2022-30190 gives remote actors code execution abilities on several Microsoft Office versions, including fully patched Office 2013, 2016, 2019, and 2021, all widely used in state and private sectors.
The problem lies in how MSDT is called from specific applications, including MS Office, via the MSDT URL protocol, which lets a remote actor run code with the privileges of the user who selected or opened the malicious document.
The first cases of actual exploitation seen in April used the zero-day for executing PowerShell on the system, but as security researchers underline, dropping payloads on the target system is also possible.
Microsoft highlights other potential repercussions in its advisory, including data manipulation, new account creation, program installation, and information disclosure.
While technically, the flaw is triggered via a local mechanism, the vector is still practically remote, as the exploit-triggering document is sent via email, and the payload dropped is controlled by a remote actor.
During the subsequent testing by the infosec community to verify the vulnerability after its disclosure on May 27, 2022, one of the involved security firms, Huntress Labs, developed a zero-click attack through an RTF document.
The Huntress Labs attack removes the need to trick the victim into opening the document, as merely selecting it invokes MSDT from the preview pane in Explorer, triggering the exploit on all Windows versions.
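The execution chain the article describes (an Office application, or Explorer's preview pane, handing an ms-msdt: URL to MSDT, which then runs PowerShell) leaves a distinctive parent/child pattern in process-creation telemetry. The following is an added example of detection logic, not code from the article or from any of the firms it names; it runs over constructed sample records shaped like Sysmon Event ID 1 data, and the detail that msdt.exe reaches PowerShell through sdiagnhost.exe is an assumption of the example rather than something the article states.

```powershell
# Added example (not from the article): flag the Follina process chain in
# process-creation records. Sample records below are constructed, not real
# telemetry; in production, feed Sysmon Event ID 1 or Security 4688 data.

# Parents that should not be launching the diagnostic tool (Explorer covers
# the preview-pane zero-click case described in the article).
$SuspectParents = @('winword.exe', 'excel.exe', 'powerpnt.exe', 'outlook.exe', 'explorer.exe')

function Test-FollinaIndicator {
    # Returns the list of reasons a single record looks like Follina activity
    # (an empty list means no match). Record needs ParentImage, Image, CommandLine.
    param([Parameter(Mandatory)] $Record)
    $parent = [IO.Path]::GetFileName([string]$Record.ParentImage).ToLower()
    $image  = [IO.Path]::GetFileName([string]$Record.Image).ToLower()
    $cmd    = [string]$Record.CommandLine

    $reasons = @()
    # 1. MSDT spawned directly by an Office app or by Explorer.
    if ($image -eq 'msdt.exe' -and $SuspectParents -contains $parent) {
        $reasons += "msdt.exe spawned by $parent"
    }
    # 2. The ms-msdt: URL scheme on any command line, whatever the parent.
    if ($cmd -match '(?i)ms-msdt:') {
        $reasons += 'ms-msdt: URI on command line'
    }
    # 3. PowerShell launched from the MSDT diagnostic host (assumed chain:
    #    msdt.exe -> sdiagnhost.exe -> powershell.exe).
    if ($image -in @('powershell.exe', 'pwsh.exe') -and $parent -eq 'sdiagnhost.exe') {
        $reasons += 'PowerShell started by sdiagnhost.exe'
    }
    return ,$reasons
}

function Find-FollinaEvents {
    # Runs the indicator check over a batch of records and emits one row per hit.
    param([Parameter(Mandatory)] [object[]]$Records)
    foreach ($r in $Records) {
        $why = Test-FollinaIndicator -Record $r
        if ($why.Count -gt 0) {
            [pscustomobject]@{
                Time    = $r.Time
                Parent  = [IO.Path]::GetFileName([string]$r.ParentImage)
                Image   = [IO.Path]::GetFileName([string]$r.Image)
                Reasons = ($why -join '; ')
            }
        }
    }
}

# Constructed sample records: two benign, three matching the chain.
$SampleRecords = @(
    [pscustomobject]@{ Time = '2022-05-30T09:00:00'; ParentImage = 'C:\Windows\explorer.exe';
        Image = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'; CommandLine = 'WINWORD.EXE /n' },
    [pscustomobject]@{ Time = '2022-05-30T09:00:05'; ParentImage = 'C:\Windows\System32\control.exe';
        Image = 'C:\Windows\System32\msdt.exe'; CommandLine = 'msdt.exe -id NetworkDiagnosticsWeb' },
    [pscustomobject]@{ Time = '2022-05-30T09:01:00'; ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE';
        Image = 'C:\Windows\System32\msdt.exe'; CommandLine = 'msdt.exe ms-msdt:/id <constructed-placeholder>' },
    [pscustomobject]@{ Time = '2022-05-30T09:01:02'; ParentImage = 'C:\Windows\System32\sdiagnhost.exe';
        Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'; CommandLine = 'powershell.exe <constructed-placeholder>' },
    [pscustomobject]@{ Time = '2022-05-30T09:05:00'; ParentImage = 'C:\Windows\explorer.exe';
        Image = 'C:\Windows\System32\msdt.exe'; CommandLine = 'msdt.exe ms-msdt:/id <constructed-placeholder>' }
)

Find-FollinaEvents -Records $SampleRecords | Format-Table -AutoSize
```

The second constructed record (MSDT launched from Control Panel to run a network troubleshooter) is there to show the legitimate use the checks must not flag: it matches neither a suspect parent nor the ms-msdt: scheme, so only the three Office- and Explorer-driven records are reported, the last one being the preview-pane case that needs no document to be opened.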