Microsoft released workarounds for a recently discovered zero-day vulnerability, dubbed Follina, in the Microsoft Office productivity suite.
Microsoft has released workarounds for a recently discovered zero-day vulnerability, dubbed Follina and tracked as
“On Monday May 30, 2022, Microsoft issued
This week, the cybersecurity researcher nao_sec discovered a malicious Word document (“05-2022-0438.doc”) that was uploaded to VirusTotal from Belarus. The document uses the remote template feature to fetch an HTML and then uses the “ms-msdt” scheme to execute PowerShell code.
The popular cybersecurity expert Kevin Beaumont, who named the bug Follina, published an analysis of the flaw.
“The document uses the Word remote template feature to retrieve a HTML file from a remote webserver, which in turn uses the ms-msdt MSProtocol URI scheme to load some code and execute some PowerShell.” reads the analysis published by Beaumont. “There’s a lot going on here, but the first problem is Microsoft Word is executing the code via msdt (a support tool) even if macros are disabled. Protected View does kick in, although if you change the document to RTF form, it runs without even opening the document (via the preview tab in Explorer) let alone Protected View.”
The issue affects multiple Microsoft Office versions, including Office, Office 2016, and Office 2021.
Microsoft has now published a “Guidance for
Microsoft recommends disabling the MSDT URL Protocol as workarounds, below are the instructions included in the guidance:
To disable the MSDT URL Protocol
Disabling MSDT URL protocol prevents troubleshooters being launched as links including links throughout the operating system. Troubleshooters can still be accessed using the Get Help application and in system settings as other or additional troubleshooters. Follow these steps to disable:
- Run Command Prompt as Administrator.
- To back up the registry key, execute the command “reg export HKEY_CLASSES_ROOT\ms-msdt filename“
- Execute the command “reg delete HKEY_CLASSES_ROOT\ms-msdt /f”.
How to undo the workaround
- Run Command Prompt as Administrator.
- To back up the registry key, execute the command “reg import filename”
Microsoft credited crazyman with Shadow Chaser Group, the tech giant labeled the flaw as “fixed” on April 21, 2022, and dismissed the vulnerability as “not a security issue” because the diagnostic tool requires a passkey for its execution.
Beginning Security with Microsoft Technologies: Protecting Office 365, Devices, and Data
DISC InfoSec
#InfoSecTools and #InfoSectraining