A “Zero Day” vulnerability in a Windows tool that hackers have been exploiting through poisoned Word documents was discovered over the weekend.
An independent cybersecurity research team known as nao_sec announced in a series of tweets that they’d found the vulnerability in a malicious Word document uploaded to Virus Total, a website for analyzing suspicious software, from an IP address in Belarus.
Interesting maldoc was submitted from Belarus. It uses Word’s external link to load the HTML and then uses the “ms-msdt” scheme to execute PowerShell code. https://t.co/hTdAfHOUx3 pic.twitter.com/rVSb02ZTwt
— nao_sec (@nao_sec) May 27, 2022
Another researcher, Kevin Beaumont, who dubbed the vulnerability “Follina,” explained that the pernicious document uses the remote template feature in Word to retrieve an HTML file from a remote web server. That file then uses Microsoft’s ms-msdt MSProtocol URI scheme to load more code on the targeted system and execute PowerShell commands.
Making matters worse, the malicious document doesn’t have to be opened to execute its payload. It will run if the document is displayed in the preview tab of Windows Explorer.
Microsoft lists 41 different product versions affected by Follina, from Windows 7 to Windows 11, and from Server 2008 to Server 2022. Known and proven as affected are Office, Office 2016, Office 2021 and Office 2022, regardless of the version of Windows they are running on.
Log4Shell Comparison
“Follina appears to be trivially exploitable and very powerful, given its ability to bypass Windows Defender,” Casey Ellis, CTO and founder of Bugcrowd, which operates a crowdsourced bug bounty platform, told TechNewsWorld.
Folina’s virulence, however, was downplayed by Roger Grimes, data-driven defense evangelist at KnowBe4, a security awareness training provider in Clearwater, Fla. “The worst type of Zero Day is one that launches against a user’s unprotected listening service or executes immediately when downloaded or clicked on,” he told TechNewsWorld.
“This isn’t that,” he continued. “Microsoft will have a patch created in a few days or less and if users haven’t disabled the default auto-patching in Microsoft Office — or if they use Office 365 — the patch will be automatically applied quickly. This exploit is something to be concerned about, but it’s not going to take over the world.”
Dirk Schrader, global vice president of New Net Technologies, now part of Netwrix, a provider of IT security and compliance software, in Naples, Fla., compared Follina to the Log4Shell vulnerability discovered in December 2021, which continues to plague thousands of businesses today.
Log4Shell was about an uncontrolled way of executing a function in a function combined with the ability to call for external resources, he explained. “This Zero Day, initially named Follina, works in a similar way,” he told TechNewsWorld.
“Windows built-in security tools are likely not to catch this activity and standard hardening benchmarks don’t cover it,” he said. “Built-in defensive mechanisms like Defender or common restrictions for the use of macros will not block this attack, as well.”
“The exploit seems to be out in the wild for about a month now, with various modifications as to what should be executed on the targeted system,” he added.
Microsoft Workaround
Microsoft officially recognized the vulnerability on Monday as CVE-2022-30190 and issued workarounds to mitigate the flaw.
“A remote code execution vulnerability exists when [Microsoft Support Diagnostic Tool] is called using the URL protocol from a calling application such as Word,” it explained in a company blog.
“An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application,” it continued. “The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights.”
As a workaround, Microsoft recommended disabling the MSDT URL protocol (the ms-msdt scheme). That prevents troubleshooters from being launched from links; troubleshooters can still be accessed through the Get Help application and in system settings.
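One way an administrator could apply and later reverse that workaround, as an added example that is not from the article or from Microsoft: Microsoft’s published guidance for CVE-2022-30190 consists of exporting the HKEY_CLASSES_ROOT\ms-msdt registry key as a backup and then deleting it, and the script below wraps those two steps with a pre-check, a refusal to delete when the backup did not succeed, and a verification that the handler is actually gone. The backup directory under C:\ProgramData and the function names are this example’s own choices; the script must run from an elevated PowerShell session.

```powershell
# Added example (not the article's or Microsoft's code): disable the ms-msdt
# URL protocol handler as a mitigation for CVE-2022-30190, keeping a backup so
# the change can be undone once the patch is installed. Run elevated.
# Assumed by this script: the backup location below (a constructed choice).
$keyPath   = 'Registry::HKEY_CLASSES_ROOT\ms-msdt'
$backupDir = 'C:\ProgramData\msdt-workaround'
$backup    = Join-Path $backupDir 'ms-msdt-backup.reg'

function Test-MsdtHandlerPresent {
    # True while applications can still dispatch ms-msdt: URIs to msdt.exe
    return (Test-Path -Path $keyPath)
}

function Disable-MsdtUrlProtocol {
    if (-not (Test-MsdtHandlerPresent)) {
        Write-Output 'ms-msdt handler already absent; nothing to do.'
        return
    }
    New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

    # Export first, so the workaround is reversible after patching
    & reg.exe export 'HKEY_CLASSES_ROOT\ms-msdt' $backup /y | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path -Path $backup)) {
        throw "Backup to $backup failed; refusing to delete the key."
    }

    # Remove the protocol association; links using ms-msdt: no longer open MSDT
    & reg.exe delete 'HKEY_CLASSES_ROOT\ms-msdt' /f | Out-Null
    if (Test-MsdtHandlerPresent) {
        throw 'Handler key still present after delete; check permissions.'
    }
    Write-Output "ms-msdt URL protocol disabled; backup saved to $backup"
}

function Restore-MsdtUrlProtocol {
    # Re-import the saved key after Microsoft's fix has been applied
    if (-not (Test-Path -Path $backup)) {
        throw "No backup found at $backup; nothing to restore."
    }
    & reg.exe import $backup | Out-Null
    if (-not (Test-MsdtHandlerPresent)) {
        throw 'Restore failed; handler key is still absent.'
    }
    Write-Output 'ms-msdt URL protocol restored.'
}

# Apply the workaround; call Restore-MsdtUrlProtocol later to undo it
Disable-MsdtUrlProtocol
```

Because the export is checked before the delete runs, a failed backup leaves the system unchanged rather than leaving an unrecoverable removal, and `Test-MsdtHandlerPresent` doubles as a quick compliance check that can be run on its own across a fleet to confirm which machines still carry the handler.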
The workaround shouldn’t be too much of an inconvenience to users, noted Chris Clements, vice president of solutions architecture at Cerberus Sentinel, a cybersecurity consulting and penetration testing company, in Scottsdale, Ariz.
“The support tool still functions as normal,” he told TechNewsWorld. “The only difference is that URLs that use the protocol-specific link won’t automatically open in the support tool like they would by default.”
“Think of it as how clicking an http:// link automatically opens your default browser,” he continued. “The msdt:/ links are just pre-associated by default with the support tool. The mitigation removes that auto-open-with association.”
Longer Support Tix Times
Ray Steen, CSO with MainSpring, an IT managed services provider in Frederick, Md., agreed that the workaround would have a minimal impact on users. “MSDT is not a general troubleshooter or support tool,” he told TechNewsWorld. “It is only used to share logs with Microsoft technicians during support sessions.”
“Technicians can obtain the same information by other means, including the System Diagnostics Report tool,” he said.
In addition, he noted, “Disabling the URL protocol only prevents MSDT from being launched through a link. Users and remote technicians will still be able to open it manually.”
There may be one potential drawback for organizations shutting off the URL protocol, however, noted Carmit Yadin, CEO and founder of DeviceTotal, a risk management company in Tel Aviv, Israel. “Organizations will see an increase in support desk ticket times because the MSDT traditionally helps diagnose performance issues, not just security incidents,” he told TechNewsWorld.
Vulnerability Will Be Weaponized
Harish Akali, CTO of ColorTokens, a provider of autonomous zero trust cybersecurity solutions, in San Jose, Calif., maintained that Follina underlines the importance of zero trust architecture and solutions based on that principle.
“Such an approach would only allow legitimate and approved network communication and processes on a computer,” he told TechNewsWorld. “Zero trust software would also block lateral movement, a key tactic the hackers use to access valuable data once they access a compromised IT asset.”
Schrader noted that in the coming weeks, attackers will likely check for ways to weaponize the vulnerability. “This Zero Day in a spear-phishing campaign could be combined with recently discovered attack vectors and with privilege escalation techniques to elevate from the current user’s context,” he said.
“Keeping in mind the possibility of this combined tactic, IT pros should make sure that systems are closely monitored to detect breach activity,” he advised.
“On top of that,” he continued, “the similarities with Log4Shell, which made headlines in December 2021, are striking. Same as it, this vulnerability is about using an application’s ability to remotely call for a resource using the URI scheme, and not having safeguards in place.”
“We can expect APT groups and cyber crooks to specifically look for more of these as they seem to offer an easy way in,” he added.