Zero-Day ‘Follina’ Bug Lays Microsoft Office Open to Attack

Malware loads itself from remote servers and bypasses Microsoft’s Defender AV scanner, according to reports.

UPDATE

A zero-day vulnerability in Microsoft Office allows adversaries to run malicious code on targeted systems via a flaw a remote Word template feature.

The warning comes from Japanese security vendor Nao Sec, which tweeted a warning about the zero day over the weekend.

Noted security researcher Kevin Beaumont dubbed the vulnerability “Follina”, explaining the zero day code references the Italy-based area code of Follina – 0438.
Infosec Insiders Newsletter
Beaumont said the flaw is abusing the remote template feature in Microsoft Word and is not dependent on a typical macro-based exploit path, common within Office-based attacks. According to Nao Sec, a live sample of the bug was found in a Word document template and  links to an internet protocol (IP) address in the Republic of Belarus.

It’s unclear if the zero-day bug has been actively leveraged by adversaries. A proof-of-concept code exists, which demonstrate that versions of Office ranging from 2003 to the current build are vulnerable to attack. Meanwhile, security researchers say  users can follow Microsoft Attack Surface Reduction measures to mitigate risk, in lieu of a patch.

Working of Follina 

Nao Sec researchers explain the path to infection includes the malicious template loading an exploit via a hypertext markup language (HTML) file from a remote server.

The loaded HTML uses the “ms-msdt” MSProtocol URI scheme to load and execute a snippet of PowerShell code.

“It uses Word’s external link to load the HTML and then uses the ‘ms-msdt’ scheme to execute PowerShell code,” as reported by Nao Sec.

The MSDT stands for the Microsoft Support Diagnostic Tool and collects information and reports to Microsoft Support. This troubleshooting wizard will analyze the gathered info and attempt to find a resolution to hiccups experienced by the user.

Beaumont found that the flaw allows the code to run via MSDT, “even if macros are disabled”.

“Protected View does kick in, although if you change the document to RTF form, it runs without even opening the document (via the preview tab in Explorer) let alone Protected View,” further explained by Beaumont.

Beaumont confirmed that the exploit is currently affecting the older versions of Microsoft Office 2013 and 2016 and the endpoint detection “missed execution” of malware. Additional research revealed the vulnerability impacts even the most recent version of Microsoft Office.

Another security researcher Didier Stevens said he exploited the Follina bug on a fully patched version of Office 2021, and John Hammond a cybersecurity researcher tweeted the working proof of Follina.

Microsoft users with E5 licenses can detect the exploit by appending the endpoint query to Defender. Additionally, Warren suggests using the Attack Surface Reduction (ASR) rules to block the office applications from creating child processes.

(EDITOR’S NOTE: This story was updated 5/31 at 7:50 a.m. to reflect that more recent versions of Office are impacted by this bug) 

 

Suggested articles