Workaround Issued for Microsoft Office Zero-Day Flaw

Microsoft on Monday alerted users of an actively exploited vulnerability in Microsoft Office and has released a workaround.

The remote code execution flaw, summarized in bulletin CVE-2022-30190, deals with a URL protocol issue. Per Microsoft's workaround description:

A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word. An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data or create new accounts in the context allowed by the user's rights.

The vulnerability was spotted in the wild Friday by security research team Nao_Sec, which found a malicious Word doc originating from Belarus. According to a tweet, the research team said that the specially crafted document uses an external link to "load the HTML and then uses the 'ms-msdt' scheme to execute PowerShell code."

The company is advising that users disable the MSDT URL protocol by following these steps:

  • Run the Command Prompt as Administrator.
  • Execute the command "reg export HKEY_CLASSES_ROOT\ms-msdt filename" to back up the registry.
  • Execute the command "reg delete HKEY_CLASSES_ROOT\ms-msdt /f" to block the MSDT URL protocol from accessing embedded URLs in Word docs.
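The three steps above, with a backup check and a post-deletion verification added, as an example written for this page rather than a script from Microsoft or the article; the backup directory `C:\MSDT-Backup` is an assumption:

```powershell
# Added example (not from the article or Microsoft): applies the article's
# workaround for CVE-2022-30190 with a backup and a verification step.
# Run from an elevated PowerShell session on the affected Windows host.
param(
    [string]$BackupDir = "C:\MSDT-Backup"   # assumption: where the .reg backup is written
)

$KeyPath = 'HKEY_CLASSES_ROOT\ms-msdt'       # the handler Microsoft's steps remove
$PsPath  = "Registry::$KeyPath"

# Step 1: the workaround only succeeds from an elevated prompt.
$isAdmin = ([Security.Principal.WindowsPrincipal] `
            [Security.Principal.WindowsIdentity]::GetCurrent()
           ).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $isAdmin) { throw "Run this script from an elevated (Administrator) session." }

# Nothing to do if the key is already absent (workaround applied earlier).
if (-not (Test-Path $PsPath)) {
    Write-Output "$KeyPath is not present; the MSDT URL protocol is already disabled."
    return
}

# Step 2: export the key before touching it, so it can be restored once a patch ships.
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$backup = Join-Path $BackupDir ("ms-msdt-{0:yyyyMMdd-HHmmss}.reg" -f (Get-Date))
reg.exe export $KeyPath $backup /y | Out-Null
if ($LASTEXITCODE -ne 0 -or -not (Test-Path $backup)) {
    throw "Backup of $KeyPath failed; aborting without changing the registry."
}
Write-Output "Backed up $KeyPath to $backup"

# Step 3: remove the ms-msdt handler so Office cannot hand a URL to MSDT.
reg.exe delete $KeyPath /f | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg delete failed with exit code $LASTEXITCODE" }

# Verify the mitigation took effect instead of trusting the exit code alone.
if (Test-Path $PsPath) {
    throw "$KeyPath still exists after deletion; mitigation NOT applied."
}
Write-Output "MSDT URL protocol disabled. To undo later: reg.exe import `"$backup`""
```

Keep the exported .reg file; once Microsoft ships a patch, `reg.exe import` restores the handler so Windows troubleshooters work again.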

Further, it's recommended that Microsoft Defender Antivirus customers turn on cloud-delivered protection and automatic sample submission to protect against the latest threats. Microsoft Defender for Endpoint users can enable "BlockOfficeCreateProcessRule" to stop Office from executing child processes. Microsoft also said that the baked-in Office Protected View can be used to block the attack.

Security researcher Kevin Beaumont, who has nicknamed the flaw "Follina" because "the spotted sample on the file references 0438, which is the area code of Follina in Italy," said that Microsoft has been aware of the issue since April. After multiple tests on Beaumont's end, he believes that Microsoft might have quietly patched Office to withstand this attack.

"However, with the Insider and Current versions of Office I can’t get this to work -- which suggests Microsoft have either tried to harden something, or tried to fix this vulnerability without documenting it," wrote Beaumont. "This appears to have happened around May 2022."

Beaumont does suggest that even though Microsoft might have already taken care of the issue by hardening Office, a patch to fix the vulnerability is needed. And security vendors should make sure to keep their solutions updated to detect and block any attacks using the MSDT URL protocol flaw.

Microsoft has yet to communicate if and when a permanent fix in the form of a patch will be available.

About the Author

Chris Paoli (@ChrisPaoli5) is the associate editor for Converge360.
