Follina Vulnerability

CVE-2022-30190 Microsoft Support Diagnostic Tool Vulnerability

Microsoft Office 0-day “Follina”

Over the weekend a zero-day vulnerability was discovered by @nao_sec. It abuses the Microsoft Support Diagnostic Tool (MSDT) from within an Office document (Word, Excel, PowerPoint) to gain initial access to a machine, giving the attacker remote code execution with a single click and, in some cases, with no click at all. The usual guidance for protecting environments against malicious Office documents is to disable macros; this attack does not rely on macros, so disabling them does not stop this vector.

The most dangerous variant of this exploit uses a Rich Text Format (.rtf) file, which can trigger execution through nothing more than the preview pane in Windows Explorer.

Recommendations and Mitigations

As always, we advise against opening Office documents from unknown or untrusted sources. With this vulnerability in circulation, that advice is more critical than ever.

Current guidance for mitigating this vulnerability comes down to two measures:

  • Prevent Office applications from launching child processes.
  • Rename or remove the registry key for the Microsoft Support Diagnostic Tool protocol handler.
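
The following script is an added example, not part of the original post, showing how a defender would apply both measures on one Windows host from an elevated PowerShell prompt. It assumes Microsoft Defender is the active antivirus (Attack Surface Reduction rules require it), that the MSDT handler is registered under HKEY_CLASSES_ROOT\ms-msdt (the key Microsoft's published workaround removes), and uses a backup directory of its own choosing.

```powershell
# Added example (not from the original post). Run as Administrator.
# Assumes Microsoft Defender AV is active and MSDT is registered at
# HKEY_CLASSES_ROOT\ms-msdt. The backup directory is this example's choice.

# --- 1. Prevent Office from launching child processes --------------------
# Defender ASR rule "Block all Office applications from creating child processes"
$OfficeChildProcRule = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'
Add-MpPreference -AttackSurfaceReductionRules_Ids $OfficeChildProcRule `
                 -AttackSurfaceReductionRules_Actions Enabled

# Confirm the rule took effect (action 1 = Block)
$pref = Get-MpPreference
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    if ($pref.AttackSurfaceReductionRules_Ids[$i] -ieq $OfficeChildProcRule) {
        "ASR rule action: $($pref.AttackSurfaceReductionRules_Actions[$i]) (1 = Block)"
    }
}

# --- 2. Back up, then remove, the ms-msdt protocol handler key -----------
$KeyPath   = 'HKEY_CLASSES_ROOT\ms-msdt'
$BackupDir = 'C:\MitigationBackups'          # example location
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$Backup    = Join-Path $BackupDir 'ms-msdt.reg'

# reg.exe export writes a .reg file that 'reg.exe import' can restore later,
# so the change can be rolled back once a patch is applied.
reg.exe export $KeyPath $Backup /y
if ($LASTEXITCODE -ne 0) {
    throw "Backup of $KeyPath failed; refusing to delete without a backup."
}

reg.exe delete $KeyPath /f

# Verify the handler is gone
if (Test-Path "Registry::$KeyPath") {
    Write-Warning "$KeyPath is still present; check permissions and rerun."
} else {
    "Removed $KeyPath (backup saved to $Backup)"
}
```

Restore the handler later with `reg.exe import C:\MitigationBackups\ms-msdt.reg` once the host is patched.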

Helpful References