A new Microsoft Office zero-day vulnerability has been discovered that leverages the Microsoft Support Diagnostic Tool (MSDT) to run malicious PowerShell commands when a user simply opens a Word document.
The vulnerability doesn’t get detected by Microsoft Defender, doesn’t require macro code and doesn’t need elevated privileges, opening a potentially critical attack vector for threat actors to exploit. The vulnerability hasn’t received a tracking number yet and is being called ‘Follina’ by the community.
The flaw was detected by accident when security researcher nao_sec came across a malicious Word document submitted to Virus Total from an IP in Belarus.
Security researcher Kevin Beaumont further breaks down the code and explains that Microsoft Word executes a command-line string invoking MSDT, even if macro scripts are disabled.
The malicious Word document uses Word's remote template feature to fetch an HTML file from a remote server. In turn, the HTML uses the ms-msdt: URI protocol scheme to load additional code and execute malicious PowerShell commands.
While the Protected View feature in Microsoft Office does warn users about a potentially malicious file, the warning can be bypassed by saving the document as a Rich Text Format (RTF) file; in that form the exploit runs without the document even being opened, simply by selecting it with the Preview pane enabled in Windows Explorer.
The vulnerability currently exists in Office 2013, Office 2016, a patched version of Office 2021 and a fully updated installation of Office Pro Plus 2019. In a separate analysis, researchers at cybersecurity company Huntress confirmed Beaumont’s findings that the payload could be executed from Windows Explorer’s Preview pane.
They also discovered that the HTML executing the payload came from “xmlformats.com”, a domain that is no longer active. According to the researchers, depending on the payload, an attacker can use the exploit to reach remote locations on the victim’s network.
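The two observable artifacts described above, a remote template relationship inside the .docx and msdt.exe being spawned by an Office process or Explorer with an ms-msdt: URI, are both things a defender can check for. The following script is an added example written for this page, not code from the article or from the researchers it cites. It assumes the standard Open XML relationship type name `attachedTemplate`, uses a placeholder template host (`template.example.invalid`), and runs over constructed process-creation events rather than real telemetry.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# A .docx is a zip; the settings part's relationships file is where Word
# records an attached (possibly remote) template.
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
SETTINGS_RELS = "word/_rels/settings.xml.rels"
ATTACHED_TEMPLATE = "/attachedTemplate"  # suffix of the relationship Type


def find_remote_templates(docx_bytes: bytes) -> list:
    """Return http(s) template URLs referenced by a .docx.

    A template stored on a local path or file share is also marked
    TargetMode="External", so we only flag web-hosted targets, which is the
    pattern the article describes (HTML fetched from a remote server).
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if SETTINGS_RELS not in z.namelist():
            return hits  # no settings relationships at all
        root = ET.fromstring(z.read(SETTINGS_RELS))
    for rel in root.iter(f"{{{REL_NS}}}Relationship"):
        if not rel.get("Type", "").endswith(ATTACHED_TEMPLATE):
            continue
        if rel.get("TargetMode") != "External":
            continue
        target = rel.get("Target", "")
        if urlparse(target).scheme.lower() in ("http", "https"):
            hits.append(target)
    return hits


def build_sample_docx(remote: bool = True) -> bytes:
    """Constructed minimal zip containing only the settings relationships
    part (not a complete, openable Word document). The remote target is a
    placeholder host, not a real one."""
    target = ("http://template.example.invalid/remote.html" if remote
              else "file:///C:/CorpTemplates/Letterhead.dotm")
    rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Relationships xmlns="{REL_NS}">'
        '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/'
        'officeDocument/2006/relationships/attachedTemplate" '
        f'Target="{target}" TargetMode="External"/>'
        '</Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(SETTINGS_RELS, rels)
    return buf.getvalue()


# Process-tree check: msdt.exe launched by an Office app or Explorer with the
# ms-msdt: URI scheme on its command line.
MSDT_URI = re.compile(r"\bms-msdt:", re.IGNORECASE)
SUSPECT_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe",
                   "outlook.exe", "explorer.exe"}


def flag_msdt_spawns(events: list) -> list:
    """Return the process-creation events (dicts with 'parent', 'image',
    'cmdline') that match the MSDT launch pattern."""
    flagged = []
    for ev in events:
        image = ev.get("image", "").lower()
        parent = ev.get("parent", "").lower()
        if (image.endswith("msdt.exe") and parent in SUSPECT_PARENTS
                and MSDT_URI.search(ev.get("cmdline", ""))):
            flagged.append(ev)
    return flagged


# Constructed sample events; the URI arguments are deliberately a placeholder.
SAMPLE_EVENTS = [
    {"parent": "winword.exe", "image": "msdt.exe",
     "cmdline": "msdt.exe ms-msdt:/id PLACEHOLDER-ARGS"},
    {"parent": "explorer.exe", "image": "msdt.exe",
     "cmdline": "msdt.exe ms-msdt:/id PLACEHOLDER-ARGS"},  # Preview pane case
    {"parent": "explorer.exe", "image": "notepad.exe",
     "cmdline": "notepad.exe report.txt"},
    {"parent": "explorer.exe", "image": "msdt.exe",
     "cmdline": "msdt.exe -id NetworkDiagnosticsWeb"},  # user-run troubleshooter
]

if __name__ == "__main__":
    print("remote templates:", find_remote_templates(build_sample_docx()))
    print("local template sample:", find_remote_templates(build_sample_docx(False)))
    for ev in flag_msdt_spawns(SAMPLE_EVENTS):
        print("suspicious:", ev["parent"], "->", ev["cmdline"])
```

The document check is only a triage signal: a legitimately remote corporate template on an HTTPS intranet host would also be returned, so the result should be reviewed against known template locations. The process check deliberately requires the ms-msdt: scheme on the command line, so a troubleshooter a user launched by hand is not flagged.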
What’s worse is that Microsoft has been reportedly made aware of the vulnerability, according to screenshots shared by a member of the Shadow Chaser Group. However, the company dismissed it, stating it wasn’t a security-related issue because MSDT requires a user password to run and that the company couldn’t replicate the issue.
Microsoft quietly closed the vulnerability report on April 12, marking the issue as fixed and the impact as remote code execution.
Someone who writes/edits/shoots/hosts all things tech and when he’s not, streams himself racing virtual cars. You can reach out to Yadullah at [email protected], or follow him on Instagram or Twitter.