Microsoft 'Follina' Zero-Day Vulnerability

UPDATE 6/14/2022

Microsoft has released a patch for this vulnerability as part of their June 2022 Patch Tuesday release. The patch is available via Windows Update or by visiting https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-30190.


A critical zero-day vulnerability, nicknamed Follina and tracked as CVE-2022-30190, has been discovered in the Microsoft Support Diagnostic Tool (MSDT) on Windows and is being actively exploited through malicious Microsoft Office documents to achieve remote code execution (RCE). The flaw is in MSDT rather than in Office itself: a document pulls in an attacker-controlled HTML page that invokes the ms-msdt: URL protocol, and MSDT then runs attacker-supplied PowerShell with the privileges of the user who opened the file, with little or no interaction required beyond opening or previewing the document. The result can be remote backdoors, ransomware, data exfiltration, and other significant security incidents. All supported versions of Microsoft Office 2013 and later running on Windows are affected, including Microsoft 365 (O365) apps, because the vulnerable MSDT component ships with Windows. Microsoft Office on macOS is not believed to be affected at this time, since MSDT does not exist on that platform.

Follina exploitation has so far been associated mostly with malicious Word documents, but other Microsoft Office file types can carry the same payload. Any document type Word can open, not only the traditional .doc and .docx formats (for example, .rtf), can trigger the hidden payload. Because the technique does not use macros, disabling macros does not stop it, and "Protected View" is not a complete defense either: a malicious .rtf file can trigger the payload from the Windows Explorer preview pane without the document ever being opened.

When this advisory was first posted, no official patch from Microsoft was available (see the update above). Microsoft issued mitigation guidance for a temporary workaround that disables the vulnerable ms-msdt: URL protocol handler:

How to Disable MSDT URL Protocol: https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/
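Microsoft's workaround comes down to three registry operations: back up the HKEY_CLASSES_ROOT\ms-msdt key, delete it, and re-import the backup once the patch is installed. The script below is an added example that wraps those steps with a before/after check; it is not Microsoft's code and is not part of the original advisory. The backup location ($env:ProgramData\ms-msdt-backup.reg) and the -Undo switch are choices made here, not part of Microsoft's guidance.

```powershell
# Added example: apply, verify, or revert Microsoft's interim workaround for
# CVE-2022-30190 by removing the ms-msdt: URL protocol handler.
# Run from an elevated PowerShell prompt. Backup path below is an assumption.
#Requires -RunAsAdministrator

param(
    [string]$BackupPath = "$env:ProgramData\ms-msdt-backup.reg",  # assumed location
    [switch]$Undo
)

$Key   = 'HKEY_CLASSES_ROOT\ms-msdt'
$PsKey = "Registry::$Key"

function Test-MsdtProtocolRegistered {
    # Windows launches msdt.exe for an ms-msdt: URL via the default value of
    # HKCR\ms-msdt\shell\open\command; the handler is live when that value exists.
    $cmd = Get-ItemProperty -Path "$PsKey\shell\open\command" -ErrorAction SilentlyContinue
    return ($null -ne $cmd -and -not [string]::IsNullOrEmpty($cmd.'(default)'))
}

if ($Undo) {
    # Restore the handler from the backup taken when the workaround was applied.
    if (-not (Test-Path $BackupPath)) { throw "No backup found at $BackupPath; nothing to restore." }
    reg import $BackupPath | Out-Null
    if (-not (Test-MsdtProtocolRegistered)) { throw "Import ran but the handler is still absent; inspect $BackupPath." }
    Write-Host "ms-msdt: handler restored from $BackupPath"
    return
}

if (-not (Test-MsdtProtocolRegistered)) {
    Write-Host "ms-msdt: handler is not registered; nothing to do."
    return
}

# 1. Back up the key so the change can be reverted after patching.
reg export $Key $BackupPath /y | Out-Null
if ($LASTEXITCODE -ne 0 -or -not (Test-Path $BackupPath)) {
    throw "Backup failed; aborting before deleting anything."
}

# 2. Delete the protocol handler. Documents that reference ms-msdt: can no
#    longer cause msdt.exe to be launched through the URL scheme.
reg delete $Key /f | Out-Null

# 3. Verify the handler is actually gone.
if (Test-MsdtProtocolRegistered) { throw "Handler still present after delete; check permissions." }
Write-Host "ms-msdt: handler removed. Backup at $BackupPath (revert with -Undo once patched)."
```

Microsoft noted that the built-in troubleshooters remain reachable through the Get Help app and Settings while the handler is removed. Once the June 2022 update is installed, run the script with -Undo to restore the key from the backup.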

Countermeasures exist in the Trellix/FireEye products and continue to be updated as new threat intelligence and behavioral indicators related to Follina are gathered by the community:

  • FireEye Endpoint Security (FES) indicator signatures for Follina have been pushed to all active agents. Known variants, and potentially unknown variants that share the same behavior, are blocked rather than only reported when the agent runs in prevention mode.
  • FireEye Network Security (NX) appliances have received detection rules for known infrastructure and payloads associated with Follina.
  • FireEye Email Security (EX) continues to scan and block malicious attachments and messages, including those carrying Follina.
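The endpoint signatures above key on a simple behavioral tell that public analyses of Follina (including the Huntress write-up linked below) describe: an Office application spawning msdt.exe, with an ms-msdt:/id ... URL whose IT_BrowseForFile= parameter contains a PowerShell subexpression ($( ... )) on the command line. The functions below are an added example of that check, not code from Trellix/FireEye or from the original advisory. The event records are constructed sample data shaped like Sysmon Event ID 1 process-creation fields (Image, ParentImage, CommandLine); the abbreviated "Invoke-Expression(...)" in the malicious records stands in for a real payload.

```powershell
# Added example: flag Follina-style process creation (Office -> msdt.exe, or an
# ms-msdt: URL carrying an injected PowerShell subexpression).
# All events below are constructed sample data, not real telemetry.

$OfficeParents = @('winword.exe', 'excel.exe', 'powerpnt.exe', 'outlook.exe', 'msaccess.exe', 'visio.exe')

function Test-FollinaProcessChain {
    param([Parameter(Mandatory)][psobject]$Event)
    $child = [System.IO.Path]::GetFileName($Event.Image).ToLowerInvariant()
    if ($child -ne 'msdt.exe') { return $false }

    # Tell 1: an Office application is the direct parent of msdt.exe.
    $parent = [System.IO.Path]::GetFileName($Event.ParentImage).ToLowerInvariant()
    if ($OfficeParents -contains $parent) { return $true }

    # Tell 2: the injected URL, whatever the parent. A PowerShell subexpression
    # inside IT_BrowseForFile= is what the exploit relies on; a troubleshooter
    # started normally would not carry one.
    return [bool]($Event.CommandLine -match 'ms-msdt:/id\s+\S+.*IT_BrowseForFile=\$\(')
}

function Get-FollinaSuspects {
    param([Parameter(Mandatory)][psobject[]]$Events)
    @($Events | Where-Object { Test-FollinaProcessChain -Event $_ })
}

$SampleEvents = @(
    [pscustomobject]@{   # constructed: ordinary troubleshooter started from Control Panel
        ParentImage = 'C:\Windows\System32\control.exe'
        Image       = 'C:\Windows\System32\msdt.exe'
        CommandLine = '"C:\Windows\System32\msdt.exe" -id NetworkDiagnosticsNetworkAdapter'
    },
    [pscustomobject]@{   # constructed: Word launching msdt through the ms-msdt: URL handler
        ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
        Image       = 'C:\Windows\System32\msdt.exe'
        CommandLine = '"C:\Windows\system32\msdt.exe" ms-msdt:/id PCWDiagnostic /skip force /param "IT_RebrowseForFile=? IT_LaunchMethod=ContextMenu IT_BrowseForFile=$(Invoke-Expression(...)) i/../../../../../../../../../../Windows/System32/mpsigstub.exe"'
    },
    [pscustomobject]@{   # constructed: same injected URL from a parent not on the Office list
        ParentImage = 'C:\Windows\explorer.exe'
        Image       = 'C:\Windows\System32\msdt.exe'
        CommandLine = '"C:\Windows\system32\msdt.exe" ms-msdt:/id PCWDiagnostic /skip force /param "IT_BrowseForFile=$(Invoke-Expression(...))"'
    },
    [pscustomobject]@{   # constructed: Word spawning an unrelated child process
        ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
        Image       = 'C:\Windows\splwow64.exe'
        CommandLine = 'C:\Windows\splwow64.exe 12288'
    }
)

$hits = Get-FollinaSuspects -Events $SampleEvents
Write-Host ("{0} of {1} constructed events flagged" -f $hits.Count, $SampleEvents.Count)
$hits | Format-Table @{ n = 'Parent'; e = { [System.IO.Path]::GetFileName($_.ParentImage) } }, Image -AutoSize
```

Against live telemetry, feed the same function the ParentImage, Image, and CommandLine fields extracted from Sysmon Event ID 1 (for example via Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; Id=1}) or from Security event 4688 if process command-line auditing is enabled. The first tell is the higher-confidence one; the second is there to catch a variant delivered by something other than the listed Office executables.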

That said, the ease of exploitation and the rapid evolution of this vulnerability make it an attractive candidate for threat actors, and exploit methods are expected to keep changing. Information Security urges vigilance when previewing or opening any Microsoft Office attachment received by email, especially from an unrecognized sender. If you have any questions or concerns regarding this vulnerability, please contact us at security@ucla.edu. Thank you!

Additional Information:

https://www.bleepingcomputer.com/news/security/new-microsoft-office-zero-day-used-in-attacks-to-execute-powershell/

https://www.huntress.com/blog/microsoft-office-remote-code-execution-follina-msdt-bug