Date: 2022-06-06

The Follina vulnerability, which we told you about yesterday and which affects all versions of Word from Office 2013 onwards, is much more serious than previously thought. Although it has only begun to generate headlines during this past week, the truth is that it has been exploited by cybercriminals since at least April 12 (as reported by Hacker News), when its use in cyberattacks from Russia was detected.

However, the most shocking thing is that on that same day Microsoft received the information about the existence of the vulnerability… and decided to do nothing, as it did not consider it a security problem, claiming that the MSDT utility required a key provided by a support technician before it could execute arbitrary PowerShell code from Word.





The truth is that the vulnerability is based on a flaw in the URI scheme of the “ms-msdt:” protocol, and that the malware that takes advantage of it (and has been spreading for a month and a half) “is designed to evade security products and fly under the radar” of anti-malware systems, according to Malwarebytes’ Jérôme Segura.

Worse still, we now know that the Word file does not even need to be opened for malicious code to run: if someone renames the document with the .RTF (Rich Text Format) file extension, Protected View’s safeguards for potentially dangerous files will not be activated, so we can be infected merely by previewing the document in Windows Explorer.

Microsoft, which has now acknowledged the problem, does not offer an official patch yet (although we remind you that 0patch has released an unofficial one): for now, its recommendation is to disable the Windows Explorer preview pane, as well as the MSDT protocol.



The best advice that Microsoft has for us is to uncheck that option.

Until Microsoft makes it impossible to launch URI handlers in MS Office without the explicit permission of the user, this kind of news will continue to multiply.
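While no official patch exists, defenders can hunt for the behaviour described above (Office handing a document off to the MSDT utility through the “ms-msdt:” scheme) in process-creation telemetry. The following is an added example, not code from the original article or from Microsoft; the JSON field names (modelled on Sysmon process-creation events) and every sample event are constructed assumptions.

```python
import json
from pathlib import PureWindowsPath

# Office hosts whose child processes should never include msdt.exe.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Constructed sample data: one JSON object per line, with assumed field names
# modelled on Sysmon process-creation events (Image, ParentImage, CommandLine).
SAMPLE_EVENTS = r'''
{"UtcTime":"2022-06-01 09:14:02","ParentImage":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","Image":"C:\\Windows\\System32\\msdt.exe","CommandLine":"msdt.exe ms-msdt:<constructed-arguments>"}
{"UtcTime":"2022-06-01 09:20:41","ParentImage":"C:\\Windows\\explorer.exe","Image":"C:\\Windows\\System32\\msdt.exe","CommandLine":"msdt.exe ms-msdt:<constructed-arguments>"}
{"UtcTime":"2022-06-01 09:31:10","ParentImage":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","Image":"C:\\Windows\\splwow64.exe","CommandLine":"splwow64.exe 8192"}
{"UtcTime":"2022-06-01 10:02:55","ParentImage":"C:\\Windows\\System32\\control.exe","Image":"C:\\Windows\\System32\\msdt.exe","CommandLine":"msdt.exe /id PrinterDiagnostic"}
this line is truncated {"UtcTime":
'''

def exe_name(path):
    """Lower-cased file name of a Windows path, whatever OS runs this script."""
    return PureWindowsPath(path).name.lower()

def classify(event):
    """Return 'high', 'review' or None for one process-creation event."""
    if exe_name(event.get("Image", "")) != "msdt.exe":
        return None
    if exe_name(event.get("ParentImage", "")) in OFFICE_PARENTS:
        return "high"    # an Office application launched the diagnostic tool
    if "ms-msdt:" in event.get("CommandLine", "").lower():
        return "review"  # URI handler used by a non-Office parent (preview case)
    return None          # troubleshooter started without the URI scheme

def scan(log_text):
    """Return a list of (severity, time, parent, command line) findings."""
    findings = []
    for line in log_text.splitlines():
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue     # skip blank or damaged lines instead of aborting
        if not isinstance(event, dict):
            continue
        severity = classify(event)
        if severity:
            findings.append((severity, event.get("UtcTime"),
                             exe_name(event.get("ParentImage", "")),
                             event.get("CommandLine")))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(*finding, sep=" | ")
```

The "review" tier exists because the article notes that previewing a renamed .RTF file can trigger the flaw without Word being opened, so a non-Office parent is not proof that the launch was benign.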


A new vulnerability that combines with Follina to make it more dangerous

To round off the disaster, another similar vulnerability has come to light. This one affects another internal Windows protocol, search-ms, which is normally used to perform local searches on the computer but can also be used to do the same with shared files on a remote host.

Cybercriminals have found a method to bypass the security warning that should be displayed by default, so it is very easy for them to trick a potential victim into clicking on a search-ms URI.

Thus, by combining Follina with the new vulnerability, a cybersecurity expert has managed to show that it is possible to use a malicious Word file to open a remote search window on the victim’s computer. If the remote share is given a misleading name, it is possible to convince the user that these are important software updates to download and install:

Here’s how exploitation looks to the user when opening 😉 pic.twitter.com/4wlvbPJ2oZ — hackerfantastic.crypto (@hackerfantastic) June 1, 2022

Again, in this case we can only resort to temporary and unofficial solutions: