2022-06-01

In late May, a Word file (.docx) submitted to VirusTotal from Belarus was identified as a malicious document that exploits a Microsoft Office 'zero day' vulnerability. Being a zero day, it slips past anti-malware protections for now…

…but the worst part is that it can execute code as soon as the document is opened, even when macros are disabled (macros are usually the main entry route for malware through Office). As analysed on Twitter by the cybersecurity research group nao_sec, the document:

Uses Word's 'remote template' feature to fetch an HTML file from a remote web server. That HTML, in turn, invokes the Microsoft Support Diagnostic Tool (MSDT, msdt.exe) through the ms-msdt: URL scheme, and MSDT ends up running PowerShell code.

Interesting maldoc was submitted from Belarus. It uses Word's external link to load the HTML and then uses the "ms-msdt" scheme to execute PowerShell code. https://t.co/hTdAfHOUx3 pic.twitter.com/rVSb02ZTwt — nao_sec (@nao_sec) May 27, 2022

As a result, infection is immediate once the Word document is opened: the attacker obtains code execution on our Windows system and can, for example, collect the hashes of our passwords.
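The remote-template link nao_sec describes lives in the document's relationship parts, which means a defender can triage suspicious .docx files without opening them in Word. The following PowerShell is an added example written for this page, not nao_sec's code or anything from the original sample: it lists every relationship whose target is an external http(s) URL, in word/_rels/settings.xml.rels (where an attached template is referenced) and, more generally, in word/_rels/document.xml.rels. The folder path in the usage note is an assumption.

```powershell
# Added example (not from the article or from nao_sec): flag .docx files that
# reference a remote (http/https) attached template or other external target.
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Get-RemoteTemplateTargets {
    param([Parameter(Mandatory)][string]$Path)

    $findings = @()
    $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
    try {
        # settings.xml.rels holds the attachedTemplate link the maldoc abuses;
        # document.xml.rels is checked too because other external links live there.
        foreach ($name in 'word/_rels/settings.xml.rels', 'word/_rels/document.xml.rels') {
            $entry = $zip.GetEntry($name)
            if (-not $entry) { continue }

            $reader = New-Object System.IO.StreamReader($entry.Open())
            try { [xml]$rels = $reader.ReadToEnd() } finally { $reader.Dispose() }

            foreach ($rel in $rels.Relationships.Relationship) {
                # A legitimate local template is TargetMode="Internal" or a file path;
                # an External relationship pointing at http(s) is what we want to see.
                if ($rel.TargetMode -eq 'External' -and $rel.Target -match '^https?://') {
                    $findings += [pscustomobject]@{
                        File   = $Path
                        Part   = $name
                        Type   = ($rel.Type -split '/')[-1]   # e.g. attachedTemplate, oleObject
                        Target = $rel.Target
                    }
                }
            }
        }
    } finally {
        $zip.Dispose()
    }
    return $findings
}

# Usage (the sample directory is an assumption):
Get-ChildItem 'C:\Samples' -Filter *.docx -Recurse |
    ForEach-Object { Get-RemoteTemplateTargets $_.FullName } |
    Format-Table -AutoSize
```

A hit is not proof of malice (remote templates are a legitimate feature), but an external template URL in a document received by e-mail is exactly the indicator worth escalating, and the URL itself is the next pivot for the investigation.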

In the words of Kevin Beaumont, the cybersecurity researcher who analysed the vulnerability and named it (Follina, after an Italian town):

“In my opinion, we are dealing with two different problems: Office itself, which allows loading HTML templates into Word without filtering, and the MSDT tool, which allows code execution.”

The vulnerability has been confirmed in various editions of Microsoft Office: Office 2013, 2016, 2019, 2021, Office ProPlus and Office 365 (including Insider and Current channel builds).

Here is a video of a test performed on a computer with the latest versions of Windows 11 and Office Pro Plus installed (instead of running malware, the exploit is used to launch Windows Calculator after the Word document is opened):

Windows 11 (May) + Office Pro Plus (April)

+ Preview pane enabled https://t.co/ZIOADQqluo pic.twitter.com/oo0YETlrl4 — Rich Warren (@buffaloverflow) May 29, 2022


How to patch the vulnerability?

For now Microsoft has not released a patch, and its only official response so far is a workaround rather than a fix… although the company 0patch has just announced one of its usual unofficial micropatches (for Windows 7, 10, 11 and several Windows Server versions): installing it is free, and only requires a user account on its platform.

Meanwhile, an alternative manual mitigation has been circulating online: disabling troubleshooting wizards via Regedit. Open HKLM\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnostics and set the value 'EnableDiagnostics' to '0' (disabled); if it does not exist, create it as a REG_DWORD with that name. Bear in mind that this also blocks the legitimate Windows troubleshooters for users of that machine.
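Both mitigations in circulation (Microsoft's own guidance for CVE-2022-30190, which is to unregister the ms-msdt: protocol handler after exporting it, and the ScriptedDiagnostics policy value described above) can be applied and verified from an elevated PowerShell prompt. The script below is an added example for this page, not Microsoft's or 0patch's code; the backup directory is an assumption, and the registry paths are the ones named in the guidance and in the paragraph above.

```powershell
# Added example (not from the article, Microsoft or 0patch): apply the two
# Follina workarounds, keeping a backup so they can be reverted once the
# official fix is installed. Run from an elevated PowerShell prompt.
$BackupDir = 'C:\FollinaBackup'   # assumption: any writable folder will do
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

# 1. Remove the ms-msdt: URL protocol handler, so Word (or any other app)
#    can no longer launch msdt.exe through that scheme. Export it first.
$handlerKey = 'Registry::HKEY_CLASSES_ROOT\ms-msdt'
if (Test-Path $handlerKey) {
    reg export HKEY_CLASSES_ROOT\ms-msdt "$BackupDir\ms-msdt.reg" /y | Out-Null
    reg delete HKEY_CLASSES_ROOT\ms-msdt /f | Out-Null
}

# 2. Disable scripted diagnostics (the troubleshooting wizards) via policy.
#    Side effect: built-in Windows troubleshooters stop working on this host.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnostics'
if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
New-ItemProperty -Path $policyKey -Name 'EnableDiagnostics' `
    -PropertyType DWord -Value 0 -Force | Out-Null

# 3. Verify: the handler key must be gone and the policy value must read 0.
$policyValue = (Get-ItemProperty -Path $policyKey -Name 'EnableDiagnostics').EnableDiagnostics
[pscustomobject]@{
    'ms-msdt handler removed' = -not (Test-Path $handlerKey)
    'EnableDiagnostics'       = $policyValue
    'Backup'                  = "$BackupDir\ms-msdt.reg"
}
```

To roll back after the official update ships, run `reg import C:\FollinaBackup\ms-msdt.reg` and delete the EnableDiagnostics value (or set it to 1). In a domain, the same two settings are better pushed through Group Policy than applied by hand on each machine.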

Also, if you use Defender for Endpoint (the enterprise version of Microsoft Defender), you can add the following query as a custom detection rule so that it flags execution of malicious code that abuses this vulnerability:
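The same detection logic can be reproduced outside Defender, for instance over Sysmon or EDR process-creation events. The function below is an added example written for this page, not Microsoft's custom detection query: it flags msdt.exe being spawned by an Office process, or any command line carrying the ms-msdt: scheme from the nao_sec analysis, plus the IT_RebrowseForFile parameter seen in public Follina samples. The three event records are constructed for illustration and are not real telemetry.

```powershell
# Added example (not from the article or from Microsoft Defender): a small
# rule over process-creation events that matches the Follina pattern.
$OfficeParents = 'WINWORD.EXE', 'EXCEL.EXE', 'POWERPNT.EXE', 'OUTLOOK.EXE', 'MSACCESS.EXE'

function Test-FollinaEvent {
    # $Event is any object exposing Image, ParentImage and CommandLine
    # (Sysmon event ID 1 and most EDR process events map onto these fields).
    param([Parameter(Mandatory)]$Event)

    $image  = [System.IO.Path]::GetFileName($Event.Image)
    $parent = [System.IO.Path]::GetFileName($Event.ParentImage)
    $cmd    = [string]$Event.CommandLine

    $reasons = @()
    if ($image -ieq 'msdt.exe' -and $OfficeParents -contains $parent.ToUpper()) {
        $reasons += "msdt.exe spawned by $parent"
    }
    if ($cmd -match '(?i)ms-msdt:') {
        $reasons += 'ms-msdt: scheme in command line'
    }
    if ($cmd -match '(?i)IT_RebrowseForFile=') {
        $reasons += 'IT_RebrowseForFile parameter (seen in public Follina samples)'
    }
    # A normal troubleshooter launch (control.exe parent, no URL scheme) matches none of these.
    return $reasons
}

# Constructed sample events: one exploitation attempt, two benign process starts.
$sampleEvents = @(
    [pscustomobject]@{
        Image       = 'C:\Windows\System32\msdt.exe'
        ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
        CommandLine = '"C:\Windows\System32\msdt.exe" ms-msdt:/id PCWDiagnostic /skip force /param "IT_RebrowseForFile=x IT_LaunchMethod=ContextMenu IT_BrowseForFile=..."'
    },
    [pscustomobject]@{
        Image       = 'C:\Windows\System32\msdt.exe'
        ParentImage = 'C:\Windows\System32\control.exe'
        CommandLine = '"C:\Windows\System32\msdt.exe" -id NetworkDiagnosticsWeb'
    },
    [pscustomobject]@{
        Image       = 'C:\Windows\System32\cmd.exe'
        ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
        CommandLine = 'cmd.exe /c echo hello'
    }
)

foreach ($e in $sampleEvents) {
    $hits = Test-FollinaEvent $e
    if ($hits) {
        Write-Output "ALERT: $($e.CommandLine)"
        $hits | ForEach-Object { Write-Output "  - $_" }
    }
}
```

Only the first constructed event should produce an alert (on all three indicators); the second is a legitimate troubleshooter launch and the third is an Office child process that is suspicious on its own but not Follina. The parent-process check is the most durable of the three, because an attacker can obfuscate the command line but cannot change which process opened the document.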