Microsoft Suggests Work-Around For ‘Serious’ Follina Zero-Day

While malicious email attachments are nothing new, there’s reason to be particularly cautious when it comes to the new zero-day vulnerability, dubbed Follina, found in Microsoft Word, for which the tech giant almost immediately issued a workaround.

“The reason this vulnerability is so serious is that all a user needs to do is open the document. In some cases, just previewing a document in Windows Explorer will trigger the exploit,” said Johannes Ullrich, dean of research for SANS Technology Institute and founder of the Internet Storm Center. “This has the potential to infect many users who are not super careful.”

When a user opens a malware-infected document, Follina bypasses warnings, which puts organizations at risk. It’s not as though organizations can simply ban attachments or tell users not to open them; attachments are common and necessary to getting work done in today’s digital workplace.

“At this point, most users know about the dangers of malicious attachments, but they still need to open them to do business,” said Ullrich, adding that “employees receive at least a few attachments each week while conducting business.”

This vulnerability promises to “make an already popular exploit vector a lot easier to execute,” he said. “The damage could be significant and the impact is global.”

Attackers have exploited the flaw, using it “in targeted attacks for at least a month; at first, it was not taken seriously by Microsoft,” said Ullrich.

“Bad actors have been exploiting the Follina zero-day vulnerability found in Microsoft’s support diagnostic tool since April,” Harish Akali, CCOT at ColorTokens, said. Of additional concern, Microsoft Office 2019/2021 is “one of the most widely used software suites” and the vulnerability is found in even patched versions.

“Follina appears to be trivially exploitable, and very powerful/flexible in the security context of the logged-in user given its ability to bypass Windows Defender,” said Casey Ellis, founder and CTO at Bugcrowd. “It’s also particularly dangerous in that Microsoft macros are characteristically the focus for code execution payloads via Microsoft Office products, so user awareness training on not enabling macros doesn’t mitigate the risk.”

Once the vulnerability was made public, “numerous tools and examples” were produced “showing how easy it is to exploit this vulnerability,” Ullrich said.

Microsoft said the flaw is “a remote code execution vulnerability [that] exists when MSDT is called using the URL protocol.” Successful attackers “can run arbitrary code with the privileges of the calling application,” according to work-around guidance issued in a blog post by the Microsoft Security Response Center. “The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights.”

Through RCE, threat actors have “the ability to use system resources for multiple purposes including deploying malware, gaining access to other network resources and enabling command-and-control on the network,” said Bud Broomhead, CEO at Viakoo. “In the short term, it is a minor inconvenience, especially given the severity of this exploit. System administrators will need to restore this functionality, but only when it is safe to do so.”

To alleviate the threat, Microsoft recommends “disabling MSDT URL protocol,” which “prevents troubleshooters being launched as links including links throughout the operating system.” The company points out that “Troubleshooters can still be accessed using the Get Help application and in system settings as other or additional troubleshooters.”

The company also places considerable faith in Microsoft Defender Antivirus—advising that users “turn on cloud-delivered protection and automatic sample submission. These capabilities use artificial intelligence and machine learning to quickly identify and stop new and unknown threats.”

Microsoft Defender for Endpoint customers “can enable attack surface reduction rule ‘Block all Office applications from creating child processes’ GUID: d4f940ab-401b-4efc-aadc-ad5f3c50688a that blocks Office apps from creating child processes,” the company wrote. “Creating malicious child processes is a common malware strategy.”
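The three workarounds the article relays (disabling the MSDT URL protocol, turning on cloud-delivered protection and sample submission, and enabling the “Block all Office applications from creating child processes” ASR rule) can be applied and verified on a single host with the PowerShell below. This is an added example, not code from the article or from Microsoft; it assumes an elevated session with the Defender cmdlets available, and the backup file path is a placeholder chosen here. The registry export/delete step mirrors Microsoft’s published guidance for the MSDT workaround.

```powershell
# Added example (not from the article or Microsoft): apply and verify the
# Follina workarounds on one Windows host. Assumes an elevated PowerShell
# session where the Defender cmdlets (Get-/Set-/Add-MpPreference) exist.
#Requires -RunAsAdministrator

$BackupPath = "$env:SystemDrive\ms-msdt-backup.reg"            # assumed backup location
$AsrBlockOfficeChildProcesses = 'd4f940ab-401b-4efc-aadc-ad5f3c50688a'  # GUID quoted in the article
$MsdtKey = 'Registry::HKEY_CLASSES_ROOT\ms-msdt'

function Disable-MsdtUrlProtocol {
    # Back up the ms-msdt: handler so troubleshooter links can be restored after
    # patching, then remove the registration so the URL protocol cannot launch MSDT.
    if (Test-Path $MsdtKey) {
        reg.exe export 'HKEY_CLASSES_ROOT\ms-msdt' $BackupPath /y | Out-Null
        reg.exe delete 'HKEY_CLASSES_ROOT\ms-msdt' /f | Out-Null
    }
}

function Restore-MsdtUrlProtocol {
    # Re-import the saved handler once the host is patched ("only when it is safe to do so").
    if (Test-Path $BackupPath) { reg.exe import $BackupPath | Out-Null }
}

function Enable-DefenderMitigations {
    # Cloud-delivered protection (MAPS) and automatic sample submission.
    Set-MpPreference -MAPSReporting Advanced -SubmitSamplesConsent SendAllSamples
    # ASR rule "Block all Office applications from creating child processes" in block mode.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $AsrBlockOfficeChildProcesses `
                     -AttackSurfaceReductionRules_Actions Enabled
}

function Test-FollinaMitigations {
    # Returns one object summarising whether each workaround is in place.
    $pref = Get-MpPreference
    $ids  = @($pref.AttackSurfaceReductionRules_Ids)
    $acts = @($pref.AttackSurfaceReductionRules_Actions)
    $idx  = -1
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -eq $AsrBlockOfficeChildProcesses) { $idx = $i }   # -eq is case-insensitive
    }
    [pscustomobject]@{
        MsdtProtocolRemoved = -not (Test-Path $MsdtKey)
        CloudProtection     = ($pref.MAPSReporting -ne 0)          # 0 = Disabled
        SampleSubmission    = ($pref.SubmitSamplesConsent -in @(1, 3))  # SendSafeSamples / SendAllSamples
        AsrRuleBlocking     = ($idx -ge 0 -and $acts[$idx] -eq 1)  # 1 = Block, 2 = Audit, 6 = Warn
    }
}

Disable-MsdtUrlProtocol
Enable-DefenderMitigations
Test-FollinaMitigations
```

Run `Test-FollinaMitigations` on its own to audit a host without changing it; all four fields should read `True` after the workarounds are applied. `Restore-MsdtUrlProtocol` reverses the registry change once the update that fixes the flaw is installed.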

Alex Ondrick, director of security operations at BreachQuest, called Microsoft’s handling of the flaw “concerning, but not surprising: According to DoublePulsar.com, Microsoft seems to be aware that ms-msdt has a large attack surface and affects a large volume of its customers. Given the historical context of it, I suspect that Microsoft is meticulously working to get this zero-day under control.”

Microsoft products provide “an attractive attack surface, as employees are constantly working with various documents as part of their job responsibilities,” Anton Ovrutsky, adversarial collaboration engineer at LARES Consulting said. “Although Microsoft has implemented several hardening changes—including disabling macro functionality by default in the latest Office versions—this recent zero-day demonstrates not only the large attack surface found in Office but also the need to properly harden and monitor Office applications on the endpoint level from a detection and response standpoint.”
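The monitoring Ovrutsky calls for can start with the same behaviour the ASR rule targets: an Office application spawning msdt.exe or a scripting host. The PowerShell below is an added example, not code from the article or any quoted vendor. It runs a simple detection over constructed process-creation records whose field names follow Sysmon Event ID 1 (ProcessCreate); the sample records are made up here, not a real capture, and the list of parent and child images is an assumption that a defender would tune.

```powershell
# Added example: flag Office applications spawning msdt.exe or a scripting host.
# Field names (ParentImage, Image, CommandLine) follow Sysmon Event ID 1.
# The events below are constructed sample data, not a real capture.

$OfficeParents      = @('winword.exe', 'excel.exe', 'powerpnt.exe', 'outlook.exe')  # assumed list
$SuspiciousChildren = @('msdt.exe', 'sdiagnhost.exe', 'cmd.exe', 'powershell.exe', 'mshta.exe')

$SampleEvents = @(
    [pscustomobject]@{ UtcTime = '2022-05-30 09:14:02'; ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
                       Image = 'C:\Windows\System32\msdt.exe'; CommandLine = '"C:\Windows\System32\msdt.exe" ms-msdt:[constructed]' }
    [pscustomobject]@{ UtcTime = '2022-05-30 09:14:00'; ParentImage = 'C:\Windows\explorer.exe'
                       Image = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'; CommandLine = 'WINWORD.EXE invoice.docx' }
    [pscustomobject]@{ UtcTime = '2022-05-30 10:02:41'; ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE'
                       Image = 'C:\Windows\System32\cmd.exe'; CommandLine = 'cmd.exe /c [constructed]' }
    [pscustomobject]@{ UtcTime = '2022-05-30 10:05:13'; ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE'
                       Image = 'C:\Program Files\Google\Chrome\Application\chrome.exe'; CommandLine = 'chrome.exe https://example.invalid' }
)

function Find-OfficeChildProcess {
    # Emits one finding per record where an Office parent launched a suspicious child.
    param([Parameter(ValueFromPipeline)] [pscustomobject[]] $Events)
    process {
        foreach ($e in $Events) {
            $parent = [System.IO.Path]::GetFileName($e.ParentImage).ToLowerInvariant()
            $child  = [System.IO.Path]::GetFileName($e.Image).ToLowerInvariant()
            if (($OfficeParents -contains $parent) -and ($SuspiciousChildren -contains $child)) {
                [pscustomobject]@{
                    UtcTime     = $e.UtcTime
                    Parent      = $parent
                    Child       = $child
                    # msdt.exe under Office is the Follina pattern itself; other children are generic Office abuse.
                    Severity    = if ($child -eq 'msdt.exe') { 'High' } else { 'Medium' }
                    CommandLine = $e.CommandLine
                }
            }
        }
    }
}

# Two of the four constructed records should be flagged: WINWORD -> msdt.exe (High) and EXCEL -> cmd.exe (Medium).
Find-OfficeChildProcess -Events $SampleEvents | Format-Table -AutoSize

# On a host running Sysmon, feed real records instead, for example by mapping the
# ParentImage/Image/CommandLine properties out of:
#   Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 }
```

Because the rule keys on the parent/child relationship rather than on a document signature, it still fires when the lure document or the URL it reaches differ from any public sample, which is the point of endpoint-level monitoring over attachment filtering alone.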


Teri Robinson

From the time she was 10 years old and her father gave her an electric typewriter for Christmas, Teri Robinson knew she wanted to be a writer. What she didn’t know is how the path from graduate school at LSU, where she earned a Masters degree in Journalism, would lead her on a decades-long journey from her native Louisiana to Washington, D.C. and eventually to New York City where she established a thriving practice as a writer, editor, content specialist and consultant, covering cybersecurity, business and technology, finance, regulatory, policy and customer service, among other topics; contributed to a book on the first year of motherhood; penned award-winning screenplays; and filmed a series of short movies. Most recently, as the executive editor of SC Media, Teri helped transform a 30-year-old, well-respected brand into a digital powerhouse that delivers thought leadership, high-impact journalism and the most relevant, actionable information to an audience of cybersecurity professionals, policymakers and practitioners.
