Everyone Needs To Pay Attention To This Microsoft Zero Day Exploit That Is Making The Rounds

I’ve been delaying writing about this until I could get some more information about this zero day exploit, and mitigation strategies for it. Let’s start with the exploit.

Researchers warned last weekend that a flaw in Microsoft’s Support Diagnostic Tool could be exploited using malicious Word documents to remotely take control of target devices. Here are some details:

On May 27, a researcher who uses the online moniker “nao_sec” reported on Twitter that they had found an interesting malicious document on the VirusTotal malware scanning service. The malicious Word file, uploaded from Belarus, is designed to execute arbitrary PowerShell code when opened.

The malware was later analyzed by several others, including researcher Kevin Beaumont, who published a blog post detailing his findings on Sunday.

“The document uses the Word remote template feature to retrieve a HTML file from a remote webserver, which in turn uses the ms-msdt MSProtocol URI scheme to load some code and execute some PowerShell,” Beaumont explained, adding, “That should not be possible.”

The researcher noted that the code is executed even if macros are disabled — malicious Word documents are typically used for code execution via macros. Microsoft Defender currently does not appear to be capable of preventing execution.

“Protected View does kick in, although if you change the document to RTF form, it runs without even opening the document (via the preview tab in Explorer) let alone Protected View,” Beaumont said.

The researcher decided to name the zero day vulnerability “Follina” because the malicious file references 0438, which is the area code of Follina, a village in Italy.

This is now being tracked as CVE-2022-30190. Microsoft has not yet issued a fix, but it has published mitigation guidance. That all sounds good, but here’s the bad news: this appears to be actively exploited by threat actors, and Microsoft may have been asleep at the switch:

The Microsoft Support Diagnostic Tool vulnerability was reported to Microsoft on April 12 as a zero-day that was already being exploited in the wild, researchers from Shadow Chaser Group said on Twitter. A response dated April 21, however, informed the researchers that the Microsoft Security Response Center team didn’t consider the reported behavior a security vulnerability because, supposedly, the MSDT diagnostic tool required a password before it would execute payloads.

On Monday, Microsoft reversed course, identifying the behavior with the vulnerability tracker CVE-2022-30190 and warning for the first time that the reported behavior constituted a critical vulnerability after all.

That’s bad on Microsoft’s part. Really bad.

My advice is to follow Microsoft’s mitigation guidance until a fix appears. If there is no fix and the flaw is being actively exploited by threat actors, it’s only a matter of time before there is widespread pwnage.
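Microsoft’s interim workaround for CVE-2022-30190 was to disable the MSDT URL protocol handler by backing up and then deleting the `HKEY_CLASSES_ROOT\ms-msdt` registry key, which breaks the `ms-msdt:` link in the document-to-PowerShell chain described above. The script below is an added example that implements that workaround, with a check and a rollback, and is not code from this post or from Microsoft; the backup file location is an assumption.

```powershell
# Added example: check, apply and roll back the interim workaround for
# CVE-2022-30190 (Follina) by removing the ms-msdt: URL protocol handler.
# Run from an elevated PowerShell prompt. The backup path is an assumed location.
$KeyPath    = 'HKEY_CLASSES_ROOT\ms-msdt'
$BackupFile = Join-Path $env:ProgramData 'ms-msdt-backup.reg'   # assumed path

function Test-MsdtHandler {
    # Returns $true while the ms-msdt: handler is still registered, i.e. while
    # a remote template can still hand a URI to MSDT on this machine.
    return Test-Path "Registry::$KeyPath"
}

function Disable-MsdtHandler {
    if (-not (Test-MsdtHandler)) {
        Write-Host 'ms-msdt handler already absent; nothing to do.'
        return
    }
    # Export first so the change can be reverted once the official fix ships.
    reg.exe export $KeyPath $BackupFile /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Backup of $KeyPath failed; aborting." }
    reg.exe delete $KeyPath /f | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Deletion of $KeyPath failed." }
    Write-Host "Removed $KeyPath (backup: $BackupFile)."
}

function Restore-MsdtHandler {
    # Re-import the saved key after the patch has been deployed.
    if (-not (Test-Path $BackupFile)) { throw "No backup found at $BackupFile." }
    reg.exe import $BackupFile | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Import of $BackupFile failed." }
    Write-Host "Restored $KeyPath from $BackupFile."
}

Disable-MsdtHandler
if (Test-MsdtHandler) { Write-Warning 'Handler still present; check that the shell is elevated.' }
```

Deploying this through a management tool rather than by hand keeps the backup file in a known place for every host, which matters when the key has to be restored after patching.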
