From Staff Writer.
Cyber-attackers are exploiting a remote code execution (RCE) vulnerability in the Microsoft Support Diagnostic Tool (MSDT) that can allow an attacker to install programs, view or change data, or create new accounts, depending on the victim’s user privileges.
Microsoft disclosed the vulnerability, dubbed “Follina”, earlier this week. No fix was available at the time of publication. The name comes from a code found in the zero-day sample that matches the telephone area code of Follina, Italy.
“The RCE appears to have been in use as early as April and recently came to widespread public attention after a researcher began researching a malicious sample on VirusTotal,” said Claire Tills, Tenable’s chief cyber security research engineer.
Ms Tills says researchers recently began reproducing the issue and found that it is a zero-click exploit, meaning no user interaction is required. She notes that, given the similarities between CVE-2022-30190 and CVE-2021-40444, researchers speculate that other protocol handlers may be vulnerable, so further developments and remediation attempts are expected.
The infection chain loads a malicious template through a hyperlink in the document. Versions of MS Office from 2003 to the present are at risk. Researchers from the Japanese cyber security consultancy Nao Sec report that the retrieved HTML uses the “ms-msdt” MSProtocol URI to execute PowerShell code. One researcher successfully ran a Follina MSDT exploit against a fully patched Office 2021 installation.
“An attacker who successfully exploited this vulnerability could run arbitrary code with the privileges of the calling application. An attacker could then install programs, view, change, or delete data, or create new accounts in a context permitted by user rights,” says Microsoft.
The vulnerability is somewhat unusual in that it does not rely on the macro-based abuse path that most Microsoft Office-based attacks follow. The Australian Cyber Security Centre warns that cyber-attackers are already exploiting the Follina vulnerability to target Australian organisations.
Nao Sec also adds that it uncovered a live sample in the wild: a Word document that loads a template from an IP address in Belarus. The malicious code runs through MSDT even when macros are disabled.
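The delivery step described above, a document that pulls an external template or object over HTTP before the ms-msdt handler is ever reached, leaves a trace in the document’s relationship parts. The script below is an added example, not code from the article, Nao Sec, or Microsoft; it opens each .docx as the zip package it is and lists relationships that point to an external HTTP(S) resource. The quarantine folder path is an assumption.

```powershell
# Added example (not from the article): scan .docx files for package relationships
# that fetch an external HTTP(S) resource, the template-loading step used by Follina.
# Assumes Windows PowerShell 5.1+ with .NET's System.IO.Compression available.
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Find-ExternalOfficeRelationships {
    param([Parameter(Mandatory)][string]$Path)

    $findings = @()
    $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
    try {
        # Relationship parts live under */_rels/*.rels inside the OOXML package
        foreach ($entry in $zip.Entries | Where-Object { $_.FullName -like '*_rels/*.rels' }) {
            $reader = New-Object System.IO.StreamReader($entry.Open())
            try { [xml]$rels = $reader.ReadToEnd() } finally { $reader.Dispose() }

            foreach ($rel in $rels.Relationships.Relationship) {
                # Flag external targets fetched over HTTP(S). Plain hyperlink relationships
                # are ordinary clickable links and are excluded to keep the noise down.
                if ($rel.TargetMode -eq 'External' -and
                    $rel.Target -match '^https?://' -and
                    $rel.Type -notmatch '/hyperlink$') {
                    $findings += [pscustomobject]@{
                        File   = $Path
                        Part   = $entry.FullName
                        Type   = ($rel.Type -split '/')[-1]   # e.g. oleObject, attachedTemplate
                        Target = $rel.Target
                    }
                }
            }
        }
    } finally {
        $zip.Dispose()
    }
    return $findings
}

# Usage: scan a folder of inbound attachments (path is an assumption)
Get-ChildItem -Path 'C:\quarantine\*.docx' | ForEach-Object {
    Find-ExternalOfficeRelationships -Path $_.FullName
} | Format-Table -AutoSize
```

A hit means the document will reach out to the network when opened; it does not by itself prove the target serves an ms-msdt payload, so treat the output as a triage list rather than a verdict, and remember that the same check applies to other OOXML formats (.xlsx, .pptx) once the file filter is widened.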
“I have successfully integrated the CVE-2022-30190 ms-msdt vulnerability into MacroPack Pro. Finished Docx format, including trojaning of an existing document. Now I’m watching the broadcast in xlsx format,” said one person on Twitter to Nao Sec on Wednesday.
Claire Tills says Microsoft Office documents are a popular attack vector for cyber-attackers. Microsoft suggests disabling the MSDT URL protocol, which prevents troubleshooters from being launched as links, including links throughout the operating system.
Microsoft also advises customers with Microsoft Defender Antivirus to turn on cloud-delivered protection and automatic sample submission.
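The two workarounds above, removing the MSDT URL protocol handler and enabling Defender’s cloud protection and sample submission, can be applied and verified from an elevated PowerShell prompt. This is an added example, not Microsoft’s own script; the registry key it removes is the `ms-msdt` handler under HKEY_CLASSES_ROOT, and the backup path is an assumption.

```powershell
# Added example (not Microsoft's script): apply the Follina workarounds described above.
# Run from an elevated PowerShell prompt. The backup file location is an assumption.
$BackupFile = 'C:\backup\ms-msdt.reg'

function Disable-MsdtUrlProtocol {
    param([string]$Backup = $BackupFile)
    New-Item -ItemType Directory -Path (Split-Path $Backup) -Force | Out-Null
    # Export the handler first so the change can be reversed once a patch is available
    reg.exe export 'HKEY_CLASSES_ROOT\ms-msdt' $Backup /y | Out-Null
    # Remove the handler so ms-msdt: links no longer launch the troubleshooter
    reg.exe delete 'HKEY_CLASSES_ROOT\ms-msdt' /f | Out-Null
}

function Restore-MsdtUrlProtocol {
    param([string]$Backup = $BackupFile)
    # Re-import the saved key to put the handler back
    reg.exe import $Backup
}

function Test-MsdtUrlProtocolDisabled {
    # $true when no ms-msdt handler key is registered
    return (-not (Test-Path 'Registry::HKEY_CLASSES_ROOT\ms-msdt'))
}

function Enable-DefenderCloudProtection {
    # Cloud-delivered protection (MAPS) plus automatic sample submission
    Set-MpPreference -MAPSReporting Advanced -SubmitSamplesConsent SendAllSamples
}

Disable-MsdtUrlProtocol
Enable-DefenderCloudProtection
Test-MsdtUrlProtocolDisabled
```

Keep the exported .reg file with your change records: removing the handler also disables legitimate ms-msdt: links used by Windows troubleshooters, so the key should be restored once the vendor fix is deployed.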
“These capabilities use artificial intelligence and machine learning to quickly identify and stop new and unknown threats,” says the software company.
Claire Tills says the Follina vulnerability is a warning about the dangers of opening attachments, and notes that people must be careful at all times.
“Because zero-click abuse is possible, individual users can’t do much about it, but a healthy dose of skepticism is a long way to go. Users should always be suspicious of attachments from untrusted sources.”