On May 30, 2022, security researcher John Hammond released a video demonstrating a vulnerability that can be triggered through the Windows Explorer preview feature for Word files, allowing malicious code attached to the document to run. Although no CVE has been assigned yet, the method has been publicly disclosed.
This is effectively a zero-day vulnerability in Microsoft Office: there is currently no patch, and attackers are actively exploiting it through Word documents carrying malicious code to execute code remotely on the victim’s PC.
The vulnerability, named “Follina”, abuses the way Office products interact with MSDT (the Microsoft Support Diagnostic Tool), and it can be exploited even with macros disabled in Microsoft Office.
According to some reports, the vulnerability was initially reported to Microsoft’s security team on April 12, 2022, after Word files impersonating the Russian news agency Sputnik were distributed to users.
Nine days later, Microsoft decided that the issue was not security related and therefore did not fix it. Unfortunately, that appears to have been the wrong call by Microsoft’s security team. Security researcher Kevin Beaumont reports that the vulnerability works on the latest, fully updated versions of Microsoft Office.
The “Follina” vulnerability came to light after an independent cybersecurity research group named what_sec detected a Word document (“05-2022-0438.doc”) uploaded to VirusTotal from an IP address in Belarus.
“This vulnerability uses Word’s external link to load HTML and then uses the ‘ms-msdt’ scheme to execute PowerShell code.” The malicious Word file uses Word’s remote template feature to fetch an HTML file from the attacker’s server; that HTML then uses the “ms-msdt://” URI scheme to download the malicious code and execute it on the victim’s computer.
The vulnerability got its name because the malicious sample references 0438, the area code for Follina, a municipality in Treviso, Italy.
You can watch the PoC video below:
MS-MSDT “Follina” Office click-to-hack. pic.twitter.com/v0DOkQhZjq
— John Hammond (@_JohnHammond) May 30, 2022
John Hammond has now published the PoC file on GitHub for those who want to study it. I do not recommend using this method to send Word files with malicious code attached to others, as doing so is against the law.
How to prevent the Follina vulnerability
Currently Office 2013, 2016, 2019, 2021 and Microsoft 365 on both Windows 10 and Windows 11 are affected by this vulnerability, and Microsoft has not yet patched it. A temporary workaround is to turn off the Preview Pane in Windows Explorer: open Windows Explorer -> View -> uncheck Preview Pane. Additional steps:
– Download the unregister-msdt.reg file, then open it to apply the setting in the Registry Editor. If the User Account Control prompt appears, select Yes.
– When you receive Word files from others or download them from the Internet, check them on VirusTotal to see whether malicious code is attached.
– If you receive a Word, Excel or PowerPoint file, upload it to Google Docs, Sheets or Slides and view it online instead of opening it in Microsoft Office.
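A further check, added here and not part of the original post: a small Python scanner for the two indicators described above, an external attached-template relationship pointing at an http(s) URL and any reference to the ms-msdt: scheme inside the document parts. The sample .docx it builds is constructed for the test and contains no exploit; the example.invalid URL is a placeholder.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Namespace and relationship type from the OOXML package spec (real values).
RELS_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
MSDT_RE = re.compile(rb"ms-msdt:", re.IGNORECASE)


def scan_docx(data: bytes) -> list:
    """Return findings for an OOXML file given as bytes: an external
    attachedTemplate relationship pointing at an http(s) URL, or any
    part that references the ms-msdt: URI scheme."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            content = zf.read(name)
            if MSDT_RE.search(content):
                findings.append(f"{name}: references ms-msdt: scheme")
            if not name.endswith(".rels"):
                continue
            for rel in ET.fromstring(content).iter(RELS_NS + "Relationship"):
                target = rel.get("Target", "")
                if (rel.get("TargetMode") == "External"
                        and rel.get("Type") == ATTACHED_TEMPLATE
                        and target.lower().startswith(("http://", "https://"))):
                    findings.append(f"{name}: remote template -> {target}")
    return findings


def build_sample(template_url=None) -> bytes:
    """Constructed minimal .docx for exercising the scanner (not a real
    malicious document). With template_url set, settings.xml.rels carries
    the external attachedTemplate relationship Follina samples rely on."""
    rel = ""
    if template_url:
        rel = (f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
               f'Target="{template_url}" TargetMode="External"/>')
    rels = f'<Relationships xmlns="{RELS_NS[1:-1]}">{rel}</Relationships>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/settings.xml", "<settings/>")
        zf.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    for line in scan_docx(build_sample("http://example.invalid/template.html")):
        print(line)
```

Run it against a real file with scan_docx(open(path, "rb").read()); an empty list means neither indicator was found, which does not by itself prove the file is safe.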