On Monday, Microsoft published guidance on a newly discovered zero-day security vulnerability in the Office productivity suite that can be exploited to execute code on affected systems.
The vulnerability, currently assigned the identifier CVE-2022-30190, is rated 7.8 out of 10 in severity on the CVSS vulnerability scoring system. Microsoft Office 2013, Office 2016, Office 2019, and Office 2021, as well as the Professional Plus editions, are affected.
“To help protect customers, we’ve published CVE-2022-30190 and additional guidance here,” a Microsoft spokesperson told The Hacker News in an emailed statement.
The Follina vulnerability, which came to light late last week, involves a real-world exploit that takes advantage of a flaw in a weaponized Word document to execute arbitrary PowerShell code via the “ms-msdt:” URI scheme. The sample was uploaded to VirusTotal from Belarus.
But the first signs of exploitation of this vulnerability date back to April 12, 2022, when a second sample was uploaded to the malware database. That artifact is said to have targeted a user in Russia with a malicious Word document (“приглашение на интервью.doc”) masquerading as an interview invitation with Radio Sputnik.
“A remote code execution vulnerability exists when MSDT is invoked using the URL protocol from a calling application such as Word,” Microsoft said in an advisory for CVE-2022-30190.
“An attacker who successfully exploited this vulnerability could run arbitrary code with calling application privileges. An attacker can then install programs, view, change or delete data, or create new accounts in the context of the user’s permissions.”
The tech giant credited crazyman, a member of the Shadow Chaser Group, with reporting the vulnerability on April 12, coinciding with the discovery of the in-the-wild exploit targeting Russian users, which indicates the company was already aware of the vulnerability.
Indeed, according to a screenshot shared by the researcher on Twitter, Microsoft closed the report on April 21, 2022, stating that “the issue has been fixed,” while dismissing the vulnerability as “not a security issue” because it requires a confirmation code provided by tech support when starting the diagnostic tool.
Besides releasing detection rules for Microsoft Defender for Endpoint, the Redmond-based company has included workarounds in its guidance to disable the MSDT URL protocol by modifying the Windows Registry.
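The registry workaround above is Microsoft's interim mitigation: remove the “ms-msdt:” URL protocol handler so that a document can no longer launch MSDT through that scheme. The following PowerShell is an added example, not code from the article or from Microsoft; it wraps that workaround with a backup so it can be reverted once the patch is installed. The key name HKEY_CLASSES_ROOT\ms-msdt is where Windows registers URL protocol handlers; the backup file location under ProgramData is an assumption. It must be run from an elevated session.

```powershell
# Added example (not from the article): apply and revert the ms-msdt: protocol
# handler workaround for CVE-2022-30190. Requires an elevated PowerShell session.

$MsdtKey    = 'Registry::HKEY_CLASSES_ROOT\ms-msdt'                 # URL protocol handler key
$BackupFile = Join-Path $env:ProgramData 'ms-msdt-backup.reg'       # assumed backup location

function Test-MsdtProtocolHandler {
    # $true while the ms-msdt: handler is still registered (workaround not applied).
    return (Test-Path -LiteralPath $MsdtKey)
}

function Disable-MsdtProtocolHandler {
    if (-not (Test-MsdtProtocolHandler)) {
        Write-Host 'ms-msdt: handler already absent; nothing to do.'
        return
    }
    # Export a backup first so the change can be rolled back after patching.
    & reg.exe export 'HKEY_CLASSES_ROOT\ms-msdt' $BackupFile /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Backup export failed (exit code $LASTEXITCODE); aborting." }

    Remove-Item -LiteralPath $MsdtKey -Recurse -Force
    if (Test-MsdtProtocolHandler) { throw 'Handler key still present after removal.' }
    Write-Host "ms-msdt: handler removed; backup saved to $BackupFile"
}

function Restore-MsdtProtocolHandler {
    # Re-import the exported key once the vendor fix is installed.
    if (-not (Test-Path -LiteralPath $BackupFile)) { throw "No backup found at $BackupFile" }
    & reg.exe import $BackupFile | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Import failed (exit code $LASTEXITCODE)." }
    Write-Host 'ms-msdt: handler restored.'
}

# Usage (elevated):
#   Disable-MsdtProtocolHandler
#   Test-MsdtProtocolHandler      # False once the workaround is in place
#   Restore-MsdtProtocolHandler   # after the patch is deployed
```

Test-MsdtProtocolHandler doubles as a compliance check: run it across a fleet to confirm the workaround is actually in place on every host, and keep the exported .reg file with the change record so the rollback is straightforward.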
“If the calling application is a Microsoft Office application, by default Microsoft Office opens documents from the internet in Protected View or Application Guard for Office, both of which prevent the current attack,” Microsoft said.
This is not the first time that Microsoft Office protocol schemes like “ms-msdt:” have come under scrutiny because of their potential for abuse. Earlier this January, German security company SySS disclosed how it was possible to open files directly through specially crafted URLs such as “ms-excel:ofv|u|https://192.168.1.10/poc[.]xls”.
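Both the Follina document and the SySS finding hinge on an Office file or link carrying an Office URL protocol scheme where a benign document has no reason to. Office Open XML files (.docx, .xlsx, .pptx) are ZIP containers whose relationship parts (*/_rels/*.rels) list every URI a document references, so a triage scanner can simply read those targets. The PowerShell below is an added example, not code from the article or from SySS or Microsoft; the list of schemes to flag and the quarantine folder in the usage line are assumptions, and it also flags relationships marked External that point at an http(s) location, which is a generalisation beyond the two schemes the article names.

```powershell
# Added example (not from the article): list relationship targets in Office Open
# XML files that use an Office URL protocol scheme or point to an external
# http(s) location. Intended for triage of quarantined attachments.
Add-Type -AssemblyName System.IO.Compression.FileSystem

# Schemes worth flagging; the article mentions ms-msdt: and ms-excel: (assumed list).
$SuspiciousSchemes = @('ms-msdt:', 'ms-excel:', 'ms-word:', 'ms-powerpoint:')

function Get-OfficeRelationshipFindings {
    param([Parameter(Mandatory)][string]$Path)

    $findings = @()
    $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
    try {
        # Relationship parts carry the Target URIs for every linked resource.
        foreach ($entry in ($zip.Entries | Where-Object { $_.FullName -like '*_rels/*.rels' })) {
            $reader = New-Object System.IO.StreamReader($entry.Open())
            try { [xml]$rels = $reader.ReadToEnd() } finally { $reader.Dispose() }

            foreach ($rel in $rels.Relationships.Relationship) {
                $target     = [string]$rel.Target
                $isExternal = ($rel.TargetMode -eq 'External')
                $scheme     = $SuspiciousSchemes |
                    Where-Object { $target.StartsWith($_, 'OrdinalIgnoreCase') } |
                    Select-Object -First 1

                if ($scheme -or ($isExternal -and $target -match '^https?://')) {
                    $findings += [pscustomobject]@{
                        File   = $Path
                        Part   = $entry.FullName
                        Target = $target
                        Reason = if ($scheme) { "Office URL protocol scheme '$scheme'" }
                                 else         { 'External http(s) relationship' }
                    }
                }
            }
        }
    } finally {
        $zip.Dispose()
    }
    return $findings
}

# Usage (assumed quarantine folder):
#   Get-ChildItem C:\Quarantine -Include *.docx,*.xlsx,*.pptx -Recurse |
#       ForEach-Object { Get-OfficeRelationshipFindings -Path $_.FullName } |
#       Format-Table -AutoSize
```

A hit is a reason to look closer, not a verdict: legitimate documents do reference external hyperlinks, so the Reason column separates a protocol-scheme target, which is almost never benign in a mail attachment, from an ordinary external link. Pair the scan with the Protected View and Application Guard defaults the advisory describes, which stop the document from acting on such a target in the first place.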