Zero-Day ‘Follina’ Bug Means Older Microsoft Office Versions Now Open to Attack!

The malicious code loads itself from remote servers and bypasses Microsoft's Defender AV scanner, according to reports.

A zero-day vulnerability in Microsoft Office allows adversaries to run malicious code on targeted systems through a flaw in Word's remote template feature.

Nao Sec

The warning comes from Japanese security research group Nao Sec, which tweeted about the zero-day over the weekend.

Noted security researcher Kevin Beaumont dubbed the vulnerability "Follina," explaining that the zero-day sample references 0438, the telephone area code of Follina, Italy.

Beaumont stated that the defect abuses the remote template feature in Microsoft Word and does not depend on the macro-based exploit path that is typical of Office-based attacks.

Republic of Belarus

According to Nao Sec, a live sample of the bug was found in a Word document template that links to an internet protocol (IP) address in the Republic of Belarus.

It is unclear whether adversaries have used the zero-day in active attacks. There are unconfirmed reports that proof-of-concept code exists and that more recent versions of Office are also vulnerable. Security researchers say that, with no patch available, users can apply Microsoft's Attack Surface Reduction rules to mitigate the risk.

How Follina Works

Nao Sec researchers explain that the infection path begins with the malicious template loading an exploit as a hypertext markup language (HTML) file from a remote server.

The loaded HTML then uses the "ms-msdt" MSProtocol URI scheme to load and execute PowerShell code.

"It uses Word's external link to load the HTML, then uses the 'ms-msdt' scheme to execute PowerShell code," Nao Sec reported.
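As an added illustration of the two-stage chain described above (this is not code from Nao Sec, Beaumont or the original article), the following Python triage script checks a .docx for an external attached template and scans the HTML retrieved from that template for the ms-msdt: scheme. The sample document, the sample HTML, the placeholder address 203.0.113.10 and the file name template.html are all constructed here and are not taken from the reported sample; the HTML only shows the hand-off to the scheme and carries no troubleshooter parameters or PowerShell payload.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# OOXML relationship type Word uses for an attached (remote) template, and the
# namespace of a .rels part; both are defined by the Open XML standard.
ATTACHED_TEMPLATE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/"
    "relationships/attachedTemplate"
)
RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
SETTINGS_RELS = "word/_rels/settings.xml.rels"

# An ms-msdt: URI (plain or URL-encoded colon) up to the next quote, tag or
# line end; case-insensitive because URI scheme names are.
MSDT_RE = re.compile(r"""ms-msdt(?::|%3a)[^"'<\n]*""", re.IGNORECASE)


def find_external_templates(docx_bytes: bytes) -> list[str]:
    """Return every remote (TargetMode="External") attached-template target."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if SETTINGS_RELS not in z.namelist():
            return []
        root = ET.fromstring(z.read(SETTINGS_RELS))
    return [
        rel.get("Target", "")
        for rel in root.iter(f"{{{RELS_NS}}}Relationship")
        if rel.get("Type") == ATTACHED_TEMPLATE
        and rel.get("TargetMode") == "External"
    ]


def find_msdt_uris(html: str) -> list[str]:
    """Return every ms-msdt: URI present in the retrieved HTML."""
    return [m.group(0).strip() for m in MSDT_RE.finditer(html)]


def assess(docx_bytes: bytes, fetched_html: str) -> dict:
    """Combine both stages: a remote template that hands off to msdt is the
    full chain; a remote template alone is unusual but can be legitimate."""
    templates = find_external_templates(docx_bytes)
    uris = find_msdt_uris(fetched_html)
    if templates and uris:
        verdict = "malicious"
    elif templates:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"remote_templates": templates, "msdt_uris": uris, "verdict": verdict}


def build_sample_docx(template_target: str, external: bool = True) -> bytes:
    """Constructed test document: only the settings relationship part is
    written, which is all the scanner reads (not a complete, openable .docx)."""
    mode = ' TargetMode="External"' if external else ""
    rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Relationships xmlns="{RELS_NS}">'
        f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
        f'Target="{template_target}"{mode}/>'
        "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr(SETTINGS_RELS, rels)
    return buf.getvalue()


# Constructed stand-in for the page the remote template points at: it only
# redirects to the ms-msdt: scheme, with no parameters and no payload.
SAMPLE_HTML = """<html><body><script>
window.location.href = "ms-msdt:/id PCWDiagnostic";
</script></body></html>"""

# 203.0.113.10 is a documentation address used here purely as a placeholder.
SAMPLE_DOCX = build_sample_docx("http://203.0.113.10/template.html")

if __name__ == "__main__":
    print(assess(SAMPLE_DOCX, SAMPLE_HTML))
```

The scanner reads only the document's relationship metadata, so it never renders the file and is safe to run on untrusted samples; fetching the template URL is left to a sandboxed fetcher, since retrieving it from an analyst workstation would tip off the operator of the server.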

Diagnostic Tool

MSDT stands for the Microsoft Support Diagnostic Tool; it collects diagnostic information and reports it to Microsoft Support. This troubleshooting wizard analyses the gathered information and attempts to find a resolution to the issues the user is experiencing.

Beaumont found that the flaw allows code to run via MSDT "even if macros are disabled."

"Protected View does kick in, although if you change the document to RTF form, it runs without even opening the document (via the preview tab in Explorer), let alone Protected View," Beaumont further explained.

Microsoft Office 2013 & 2016

Beaumont confirmed that the exploit currently affects older versions of Microsoft Office, 2013 and 2016, and that endpoint detection "missed execution" of the malware.

Another security researcher, Didier Stevens, explained that he exploited the Follina bug on a fully patched version of Office 2021, and cyber-security researcher John Hammond tweeted a working proof of concept for Follina.

Microsoft users with E5 licenses can detect the exploit by adding the published endpoint hunting query to Microsoft Defender. Warren additionally suggests using Attack Surface Reduction (ASR) rules to block Office applications from creating child processes.
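The hunting query itself is not reproduced on this page. As an added stand-alone illustration (not Beaumont's query and not Microsoft's), the following Python applies the same logic to constructed Sysmon-style process-creation events: it flags msdt.exe started by an Office application, flags any other Office child process (the behaviour the ASR rule blocks), and walks the parent chain so that PowerShell with msdt.exe as an ancestor is caught even when an intermediate host process sits between them. The sample process tree, including the sdiagnhost.exe intermediary, the PIDs and the command lines, is an assumption made for the example and is not taken from the article.

```python
import json

# Office executables whose child processes the ASR rule "Block all Office
# applications from creating child processes" would stop.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
MAX_DEPTH = 16  # bounds the ancestor walk; PID reuse in long logs can form cycles


def image_name(path: str) -> str:
    """Lower-cased basename of a Windows (or POSIX) image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_events(log_text: str) -> list[dict]:
    """One JSON object per line, Sysmon event 1 style fields."""
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]


def detect(events: list[dict]) -> list[dict]:
    by_pid = {e["ProcessId"]: e for e in events}
    alerts = []
    for e in events:
        child, parent = image_name(e["Image"]), image_name(e["ParentImage"])

        # Rule 1/2: any Office app spawning a child is notable; msdt.exe is the
        # Follina signature and gets the higher severity.
        if parent in OFFICE_APPS:
            is_msdt = child == "msdt.exe"
            alerts.append({
                "rule": "office_spawned_msdt" if is_msdt else "office_child_process",
                "severity": "high" if is_msdt else "medium",
                "pid": e["ProcessId"], "image": child, "cmd": e["CommandLine"],
            })

        # Rule 3: PowerShell anywhere beneath msdt.exe, regardless of how many
        # host processes sit in between.
        if child == "powershell.exe":
            anc = by_pid.get(e["ParentProcessId"])
            for _ in range(MAX_DEPTH):
                if anc is None:
                    break
                if image_name(anc["Image"]) == "msdt.exe":
                    alerts.append({
                        "rule": "powershell_under_msdt", "severity": "high",
                        "pid": e["ProcessId"], "image": child, "cmd": e["CommandLine"],
                    })
                    break
                anc = by_pid.get(anc["ParentProcessId"])
    return alerts


# Constructed sample log (raw string so the JSON keeps its backslashes).
SAMPLE_LOG = r"""
{"ProcessId": 100, "ParentProcessId": 1,   "Image": "C:\\Windows\\explorer.exe",                "ParentImage": "C:\\Windows\\System32\\userinit.exe", "CommandLine": "explorer.exe"}
{"ProcessId": 200, "ParentProcessId": 100, "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "WINWORD.EXE /n invoice.docx"}
{"ProcessId": 300, "ParentProcessId": 200, "Image": "C:\\Windows\\System32\\msdt.exe",         "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "CommandLine": "msdt.exe /id PCWDiagnostic"}
{"ProcessId": 400, "ParentProcessId": 300, "Image": "C:\\Windows\\System32\\sdiagnhost.exe",   "ParentImage": "C:\\Windows\\System32\\msdt.exe", "CommandLine": "sdiagnhost.exe -Embedding"}
{"ProcessId": 500, "ParentProcessId": 400, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\System32\\sdiagnhost.exe", "CommandLine": "powershell.exe -ep bypass -w hidden"}
{"ProcessId": 600, "ParentProcessId": 100, "Image": "C:\\Windows\\System32\\notepad.exe",      "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "notepad.exe notes.txt"}
{"ProcessId": 700, "ParentProcessId": 200, "Image": "C:\\Windows\\System32\\cmd.exe",          "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "CommandLine": "cmd.exe /c whoami"}
"""

SAMPLE_EVENTS = parse_events(SAMPLE_LOG)

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Because rule 3 walks the tree rather than matching a direct parent, it still fires if a vendor's telemetry shows PowerShell under a surrogate host instead of under msdt.exe itself; the depth bound is there because process IDs are recycled and a naive walk over a day of logs can loop.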
