Microsoft Office Zero-Day Allows Remote Code Execution, Privileged Access; Security Community Implements Workarounds

Jun 3, 2022

A serious new zero-day vulnerability in Microsoft Office (called “Follina”) can be triggered by simply highlighting a file in Windows Explorer, and gives attackers remote code execution with the same level of access as the compromised user.

Microsoft has yet to patch the issue, but has recommended that users disable the Microsoft Support Diagnostic Tool (MSDT) as a workaround to block the remote code execution aspect. An unofficial patch from a third-party source is also available, though it has its own tradeoffs: it fixes the problem by reducing functionality.

Chinese hacking groups make use of Office remote code execution vulnerability, also spotted in Russia and Belarus

Microsoft appears to have at least been aware of the possibility of this zero-day since 2021, but it took a string of attacks appearing in the wild in April of this year to prompt action on it. Remote code execution using this MSDT exploit has been spotted in Russia and Belarus, and a Chinese advanced persistent threat (APT) group associated with China’s government is believed to have attempted to use it against Tibetan dissidents.

Security researchers have confirmed that the zero-day can be exploited in a variety of different versions of Office: 2013, 2016, 2019, 2021, Office 365 and ProPlus (with testing of other versions pending). Since the vulnerability involves a core component of Windows itself, it is best to assume that all versions of Office can be exploited in this way for the moment.

Exploiting macros in Office products has long been a popular avenue of attack among hackers, usually only requiring the victim to open a PDF or similar document file to facilitate the compromise of their system. This present zero-day appears to be able to achieve remote code execution if a target with Office installed merely highlights a tainted RTF (Rich Text Format) file in Explorer without actually opening it.

The bad news is that Microsoft does not have a patch available for the issue, but has disclosed the issue to the public with a workaround: disabling the MSDT URL Protocol by editing its registry key. An unofficial patch has been made available from the 0patch micropatching service, but it requires limiting functionality of the various Windows “wizards” that pop up to assist with various tasks. It is also not available for all versions of Windows, though most of the modern versions (from 7 to 11) are supported at this point.
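The registry workaround described above, as an added example that is not code from this article or from Microsoft: a PowerShell script that reports whether the MSDT URL protocol handler is registered and, with `-Apply`, backs it up and removes it. The key path `HKEY_CLASSES_ROOT\ms-msdt` comes from Microsoft's published guidance rather than this page; the `-Apply` switch and the backup directory are hypothetical names chosen for the example.

```powershell
# Added example: audit and apply the MSDT URL protocol workaround.
# Assumption: the handler is registered at HKEY_CLASSES_ROOT\ms-msdt
# (per Microsoft's published guidance, not stated in this article).
# Run from an elevated session; without -Apply the script only reports.
param(
    [switch]$Apply,
    [string]$BackupDir = "$env:ProgramData\msdt-backup"   # hypothetical location
)

$key = 'HKEY_CLASSES_ROOT\ms-msdt'

function Test-MsdtHandler {
    # reg.exe exits 0 when the key exists and 1 when it does not
    & reg.exe query $key *> $null
    return ($LASTEXITCODE -eq 0)
}

if (-not (Test-MsdtHandler)) {
    Write-Output "ms-msdt URL protocol handler is not registered; nothing to do."
    return
}

Write-Output "ms-msdt URL protocol handler is registered on $env:COMPUTERNAME."
if (-not $Apply) {
    Write-Output "Report-only mode. Re-run with -Apply to back up and remove it."
    return
}

# Export first so the change can be reverted with 'reg import' once a patch ships
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$backup = Join-Path $BackupDir ("ms-msdt-{0:yyyyMMdd-HHmmss}.reg" -f (Get-Date))
& reg.exe export $key $backup /y | Out-Null
if ($LASTEXITCODE -ne 0 -or -not (Test-Path $backup)) {
    throw "Backup failed; leaving the registry unchanged."
}

& reg.exe delete $key /f | Out-Null
if ($LASTEXITCODE -ne 0) {
    throw "Delete failed (is this an elevated session?)."
}

# Verify the handler is really gone before reporting success
if (Test-MsdtHandler) {
    throw "Key still present after delete."
}
Write-Output "Handler removed. Backup saved to $backup"
```

Keep the exported `.reg` file: importing it restores the handler once an official fix is installed.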

Office zero-day first demonstrated in 2020

The possibility of abusing MSDT and Windows wizards for remote code execution appears to have been first outlined in a publicly available university thesis from August 2020, and Microsoft appears to have actually addressed this possibility in Teams in 2021 (though not in Windows itself or any other products such as Office).

Remote attacks using the zero-day were first spotted this April, with Microsoft dismissing the initial reports. It took until late May before the company acknowledged the Office issue as a serious vulnerability.

Victims will be sent a malicious document that needs to be opened in Office to initiate the attack, unless it is a specially crafted RTF file that can launch from the Windows Explorer preview when it is selected. This allows the attacker to initiate a PowerShell session that gives them the privileges that the current user has, including installing programs and editing files.

Security experts describe the technical skill needed to exploit the zero-day as “trivial” and caution that employee security training on malicious macros will not help in counteracting this attack.
