Researchers discover zero-day Microsoft vulnerability in Office

Malicious actors are using a previously undisclosed zero-day, zero-click vulnerability in Microsoft Office to execute PowerShell commands without user interaction, according to security researchers.

The vulnerability – discovered by security researcher nao_sec on 27 May and later dubbed CVE-2022-30190 by Microsoft – leverages the Microsoft Diagnostic Tool (MSDT), which is used to execute the PowerShell code after calling a HTML file from a remote URL.

“It uses Word’s external link to load the HTML and then uses the ‘ms-msdt’ scheme to execute PowerShell code,” said nao_sec.

In a blog published May 30, Microsoft added: “An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change or delete data, or create new accounts in the context allowed by the user’s rights.”

Also known within the infosec community as “Follina”, the exploit enables attackers to execute the code via MSDT even if macros are disabled, and has been successfully reproduced by other security researchers, including Kevin Beaumont and experts at Huntress.

“This is an enticing attack for adversaries as it is tucked inside of a Microsoft Word document without macros to trigger familiar warning signs to users, but with the ability to run remotely hosted code,” said John Hammond, a senior security researcher at Huntress, in a blog.

“To better understand this threat, Huntress security researchers modified the internals of the Word document to call out to a local address within an analysis sandbox, and served a benign payload that would display a message rather than detonating malware.”

Hammond added that, after testing, it became clear the payload would not execute without “a significant number of padding characters”, which were present in the HTML file.

While it was initially unclear to researchers why this was necessary, Huntress was able to confirm that any files with fewer than 4096 bytes would not invoke the payload after being sent a blog indicating there was a hardcoded buffer size for an HTML processing function.

Beaumont also discovered that if the Word document is changed to a Rich Text File (RTF) format, then the exploit can be triggered without any interaction from the user, extending the severity of the exploit from single- to zero-click.

“This attack technique runs code under the user account that opened or navigated towards the malicious document. This means that an adversary may begin as a low privilege user (without admin permissions), but can then use this access to trigger further attacks to escalate privilege and gain more access into the target environment,” said Hammond, adding that educating users to identify and delete malicious emails remains the best line of defence, at least until a patch is available to deploy at endpoints.

“Throughout the next coming days, we expect exploitation attempts in the wild through email-based delivery.”

Beaumont added that detection of the exploit will remain difficult, as Word loads the malicious code from a remote template, meaning nothing in the document itself is actually malicious.

“Microsoft probably want to tighten up webpages embedded as remote templates in Office from loading so many URIs, and Outlook probably needs another hardening pass. All just my opinions, as always,” he said.

According to Shadow Chasing Group, an advanced persistent threat (APT) hunting group, the vulnerability was first reported to Microsoft on 12 April 2022, but Microsoft closed the ticket 10 days later saying it was not a security issue, as while “msdt is indeed executed… it requires a Passcode when it starts and the one provided in this sample does not work.”

Computer Weekly contacted Microsoft about why the vulnerability was not considered a security risk, as well as if and how it plans to fix the issue, but received no response by time of publication.