Attackers are actively exploiting an unpatched remote code execution (RCE) vulnerability in a Windows component called the Microsoft Support Diagnostic Tool (MSDT) through weaponised Word documents.
Microsoft has responded with mitigation advice that can be used to block the attacks until a permanent patch is released.
An exploit for the vulnerability, now tracked as CVE-2022-30190, was found in the wild by an independent security research team dubbed nao_sec, which spotted a malicious Word document uploaded to VirusTotal from an IP in Belarus. However, more malicious samples dating from April have also been found, suggesting the vulnerability has been exploited for over a month.
A Word exploit, but not a Word flaw
Because the original exploit came in the form of a Word document, there were initial rumours that the vulnerability was located in Word or the larger Office suite.
However, security researcher Kevin Beaumont, who dubbed the flaw Follina before it had a CVE identifier, analysed the exploit and concluded that it leveraged the Word remote template feature to retrieve an HTML file from a remote server and then used the ms-msdt URL scheme to load malicious code and a PowerShell script.
"There’s a lot going on here, but the first problem is Microsoft Word is executing the code via msdt (a support tool) even if macros are disabled," Beaumont said in a blog post. "Protected View does kick in, although if you change the document to RTF form, it runs without even opening the document (via the preview tab in Explorer) let alone Protected View."
In Beaumont's initial testing the exploit seemed to fail on the Insider and Current versions of Office but worked on others. However, other researchers later tested the exploit and confirmed it works on fully up-to-date versions of Office 2013, 2016, 2019, 2021, Office ProPlus and Office 365.
The issue is actually bigger, because the vulnerability is located in MSDT itself, which can be invoked from applications other than Office and not only via the ms-msdt URL protocol scheme. In fact, according to Beaumont, it also works directly in Windows via LNK files, as well as in Outlook.
Microsoft responds with Follina mitigation advice
In a blog post, Microsoft's Security Response Center pointed out that if the exploit is delivered via a Microsoft Office application, by default the Protected View mode or Application Guard for Office would trigger for documents opened from the internet and should block the attack.
Beaumont said that this is "stretching the truth", since the exploit also triggers via the preview tab in Windows Explorer, where Protected View doesn't apply. Will Dormann, a vulnerability analyst at CERT/CC, shared the same view, calling the language in Microsoft's FAQ "a bit misleading."
As a more general workaround, Microsoft proposes disabling the entire MSDT URL protocol on the system by following these steps:
- Run Command Prompt as Administrator.
- Back up the registry key by executing the command “reg export HKEY_CLASSES_ROOT\ms-msdt filename”.
- Execute the command “reg delete HKEY_CLASSES_ROOT\ms-msdt /f”.
This prevents other applications from automatically calling the MSDT troubleshooter. However, it can still be used through the Get Help application and in the system settings panel.
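The same workaround, written as an added PowerShell example rather than Microsoft's own script: it checks for an elevated session, takes a timestamped backup of the ms-msdt handler key before removing it, verifies the result, and keeps a rollback function for when the permanent patch arrives. The backup directory under ProgramData and the function names are this example's own choices, not anything from the advisory.

```powershell
# Added example (not from the article or from Microsoft's advisory): apply the
# ms-msdt URL protocol workaround with a backup, a verification step and a
# rollback. Run from an elevated PowerShell session.

# Registry:: provider path works without mapping an HKCR: drive first.
$MsdtKey   = 'Registry::HKEY_CLASSES_ROOT\ms-msdt'
$RegKeyArg = 'HKEY_CLASSES_ROOT\ms-msdt'          # form reg.exe expects
$BackupDir = Join-Path $env:ProgramData 'msdt-workaround'   # assumed location

function Test-IsAdministrator {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal $identity
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

# Reports whether the workaround is currently in effect on this host.
function Test-MsdtProtocolDisabled {
    return -not (Test-Path -Path $MsdtKey)
}

function Disable-MsdtProtocol {
    if (-not (Test-IsAdministrator)) { throw 'Run this from an elevated session.' }
    if (Test-MsdtProtocolDisabled) {
        Write-Host 'ms-msdt handler is already absent; nothing to do.'
        return
    }

    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    $backup = Join-Path $BackupDir ('ms-msdt-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))

    # Same export step the advisory describes; /y overwrites an existing file.
    & reg.exe export $RegKeyArg $backup /y | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path -Path $backup)) {
        throw 'Backup failed; leaving the handler in place.'
    }

    # Equivalent of "reg delete HKEY_CLASSES_ROOT\ms-msdt /f".
    Remove-Item -Path $MsdtKey -Recurse -Force
    if (-not (Test-MsdtProtocolDisabled)) {
        throw 'Key still present after removal; check permissions.'
    }
    Write-Host "ms-msdt handler removed. Backup saved to $backup"
}

# Re-imports a backup produced by Disable-MsdtProtocol once a patch is installed.
function Restore-MsdtProtocol {
    param([Parameter(Mandatory)][string]$BackupFile)
    if (-not (Test-IsAdministrator)) { throw 'Run this from an elevated session.' }
    if (-not (Test-Path -Path $BackupFile)) { throw "Backup file not found: $BackupFile" }
    & reg.exe import $BackupFile | Out-Null
    if ($LASTEXITCODE -ne 0 -or (Test-MsdtProtocolDisabled)) {
        throw 'Import did not restore the ms-msdt key.'
    }
    Write-Host 'ms-msdt handler restored.'
}

Disable-MsdtProtocol
```

Test-MsdtProtocolDisabled is also handy on its own for auditing a fleet: run it through your remote management tooling and any host returning False still has the handler registered. Note that, as the article says, removing the key only stops applications from launching MSDT through the URL scheme; the troubleshooters remain reachable from Get Help and Settings.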
Detections for the exploit have been added to Microsoft Defender Antivirus and Microsoft Defender for Endpoint, where the “BlockOfficeCreateProcessRule” rule blocks Office apps from creating child processes in general, as this is a common malware behaviour.
Other security companies and researchers have released detection rules for threat hunting and intrusion detection tools and more endpoint protection vendors are likely to add their own detection signatures.
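As an added illustration of the kind of hunting rule this paragraph refers to (this is not any vendor's published signature), the PowerShell below flags process-creation records in which msdt.exe is launched by an Office application or is handed an ms-msdt: URL on its command line, which is the behaviour the article describes. The field names follow the Sysmon Event ID 1 layout (ParentImage, Image, CommandLine, UtcTime); the sample records are constructed for the example, and the argument strings in them are placeholders rather than real exploit parameters.

```powershell
# Added example (not from the article or any vendor's rule set): a small
# threat-hunting check over process-creation records. Sample events below are
# constructed; their command-line arguments are placeholders.

$OfficeParents = @('winword.exe', 'excel.exe', 'powerpnt.exe', 'outlook.exe')

# Returns a finding object for a suspicious msdt.exe launch, or $null otherwise.
function Test-SuspiciousMsdtLaunch {
    param([Parameter(Mandatory)][pscustomobject]$Event)

    # Split-Path -Leaf handles backslash paths on any PowerShell platform.
    $image  = (Split-Path -Leaf $Event.Image).ToLowerInvariant()
    $parent = (Split-Path -Leaf $Event.ParentImage).ToLowerInvariant()
    if ($image -ne 'msdt.exe') { return $null }

    $reasons = @()
    if ($OfficeParents -contains $parent) {
        $reasons += "msdt.exe spawned by Office process $parent"
    }
    # The ms-msdt handler passes the whole URL to msdt.exe as an argument,
    # so the scheme name shows up on the child's command line.
    if ($Event.CommandLine -match 'ms-msdt:') {
        $reasons += 'ms-msdt: URL passed on the command line'
    }
    if ($Event.CommandLine -match 'powershell') {
        $reasons += 'PowerShell referenced in msdt.exe arguments'
    }
    if ($reasons.Count -eq 0) { return $null }

    return [pscustomobject]@{
        UtcTime = $Event.UtcTime
        Parent  = $parent
        Reasons = ($reasons -join '; ')
    }
}

# Constructed sample records (not captured from a real incident).
$SampleEvents = @(
    [pscustomobject]@{
        UtcTime     = '2022-05-30 10:01:02'
        ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
        Image       = 'C:\Windows\System32\msdt.exe'
        CommandLine = '"C:\Windows\System32\msdt.exe" "ms-msdt:PLACEHOLDER-ARGUMENTS"'
    },
    [pscustomobject]@{
        # Benign: launched from the Settings troubleshooter, no URL involved.
        UtcTime     = '2022-05-30 10:05:40'
        ParentImage = 'C:\Windows\System32\control.exe'
        Image       = 'C:\Windows\System32\msdt.exe'
        CommandLine = '"C:\Windows\System32\msdt.exe" PLACEHOLDER-TROUBLESHOOTER-ARGS'
    },
    [pscustomobject]@{
        # Unrelated child process; ignored by the check.
        UtcTime     = '2022-05-30 10:06:11'
        ParentImage = 'C:\Windows\explorer.exe'
        Image       = 'C:\Windows\System32\notepad.exe'
        CommandLine = '"C:\Windows\System32\notepad.exe"'
    }
)

$SampleEvents |
    ForEach-Object { Test-SuspiciousMsdtLaunch -Event $_ } |
    Where-Object { $_ } |
    Format-Table -AutoSize
```

Only the first record is reported, with both reasons attached. To run the same check against real telemetry, build the objects from Sysmon Event ID 1 entries read with Get-WinEvent from the Microsoft-Windows-Sysmon/Operational log (or the equivalent fields from Security event 4688 with command-line auditing enabled); the Office-parent condition is the process-level view of what the “BlockOfficeCreateProcessRule” rule enforces, so hosts where that rule is active should produce few or no hits.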
Earlier Follina attacks
Beaumont was able to find additional files that exploited the vulnerability and were circulated in April, some with Russian themes. Researchers from Proofpoint reported that a Chinese APT tracked as TA413 has also attempted to exploit the vulnerability using ZIPs with malicious documents that impersonate the Women's Empowerment Desk, an agency of the Central Tibetan Administration.
The method of using an MSDT protocol URL to execute code was apparently documented in a bachelor's thesis by Benjamin Altpeter, a computer science student at TU Braunschweig in Germany, as early as August 2020. A member of an APT hunting group called Shadow Chaser Group claims they reported the vulnerability to Microsoft in April, but that it was not classified as a security issue and the ticket was closed.