A Zero-day Threat is Affecting All Microsoft Office Systems

A recent analysis by Cybersecurity researchers has brought to light a zero-day exploit in Microsoft Office that can be used for code execution in Windows environments. Nao_sec, an independent cybersecurity research team has uncovered this vulnerability by uploading a Word document (”05-2022-0438.doc”) to VirusTotal from an IP address in Belarus.

Named after the Italian commune, Follina, this vulnerability is considered a high-risk threat since it does not require Macros to be enabled. “All that’s required for the exploit to take effect is for a user to open and view the Word document, or to view a preview of the document using the Windows Explorer Preview Pane. Since the latter does not require Word to launch fully, this effectively becomes a zero-click attack”, Nikolas Cemerikic of Immersive Labs said.

Security researcher Kevin Beaumont tweeted that the vulnerability uses “Word’s external link to load the HTML and then uses the ‘ms-msdt’ scheme to execute PowerShell code”. “The maldoc leverages Word’s remote template feature to fetch an HTML file from a server, which then makes use of the “ms-msdt://” URI scheme to run the malicious payload”, he added.

With this vulnerability, malicious users can have Microsoft Word execute code via Microsoft Support Diagnostics Tool (MSDT), a utility typically used to troubleshoot and collect diagnostic data for analysis by support professionals to resolve a problem. Furthermore, Protected View does not seem to provide any real protection. When the document type is changed to RTF, the code runs, even without opening the document.

Bad actors are already on the move. An advanced persistent threat (APT) conductor originating from China has executed code on affected systems using URLs to carry ZIP archives that include Word Documents,” enterprise security firm Proofpoint stated in a tweet.

Affected systems include Office, Office 2016, and Office 2021. Other versions are likely to be at risk as well. Office Professional Pro with April 2022 patches running on an up-to-date Windows 11 machine with has been shown to execute this code when the preview pane is enabled.

It is worth noting that the MSDT utility cannot execute payloads without a passkey, which is typically possessed by support technicians only. This may explain why Microsoft does not consider this vulnurability a security threat. Nevertheless, admins are advised to turn off the Preview Pane in File Explorer and disable the MSDT URL protocol to prevent the attack vector, at least for the time being.