A zero-day remote code execution vulnerability has been identified in the Microsoft Windows Support Diagnostic Tool (MSDT) which is being actively exploited in the wild.
The vulnerability affects all versions of Microsoft Office from Office 2003 onward and has been dubbed Follina. The vulnerability can be exploited by sending a specially crafted Word document, which will exploit the flaw if the document is opened. The vulnerability works without elevated privileges, and in contrast to most email attacks involving attached documents, does not require macros to be enabled. It is also possible for the vulnerability to be exploited without opening the document, via the preview tab in Explorer, if an RTF file is used, according to security researcher Kevin Beaumont.
The vulnerability is being exploited to get the MSDT URL Protocol to download an HTML file from a remote server, which loads code that enables PowerShell commands to be run on vulnerable systems. Security researcher Kevin Beaumont found a malicious document that exploited the flaw, and several security researchers have developed proof-of-concept exploits for the vulnerability. The malicious documents are not being detected by Microsoft Defender, and email security solutions may not identify the documents that exploit the flaw as malicious, since the documents themselves do not contain any malicious code.
Microsoft has acknowledged the vulnerability and has assigned it the CVE code CVE-2022-30190. “A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word,” explained Microsoft in a security advisory. “An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights.” Microsoft has assigned a CVSS score of 7.8 for the vulnerability.
Microsoft has suggested a workaround that involves disabling the MSDT URL Protocol. “Disabling MSDT URL protocol prevents troubleshooters being launched as links including links throughout the operating system.” Microsoft has credited crazyman of the Shadow Chaser Group for identifying the flaw and reporting it in April.
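The workaround described above, as an added administration script that is not part of the original article: it backs up and then deletes the handler key for the ms-msdt: URL scheme, and includes a check and a restore step for use once the patch is installed. The key path HKEY_CLASSES_ROOT\ms-msdt comes from Microsoft's published workaround rather than from this page, and the backup file location is an assumed example value.

```powershell
# Added example (not from the original article): back up and remove the
# ms-msdt: URL protocol handler, following Microsoft's workaround for
# CVE-2022-30190. HKEY_CLASSES_ROOT\ms-msdt is Microsoft's documented handler
# key; the backup path is an assumed value. Run from an elevated session.

$HandlerKey = 'HKEY_CLASSES_ROOT\ms-msdt'
$BackupFile = Join-Path $env:SystemDrive 'ms-msdt-backup.reg'   # assumed location

function Test-MsdtProtocolHandler {
    # Returns $true when the ms-msdt: handler is still registered,
    # i.e. the workaround has not been applied on this host.
    return Test-Path "Registry::$HandlerKey"
}

function Disable-MsdtProtocolHandler {
    if (-not (Test-MsdtProtocolHandler)) {
        Write-Host "ms-msdt handler already absent; nothing to do."
        return
    }
    # Export first so the handler can be restored after patching.
    & reg.exe export $HandlerKey $BackupFile /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Backup of $HandlerKey failed; aborting." }
    & reg.exe delete $HandlerKey /f | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Delete of $HandlerKey failed." }
    Write-Host "Removed $HandlerKey (backup at $BackupFile)."
}

function Restore-MsdtProtocolHandler {
    # Re-import the saved key once Microsoft's fix has been installed.
    if (-not (Test-Path $BackupFile)) { throw "No backup found at $BackupFile." }
    & reg.exe import $BackupFile | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Import of $BackupFile failed." }
    Write-Host "Restored $HandlerKey from $BackupFile."
}

# Usage: apply the workaround now; call Restore-MsdtProtocolHandler after patching.
Disable-MsdtProtocolHandler
```

Test-MsdtProtocolHandler can also be run on its own across a fleet to report which hosts still have the handler registered.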