New MS Office zero day evades Defender

Malware writers are exploiting a vulnerability in Microsoft Office that enables them to fetch malicious code without detection in a multi-stage attack, security researchers have found.

The exploit, which researcher Kevin Beaumont named Follina, abuses the remote template feature in Microsoft Word.

Japanese security vendor Nao Sec first reported the zero day, which it said was submitted from Belarus.

Nao Sec spotted that the zero day exploit embedded in a Word document first loads a hyper text markup language (HTML) file from a remote webserver.

It then uses the MSDT diagnotics tool handler, which is registered for the MS Office protocol, to execute Windows PowerShell code.

Beaumont said that the exploit works even with Office macros, traditionally used to run malware, disabled.

Microsoft's Defender for Endpoint does not currently detect Follina, and Beaumont was able to confirm that the exploit works on the older Office 2013 and 2016 variants.

Another researcher, Didier Stevens, managed to get the Follina MSDT exploit working on a fully patched version of Office 2021.

Beaumont said he was unable to get the exploit working with Current and Insider preview versions of Office.

He said this indicated that Microsoft had either fixed the vulnerability around May this year, or that he was "too much of an idiot" to exploit the vulnerability on the newest Office versions.

Users with an Office E5 licence can add a Defender for Endpoint query to alert about the exploit, which currently passes the anti-malware tool undetected.

Earlier this year, security vendor SySS documented how handlers for the MS Office protocol could be abused to open files directly, via specially crafted uniform resource location links.

A standard installation of MS Office installs 86 such handlers, Matthias Zöllner of SySS discovered, opening up possible abuse scenarios for attackers withouth attaching malicious documents to phishing emails for example.

Update March 31 Security researchers are working on methods to mitigate against the msdt vulnerability. 

One method suggested by Mimikatz developer Benjamin Delpy from the central Banque de France is to add the following Windows Group Policy Object (GPO):

HKLM\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnostics" /t REG_DWORD /v EnableDiagnostics /d 0

This prevents the MS Diagnostics Tool from executing.

Update June 1 Microsoft has acknowledged the issue and given it a Common Vulnerabilities and Exposures (CVE) index of 2022-30190.

The software giant has released Defender Antivirus signatures to detect what it calls is Trojan:Win32/Mesdetty, and said customers who run Microsoft Defender for Endpoint enable the BlockOfficeCreateProcessRule, which stops Office apps from creating malicious child processes.

As a workaround, Microsoft also suggests that users with Administrator privileges delete HKEY_CLASSES_ROOT\ms-msdt file type handler entry from the Windows Registry system configuration database.

Microsoft also said its Protected View and Application Guard for Office protect against the vulnerability.

However, security experts expressed doubts as to how effective Protected View and Application Guard for Office are to prevent exploitation with Follina.

This language is a bit misleading in not really describing what "calling application" means.
If you preview a file in Explorer, which uses Office to render the document, Protected View doesn't do a damn thing. pic.twitter.com/ptaqbTXDBl

— Will Dormann (@wdormann) May 31, 2022