In a nutshell: Follina doesn’t require elevated privileges or Office macros to be enabled, and it doesn’t get detected by Windows Defender. It works on most fully-updated Office versions and operating systems, with researchers pointing out that it can be exploited even if a user selects a malicious file in Windows Explorer.
Researchers have just revealed a new zero-day vulnerability in Microsoft Office, which the infosec community has dubbed Follina. It allows attackers to execute Powershell commands via Microsoft Diagnostic Tool (MSDT) once a malicious Word document is opened.
What makes this vulnerability especially dangerous is that it completely bypasses Windows Defender detection, works without elevated privileges and doesn’t require Office macros to be enabled. So far, it’s been confirmed to be present in Office 2013, 2016, 2019, 2021, and a few versions included with a Microsoft 365 license on both Windows 10 and 11.
A lot of folks have pointed out that Protected Mode is required when opening the Word doc. Just a reminder that formatting as a Rich Text File allows exploitation when Explorer’s preview pane option is enabled (no Enable Editing button either 😉 #Follina #MSDT https://t.co/ZUj5WXeWjN
— Kyle Hanslovan (@KyleHanslovan) May 30, 2022
As Kevin Beaumont explains, a malicious document uses the Word remote template feature to retrieve an HTML file from a remote web server. This, in turn, uses the ms-msdt MSProtocol Uniform Resource Identifier (URI) scheme to execute code in Powershell.
Protected View, a feature that alerts users of files from potentially unsafe locations, does activate and flag the document as potentially malicious. However, by converting the document to a Rich Text Format (RTF) file, the vulnerability can be exploited simply by selecting the file (without opening it) if Windows Explorer’s preview pane option is enabled.
It says pic.twitter.com/Z2AN7nq6hr
— crazyman_army (@CrazymanArmy) May 30, 2022
Interestingly, Microsoft was informed of this vulnerability in April, yet it decided to dismiss it as the company couldn’t replicate it.
Huntress Labs, a cybersecurity company, says it expects attackers to exploit Follina through email-based delivery and warns people to be vigilant about opening any attachments until the vulnerability gets patched.
