Microsoft Office zero-day “Follina”—it’s not a bug, it’s a feature! (It’s a bug)
Several researchers have come across a novel attack that circumvents Microsoft’s Protected View and anti-malware detection.
The attack vector uses the Word remote template feature to retrieve an HTML file from a remote webserver. It goes on to use the ms-msdt
protocol URI scheme to load some code, and then execute some PowerShell.
All of the above methods are features, but if we tell you that put together this allows an attacker to remotely run code on your system by tricking you into clicking a link, that sounds quite disturbing doesn’t it?
Well, you’d be right to be concerned. That little sequence of features adds up to a zero-day flaw in Microsoft Office that is being abused in the wild to achieve arbitrary code execution on Windows systems.
Jerome Segura, Malwarebytes’ Senior Director, Threat Intelligence:
This elegant attack is designed to bypass security products and fly under the radar by leveraging Microsoft Office’s remote template feature and the ms-msdt protocol to execute malicious code, all without the need for macros.
The most prominent researchers working on the issue have dubbed the vulnerability in Microsoft Office Follina, because a sample uploaded to VirusTotal included the area code for the Italian comune Follina.
Affected versions
Under normal circumstances, files from potentially unsafe locations are opened as read only or in Protected View. However, this warning can be easily bypassed by changing the document to a Rich Text Format (RTF) file. By doing so, the code can run without even opening the document via the preview tab in Explorer.
While the research is ongoing and the info security community is testing and probing, we are receiving some mixed signals whether the latest, fully patched, version of Office 365 is vulnerable to this type of attack or not. Older versions are certainly vulnerable, which already makes it a problem with a huge attack surface.
Researcher Kevin Beaumont provides the example where an attacker can send an email with this text as a hyperlink:
ms-excel:ofv|u|https://blah.com/poc.xls
And Outlook will allow the user to click the hyperlink and open the Excel document. Because the document isn’t attached to the email, and the URI doesn’t start with http or https, most email gateways are going to let that slide straight through as nothing appears malicious.
As we stated earlier, even looking at a specially crafted file in the preview pane of Windows Explorer could trigger the attack. Microsoft has been made aware of the issues and the possible consequences. While its first reaction was that there was no security issue, it seems this needs to be fixed.
Mitigation
There are a few things you can do to stop some or all of the “features” used in this type of attack.
Unregister the ms-msdt protocol
Will Dormann, a vulnerability analyst at the CERT/CC has published a registry fix that will unregister the ms-msdt protocol.
Copy and paste the text into a notepad document:
- Click on File, then Save As…
- Save it to your Desktop, then name the file
disable_ms-msdt.reg
in the file name box. - Click Save, and close the notepad document.
- Double-click the file
disable_ms-msdt.reg
on your desktop.
Note, if you are prompted by User Account Control, select Yes or Allow so the fix can continue.
- A message will appear about adding information into the registry, click Yes when prompted
- A prompt should appear that the information was added successfully
Disable preview in Windows Explorer
If you have the preview pane enabled, you can:
- Open File Explorer.
- Click on View Tab.
- Click on Preview Pane to hide it.
Enable Malwarebytes’ Block penetration testing attacks
The Malwarebytes’ Block penetration testing attacks setting is an aggressive detection setting that will block this attack. It is not enabled by default because while enabling it provides additional blocking capabilities for Exploit Protection it can increase false positives, or result in other application conflicts.
To enable it:
- Open Settings
- Click Security
- Choose Advanced settings
- Tick Block penetration testing attacks
The post Microsoft Office zero-day “Follina”—it’s not a bug, it’s a feature! (It’s a bug) appeared first on Malwarebytes Labs.
If you like the site, please consider joining the telegram channel or supporting us on Patreon using the button below.