Microsoft – Workaround Releases for ‘One-Click’ 0 Day Under Active Attack!


Microsoft has released a workaround for a zero-day flaw that was first flagged in April & that attackers have already used to target organisations in Russia & Tibet, researchers observed.

Threat actors are already exploiting the vulnerability, dubbed ‘Follina’ & originally identified back in April.

The remote code execution (RCE) issue, tracked as CVE-2022-30190, is associated with the Microsoft Support Diagnostic Tool (MSDT), which, ironically, itself collects information about bugs in the company’s products & reports it to Microsoft Support.

New Accounts

If successfully exploited, attackers can install programs, view, change or delete data, or create new accounts in the context allowed by the user’s rights, the company stated.

“A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word,” Microsoft explained in its guidance on the Microsoft Security Response Center. “An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application.”

Russian Users

Microsoft’s workaround comes some 6 weeks after the vulnerability was apparently first identified. Researchers from Shadow Chaser Group noticed it on April 12 in a bachelor’s thesis from Aug. 2020, with attackers apparently targeting Russian users, & reported it to Microsoft on April 21, according to research firm Recorded Future’s The Record.

A Malwarebytes threat intelligence analyst also saw the flaw in April but could not fully identify it, the company said in a post on Twitter over the weekend, retweeting the original post about the vulnerability, also made on April 12, by @h2jazi.

Nao Sec

When the flaw was reported, Microsoft did not consider it an issue. It’s clear now that the company was wrong, & the vulnerability again drew the attention of researchers at Japanese security vendor Nao Sec, who tweeted a fresh warning about it over the weekend, noting that it was being used to target users in Belarus.

In analysis over the weekend, noted security researcher Kevin Beaumont dubbed the vulnerability “Follina,” explaining that the zero-day’s code references 0438, the telephone area code of Follina, Italy.

Current Workaround

While no patch yet exists for the flaw, Microsoft is recommending that affected users disable the MSDT URL protocol to mitigate it for now. This “prevents trouble-shooters being launched as links including links throughout the operating system,” the company wrote in its advisory.

To do this, users must run Command Prompt as Administrator, back up the registry key by executing the command “reg export HKEY_CLASSES_ROOT\ms-msdt filename”, & then execute the command “reg delete HKEY_CLASSES_ROOT\ms-msdt /f”. Keeping the exported file allows the key to be restored later with “reg import filename” once a patch is available.
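The following is an added example, not Microsoft’s own advisory script, that wraps the same three steps in a PowerShell script an administrator can run from an elevated prompt: it backs up the ms-msdt key, verifies the backup exists before deleting anything, confirms the handler is gone, & can reverse the change with reg import once a patch ships. The backup path & the function names are assumptions chosen for illustration.

```powershell
# Added example, not Microsoft's advisory script. Run from an elevated
# PowerShell prompt. The backup path is an assumption; adjust as needed.
$Key        = 'HKCR\ms-msdt'                       # key reg.exe operates on
$KeyPsPath  = 'Registry::HKEY_CLASSES_ROOT\ms-msdt' # same key, PowerShell provider path
$BackupFile = 'C:\ProgramData\ms-msdt-backup.reg'   # assumed location

function Test-MsdtHandler {
    # True when the ms-msdt: URL protocol handler is still registered.
    return (Test-Path -Path $KeyPsPath)
}

function Disable-MsdtHandler {
    if (-not (Test-MsdtHandler)) {
        Write-Host 'ms-msdt handler already absent; nothing to do.'
        return
    }
    # Step 1: back up the key so the workaround can be reverted later.
    reg.exe export $Key $BackupFile /y | Out-Null
    if (-not (Test-Path -Path $BackupFile)) {
        throw "Backup to $BackupFile failed; refusing to delete the key."
    }
    # Step 2: remove the handler (the advisory's 'reg delete ... /f').
    reg.exe delete $Key /f | Out-Null
    # Step 3: verify the change actually took effect.
    if (Test-MsdtHandler) {
        throw 'ms-msdt handler still present after delete; check elevation.'
    }
    Write-Host "ms-msdt handler removed. Backup saved to $BackupFile"
}

function Restore-MsdtHandler {
    # Reverts the workaround from the backup taken by Disable-MsdtHandler.
    if (-not (Test-Path -Path $BackupFile)) {
        throw "No backup found at $BackupFile; cannot restore."
    }
    reg.exe import $BackupFile | Out-Null
    if (-not (Test-MsdtHandler)) {
        throw 'Import ran but the ms-msdt handler is still missing.'
    }
    Write-Host 'ms-msdt handler restored from backup.'
}

# Usage (elevated):
#   Disable-MsdtHandler   # apply the workaround
#   Test-MsdtHandler      # False while the workaround is in place
#   Restore-MsdtHandler   # revert after a patch is installed
```

The script refuses to delete the key unless the export file is present, because the export is the only record of the original handler; the same check should be kept if the steps are pushed through a management tool rather than run by hand.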

“Trouble-shooters can still be accessed using the Get Help application & in system settings as other or additional trouble-shooters,” the company observed.

Protected View

If the calling application is an Office app, then by default Office opens documents from the internet in Protected View or Application Guard for Office, “both of which prevent the current attack,” Microsoft outlined. However, Beaumont disputed that assurance in his analysis of the bug.

Microsoft also plans to update CVE-2022-30190 with further information but did not specify when it would do so, the advisory states.

Significant Risk

In addition, the unpatched flaw poses a significant risk for a number of reasons, Beaumont & other researchers noted.

One is that it affects such a wide swathe of users, given that it exists in all currently supported Windows versions & can be exploited via Microsoft Office versions 2013 through 2019, Office 2021, Office 365, & Office ProPlus.

“Every organisation that is dealing with content, files & in particular Office documents, which is basically everyone in the globe, is currently exposed to this threat,” Aviv Grafi, CTO & founder of security firm Votiro, wrote.

Major Threat

Another reason the flaw poses a major threat is that it executes without action from end users, both Beaumont & Grafi explained. Once the HTML is loaded by the calling application, the ms-msdt URL scheme is used to run PowerShell code that executes a malicious payload, Grafi explained.

Because the flaw abuses the remote template feature in Microsoft Word, it does not depend on the typical macro-based exploit path that is common in Office-based attacks, Beaumont revealed.

“What makes this vulnerability so difficult to avoid is the fact that the end-user does not have to enable macros for the code to execute, making it a ‘zero-click’ remote code execution technique used through MSDT,” Grafi concurred.
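Because the chain described above ends with an Office application launching MSDT, the parent–child process relationship is the simplest thing a defender can look for. The following is an added example (not code from the article, Microsoft or any of the researchers quoted) that runs that check over constructed process-creation records; the records are made up for illustration & only loosely mimic Sysmon Event ID 1 fields, & the Office process list & field names are assumptions.

```powershell
# Added detection example. Flags process-creation events in which an
# Office application is the parent of msdt.exe (the MSDT executable the
# ms-msdt: handler launches). Records below are constructed sample data.
$OfficeApps = @('winword.exe', 'excel.exe', 'powerpnt.exe', 'outlook.exe')  # assumption

$Events = @(
    # Suspicious: Word launching MSDT via the ms-msdt: URL protocol
    [pscustomobject]@{ Time = '2022-05-30T09:01:12Z'
        ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
        Image       = 'C:\Windows\System32\msdt.exe'
        CommandLine = '"C:\Windows\System32\msdt.exe" ms-msdt:...' }   # URL elided
    # Benign: a user opening a troubleshooter from the shell
    [pscustomobject]@{ Time = '2022-05-30T09:05:40Z'
        ParentImage = 'C:\Windows\explorer.exe'
        Image       = 'C:\Windows\System32\msdt.exe'
        CommandLine = '"C:\Windows\System32\msdt.exe" -id NetworkDiagnosticsWeb' }
    # Benign: Word spawning its usual print helper
    [pscustomobject]@{ Time = '2022-05-30T09:07:03Z'
        ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
        Image       = 'C:\Windows\splwow64.exe'
        CommandLine = 'C:\Windows\splwow64.exe 12288' }
)

function Find-OfficeToMsdt {
    # Returns every record whose parent is an Office app and whose child is msdt.exe.
    param([Parameter(Mandatory)][object[]]$Records)
    foreach ($r in $Records) {
        $parent = (Split-Path -Path $r.ParentImage -Leaf).ToLowerInvariant()
        $child  = (Split-Path -Path $r.Image -Leaf).ToLowerInvariant()
        if (($OfficeApps -contains $parent) -and ($child -eq 'msdt.exe')) {
            [pscustomobject]@{
                Time        = $r.Time
                Parent      = $parent
                Child       = $child
                CommandLine = $r.CommandLine
            }
        }
    }
}

# Only the first record should be reported.
Find-OfficeToMsdt -Records $Events | Format-Table -AutoSize
```

Matching on the parent process rather than on the command line keeps the rule useful even if the URL in the payload is obfuscated, & the explorer.exe record shows why msdt.exe alone is not a useful signal: legitimate troubleshooters launch the same binary.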

Active Attack

Claire Tills, Senior Research Engineer at security firm Tenable, compared the issue to last year’s zero-click MSHTML bug tracked as CVE-2021-40444, which was exploited by attackers, including the Ryuk ransomware gang.

“Given the similarities between CVE-2022-30190 & CVE-2021-40444, & that researchers speculate other protocol handlers may also be vulnerable, we expect to see further developments & exploitation attempts of this issue,” she wrote.

Women Empowerments Desk

Indeed, threat actors have already pounced on the vulnerability. On Monday, Proofpoint Threat Insight tweeted that threat actors were using the flaw to target organisations in Tibet by impersonating the “Women Empowerments Desk” of the Central Tibetan Administration.

Also, the workaround Microsoft currently offers has issues of its own & will not provide much of a fix in the long term, especially with the bug under attack, Grafi concluded. He said the workaround is “not friendly for admins” because it involves “changes in the Registry of the end user’s endpoints.”
