Attackers are actively exploiting an unpatched remote code execution (RCE) vulnerability in a Windows component called the Microsoft Support Diagnostic Tool (MSDT) through weaponized Word documents. Microsoft has responded with mitigation advice that can be used to block the attacks until a permanent patch is released.

An exploit for the vulnerability, now tracked as CVE-2022-30190, was found in the wild by an independent security research team dubbed nao_sec, which spotted a malicious Word document uploaded to VirusTotal from an IP in Belarus. However, more malicious samples dating from April have also been found, suggesting the vulnerability has been exploited for over a month.

A Word exploit, but not a Word flaw

Because the original exploit came in the form of a Word document, there were initial rumors that the vulnerability was located in Word or the larger Office suite. However, security researcher Kevin Beaumont, who dubbed the flaw Follina before it had a CVE identifier, analyzed the exploit and concluded that it leveraged the Word remote template feature to retrieve an HTML file from a remote server and then used the ms-msdt URL scheme to load malicious code and a PowerShell script.

"There’s a lot going on here, but the first problem is Microsoft Word is executing the code via msdt (a support tool) even if macros are disabled," Beaumont said in a blog post. "Protected View does kick in, although if you change the document to RTF form, it runs without even opening the document (via the preview tab in Explorer) let alone Protected View."

Beaumont did some initial testing and the exploit seemed to fail on the Insider and Current version of Office but worked on others. However, more researchers later tested the exploit, confirming it on fully up-to-date versions of Office 2013, 2016, 2019, 2021, Office ProPlus and Office 365.

The issue is actually bigger because the vulnerability is located in MSDT, which can be called from different applications, including Office, but not only via the MSDT URL protocol scheme ms-msdt. In fact, according to Beaumont, it also works directly in Windows via LNK files as well as in Outlook.

Microsoft responds with Follina mitigation advice
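The remote-template step Beaumont describes leaves a trace inside the document package, which a defender can check before a file is opened. The following triage script is an added example, not code from the article, Beaumont or Microsoft; the function names and the sample document are constructed for illustration, and it assumes the file is an OOXML (.docx) package.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespace of every *.rels part in an OOXML package; REL_TYPE prefixes the type URIs.
NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
REL_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"

def external_relationships(docx_bytes):
    """Return (part, type, target) for each relationship with TargetMode="External"."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as pkg:
        for name in pkg.namelist():
            if not name.endswith(".rels"):
                continue
            # Stdlib parser keeps this dependency-free; prefer defusedxml for bulk untrusted input.
            root = ET.fromstring(pkg.read(name))
            for rel in root.iter(NS + "Relationship"):
                if rel.get("TargetMode", "").lower() == "external":
                    rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                    found.append((name, rel_type, rel.get("Target", "")))
    return found

def triage(docx_bytes):
    """Keep external HTTP(S) targets of non-hyperlink types, which Word can fetch on open."""
    # Hyperlinks are followed only when clicked, so they are left out.
    return [
        (part, rel_type, target)
        for part, rel_type, target in external_relationships(docx_bytes)
        if rel_type != "hyperlink" and target.split(":", 1)[0].lower() in ("http", "https")
    ]

def build_sample():
    """Constructed input: one remote template reference and one ordinary hyperlink."""
    rel = '<Relationship Id="{}" TargetMode="External" Type="{}{}" Target="{}"/>'
    rels = (
        '<Relationships xmlns="' + NS.strip("{}") + '">'
        + rel.format("rId1", REL_TYPE, "attachedTemplate", "https://templates.example.invalid/page.html")
        + rel.format("rId2", REL_TYPE, "hyperlink", "https://www.example.invalid/")
        + "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()

if __name__ == "__main__":
    for part, rel_type, target in triage(build_sample()):
        print(f"{part}: {rel_type} -> {target}")
```

RTF files, which the article notes can trigger through the Explorer preview pane, are not ZIP packages and need a separate check.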