The vulnerability was unearthed by the nao_sec research team, following the discovery of a Word document uploaded to VirusTotal from a Belarusian IP address. The researchers posted a series of tweets detailing their discovery. The vulnerability leverages Microsoft Word’s external link (remote template) feature to load an HTML file, which in turn uses the ‘ms-msdt’ URI scheme to execute PowerShell code.
It is noteworthy that Microsoft first described the issue in April as a non-security issue, after a security researcher with Shadow Chaser Group reported observing a public exploit. Despite acknowledging that the issue was actively exploited in the wild, Microsoft didn’t describe it as a zero-day.
Follina Zero-Day Vulnerability: Details
The vulnerability was dubbed “Follina” by well-known cybersecurity researcher Kevin Beaumont. “The document uses the Word remote template feature to retrieve a HTML file from a remote webserver, which in turn uses the ms-msdt MSProtocol URI scheme to load some code and execute some PowerShell,” according to his analysis.
“There’s a lot going on here, but the first problem is Microsoft Word is executing the code via msdt (a support tool) even if macros are disabled. Protected View does kick in, although if you change the document to RTF form, it runs without even opening the document (via the preview tab in Explorer) let alone Protected View,” Beaumont added.
In short, the zero-day allows code execution in a range of Microsoft products and can be exploited in various attack scenarios. Furthermore, the vulnerability “breaks the boundary of having macros disabled,” and vendor detection is very poor.
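The chain described above leaves two artifacts a defender can check for: a .docx whose attached-template relationship points at an http(s) URL, and a retrieved HTML body that hands off to the ms-msdt: URI scheme. The following Python triage script is an added example (not code from the article, nao_sec or Beaumont’s analysis) that checks both. The sample documents are constructed in memory; the hostname, file names and the HTML stub are placeholders, not indicators from the article.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# OOXML relationship type that marks the document's attached (remote) template.
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
PKG_NS = "http://schemas.openxmlformats.org/package/2006/relationships"

# The URI scheme the article names as the hand-off from the HTML to msdt.
MSDT_SCHEME = re.compile(r"ms-msdt:", re.IGNORECASE)


def external_relationships(docx_bytes):
    """List (part, type, target) for every relationship in the .docx package
    that is marked TargetMode="External" and points at an http(s) URL."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as pkg:
        for part in pkg.namelist():
            if not part.endswith(".rels"):
                continue
            root = ET.fromstring(pkg.read(part))
            for rel in root.iter(f"{{{PKG_NS}}}Relationship"):
                if rel.get("TargetMode", "Internal") != "External":
                    continue
                target = rel.get("Target", "")
                if target.lower().startswith(("http://", "https://")):
                    hits.append((part, rel.get("Type", ""), target))
    return hits


def has_remote_template(docx_bytes):
    """True when the attached template is fetched from a web server, i.e. the
    first step of the chain described in the article."""
    return any(rtype == ATTACHED_TEMPLATE
               for _, rtype, _ in external_relationships(docx_bytes))


def references_msdt(html_text):
    """True when already-retrieved HTML refers to the ms-msdt: scheme."""
    return bool(MSDT_SCHEME.search(html_text))


def build_sample_docx(template_target, mode="External"):
    """Construct a minimal .docx in memory (sample data, not a real document)
    whose settings part declares an attached template at `template_target`."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as pkg:
        pkg.writestr("[Content_Types].xml",
                     '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        pkg.writestr("word/settings.xml",
                     '<w:settings xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
                     'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
                     '<w:attachedTemplate r:id="rId1"/></w:settings>')
        pkg.writestr("word/_rels/settings.xml.rels",
                     f'<Relationships xmlns="{PKG_NS}">'
                     f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
                     f'Target="{template_target}" TargetMode="{mode}"/></Relationships>')
    return buf.getvalue()


if __name__ == "__main__":
    # Hostname and file name are placeholders, not indicators from the article.
    suspicious = build_sample_docx("http://template-host.invalid/template.html")
    benign = build_sample_docx("Normal.dotm", mode="Internal")
    print("remote template:", has_remote_template(suspicious))   # True
    print("remote template:", has_remote_template(benign))       # False
    # Constructed HTML stub standing in for a fetched template; payload elided.
    stub = '<script>location.href = "ms-msdt:PLACEHOLDER";</script>'
    print("ms-msdt hand-off:", references_msdt(stub))             # True
```

The relationship check is the more durable of the two signals: a remote template URL has to be present in the package before Word opens it, whereas the HTML is only fetched at render time and can be padded or obfuscated, so a plain string match on ms-msdt: should be treated as a weak indicator and complemented by monitoring of msdt.exe launched as a child of Office processes.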
The researcher tested the zero-day on various machines, and it works in many of the cases. For example, the vulnerability works on Windows 10 without local admin rights, with macros disabled, and with Defender in place. However, it doesn’t work on Insider and current versions of Microsoft Office, Beaumont said, which suggests the company may have hardened or fixed the vulnerability without mentioning it publicly, possibly in May 2022.
“Another entirely possible option is I’m too much of an idiot to exploit it on those versions, and I’ve just messed something up,” he added. It should be noted that the flaw affects Office 2013 and 2016. Many businesses may be exposed, as it is typical for businesses to use older channels of Office 365 and ProPlus.
“Microsoft are going to need to patch it across all the different product offerings, and security vendors will need robust detection and blocking,” the researcher concluded.