Microsoft has issued CVE-2022-30190 for a vulnerability in the Microsoft Support Diagnostic Tool (MSDT).
The Microsoft Office vulnerability dubbed "Follina" was recently disclosed in attacks targeting government entities in Europe and the US.
Follina is characterized mainly by how easily it can be exploited: a cybercriminal can use Office documents to execute malware on a victim's computer without needing to place malicious code in a document's macros.
At the end of May this year, researchers from the Nao Sec team reported a new zero-day vulnerability in the Microsoft Support Diagnostic Tool (MSDT) that can be exploited with Microsoft Office documents. It is identified as CVE-2022-30190.
An attacker who successfully exploits this vulnerability can execute arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change or delete data, or create new accounts within the scope allowed by the user's rights.
The document uses Word’s remote template function to retrieve an HTML file from a remote web server, which in turn uses the MSProtocol ms-msdt URI scheme to load code and run PowerShell.
Protected View does apply to the document. However, if the document is changed to RTF format, the code runs without the document even being opened (via the preview tab in Explorer), so Protected View never comes into play.
The issue affects several versions of Microsoft Office, including Office, Office 2016 and Office 2021.
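The remote-template retrieval described above is recorded in the document's relationship parts, which can be inspected without opening the file in Word. The following Python is an added example, not code from Microsoft or the cited researchers; the function names, the size cap and the sample URLs are assumptions, and it covers OOXML (.docx) containers only, not RTF.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

REL_TAG = "{http://schemas.openxmlformats.org/package/2006/relationships}Relationship"
OOXML = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
MAX_PART = 1_000_000  # assumed cap: skip oversized .rels parts (zip-bomb guard)

def scan_docx(data):
    """Return sorted (priority, part, rel_type, target) for every external relationship."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not info.filename.endswith(".rels") or info.file_size > MAX_PART:
                continue
            for rel in ET.fromstring(zf.read(info)).iter(REL_TAG):
                if rel.get("TargetMode", "").lower() != "external":
                    continue  # internal part reference, nothing is fetched
                rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                # Hyperlinks are external by design; anything else that points
                # outside the package (template, OLE object, frame) needs review.
                priority = "low" if rel_type == "hyperlink" else "high"
                findings.append((priority, info.filename, rel_type, rel.get("Target", "")))
    return sorted(findings)  # "high" sorts before "low"

def build_sample():
    """Constructed sample: minimal OOXML container, not a real document."""
    def rels(*entries):
        body = "".join(
            f'<Relationship Id="rId{i}" Type="{OOXML}{t}" Target="{target}"{mode}/>'
            for i, (t, target, mode) in enumerate(entries, 1))
        return ('<Relationships xmlns="http://schemas.openxmlformats.org/'
                f'package/2006/relationships">{body}</Relationships>')
    ext = ' TargetMode="External"'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/_rels/document.xml.rels", rels(
            ("styles", "styles.xml", ""),
            ("hyperlink", "https://docs.example.invalid/", ext)))
        zf.writestr("word/_rels/settings.xml.rels", rels(
            ("attachedTemplate", "https://templates.example.invalid/t.html", ext)))
    return buf.getvalue()

if __name__ == "__main__":
    for finding in scan_docx(build_sample()):
        print(*finding, sep="  ")
```

A high-priority hit is a triage signal, not a verdict: some organizations legitimately attach templates hosted on internal servers.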
RECOMMENDATIONS
- Avoid opening files received from unknown email addresses.
- Keep anti-malware, anti-spam and, in general, all security software up to date with the latest updates available from each manufacturer.
- For alternative solutions go to the following link: https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/