MS Office Zero-Day (Follina)

"Follina," a Microsoft Office zero-day vulnerability with a CVSS rating of 7.8, was recently announced and assigned CVE-2022-30190.

A newly announced zero-day vulnerability dubbed “Follina” (CVE-2022-30190) has been shown to allow remote code execution through Microsoft Office, including installations with the May 2022 updates applied. The flaw lies in how Office handles Microsoft Support Diagnostic Tool (MSDT) URLs and can be used to run PowerShell scripts on a target system with the permissions of the application that opened the document.


This issue is particularly concerning because it allows code execution even when Office macros are disabled. According to Kevin Beaumont, a security researcher who has published a detailed writeup on the issue, Protected View would normally block this execution, but converting the document to Rich Text Format (RTF) bypasses that protection.


Microsoft has provided guidance on a temporary workaround, which involves disabling the MSDT URL protocol via a registry key. More information is available on Microsoft’s website.
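The following PowerShell script is an added example, not part of the original post, showing how the workaround described above can be applied and verified on a single workstation. The key name `HKEY_CLASSES_ROOT\ms-msdt` and the `reg.exe export`/`delete` commands are taken from Microsoft's published guidance for CVE-2022-30190 rather than from this post; the backup file location and the function names are placeholders chosen for this example. It backs up the protocol handler key before removing it, confirms the handler is gone, and provides a restore step for use once a vendor update has been installed.

```powershell
# Added example (not from the original post): apply, verify and later revert
# Microsoft's registry workaround for CVE-2022-30190 (Follina) by removing the
# ms-msdt URL protocol handler. Run from an elevated PowerShell session.
# Assumptions: key name and reg.exe commands are from Microsoft's guidance;
# $BackupFile is a placeholder path you can change.

$ProtocolKey = 'HKEY_CLASSES_ROOT\ms-msdt'
$BackupFile  = Join-Path $env:ProgramData 'ms-msdt-backup.reg'   # placeholder location

function Test-MsdtProtocolEnabled {
    # Returns $true when the ms-msdt URL handler is still registered.
    return (Test-Path -Path "Registry::$ProtocolKey")
}

function Disable-MsdtProtocol {
    if (-not (Test-MsdtProtocolEnabled)) {
        Write-Host "ms-msdt protocol handler already absent; nothing to do."
        return
    }
    # Back up the key first so the workaround can be reverted after patching.
    & reg.exe export $ProtocolKey $BackupFile /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Backup of $ProtocolKey failed; not deleting." }
    & reg.exe delete $ProtocolKey /f | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Deletion of $ProtocolKey failed." }
    Write-Host "ms-msdt protocol handler removed; backup saved to $BackupFile"
}

function Restore-MsdtProtocol {
    # Re-imports the saved key once the vendor fix has been installed.
    if (-not (Test-Path -Path $BackupFile)) { throw "No backup found at $BackupFile" }
    & reg.exe import $BackupFile | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Import of $BackupFile failed." }
    Write-Host "ms-msdt protocol handler restored from $BackupFile"
}

# Apply the workaround and confirm the handler is no longer registered.
Disable-MsdtProtocol
if (Test-MsdtProtocolEnabled) {
    Write-Warning "ms-msdt handler still present; workaround was not applied."
} else {
    Write-Host "Verified: ms-msdt handler is no longer registered."
}
```

Because the change is made under HKEY_CLASSES_ROOT, it affects every user of the machine, so the backup step matters: `Restore-MsdtProtocol` should be run only after the update that resolves the issue has been confirmed installed, and the `Test-MsdtProtocolEnabled` check can be reused in a fleet-wide compliance query to confirm which hosts still have the handler registered.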


Allendevaux & Company recommends that all organisations using Microsoft Office consider disabling the vulnerable protocol and monitor for application updates that resolve the issue.



This article was written by Clayton Horstman

Offensive Security Certified Professional (OSCP), CREST CRT, CompTIA Security+

Senior Cybersecurity Analyst
