
Introduction
So it all started on 27/5/2022, when a cyber security researcher known as @nao_sec found a malicious Microsoft Word file that runs arbitrary PowerShell code.
The official tweet👇
It was named Follina by Kevin Beaumont because the spotted sample references 0438, which is the area code of Follina in Italy. Microsoft later assigned CVE-2022-30190 to it.
It turns out that Microsoft had known about this vulnerability since April, when @CrazymanArmy, the leader of the Shadow Chaser Group, reported it to Microsoft. This was how Microsoft replied 👇
(Shadow Chaser Group is a sub-group of the GcowSec team; it consists of college students who focus on APT hunting and analysis.)
Non-Technical Explanation
It's a zero-day remote code execution (RCE) vulnerability in Microsoft Word: you get hacked the moment you view the file.
As of the time of writing this blog, there is no official mitigation.
Technical Explanation
The vulnerability is exploited through the ms-msdt: URI protocol handler, which hands a crafted URL to the Microsoft Support Diagnostic Tool (msdt.exe) so that it loads and runs attacker-chosen code. Attackers can embed malicious links starting with ms-msdt: in Microsoft Office documents, templates or emails; when the document is opened, the link is loaded and the code executes without any further user interaction, unless Protected View is on.
However, converting the document to RTF format may bypass Protected View as well: the Windows Explorer preview pane renders the RTF without ever opening it in Protected View.
For an in-depth analysis I really recommend this blog by John Hammond.
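The following is an added example, not code from the post or from John Hammond's analysis, written from a defender's side: a small PowerShell triage script that opens an Office OOXML file (a .docx is a zip archive) and flags two things the explanation above points at. It reports any part that contains an ms-msdt: URI, and any relationship part whose target is external, because an external relationship causes Word to fetch a remote resource when the document is opened, which is the route by which the ms-msdt: link reaches the victim. The folder path C:\quarantine and the file names in it are assumptions; the script needs only Windows PowerShell 5.1 or later.

```powershell
# Added example (not from the post): triage Office OOXML files for the
# indicators discussed above. Assumes Windows PowerShell 5.1+ on Windows.
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Test-OfficeDocForMsdt {
    param([Parameter(Mandatory)][string]$Path)

    $findings = @()
    $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
    try {
        foreach ($entry in $zip.Entries) {
            # Only the XML parts (document.xml, *.rels, ...) carry links.
            if ($entry.FullName -notmatch '\.(xml|rels)$') { continue }

            $reader = New-Object System.IO.StreamReader($entry.Open())
            try { $text = $reader.ReadToEnd() } finally { $reader.Dispose() }

            # 1. A literal ms-msdt: URI anywhere in the part.
            if ($text -match 'ms-msdt:') {
                $findings += "$($entry.FullName): contains an ms-msdt: URI"
            }

            # 2. Relationships that point outside the document. Word resolves
            #    these over the network when the file is opened, so a remote
            #    target is worth a look even if ms-msdt: is not in the file itself.
            if ($entry.FullName -like '*.rels') {
                foreach ($m in [regex]::Matches($text, '<Relationship\b[^>]*>')) {
                    $element = $m.Value
                    if ($element -match 'TargetMode="External"' -and
                        $element -match 'Target="([^"]+)"') {
                        $findings += "$($entry.FullName): external target $($Matches[1])"
                    }
                }
            }
        }
    } finally {
        $zip.Dispose()
    }
    return $findings
}

# Usage (assumed folder): walk a quarantine directory and print what was found.
Get-ChildItem -Path 'C:\quarantine' -Include *.docx,*.docm,*.dotx,*.dotm -Recurse |
    ForEach-Object {
        $hits = Test-OfficeDocForMsdt -Path $_.FullName
        if ($hits) {
            Write-Output $_.FullName
            $hits | ForEach-Object { Write-Output "  $_" }
        }
    }
```

The script only reads the archive; it never opens the document in Word, so it is safe to run over suspicious files. An external relationship by itself is not proof of anything (templates hosted on a company share also use them), which is why the output lists the target URL rather than deciding for you. RTF files are not zip archives and are not covered here.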
PoC (For Educational Purposes)
https://github.com/JohnHammond/msdt-follina
Mitigation (Non-Official)
As of the time of writing this blog, there is no official mitigation, but there are a few temporary things you can do until Microsoft publishes an official patch:
- Unregister the ms-msdt: protocol handler
- Disable preview in Windows Explorer
- Use Microsoft Defender's Attack Surface Reduction (ASR) rules (as recommended by Huntress)
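The three interim steps above, carried out in PowerShell, as an added example that is not part of the original post. The first step follows the approach of backing up and then deleting the ms-msdt protocol handler registration under HKEY_CLASSES_ROOT so that ms-msdt: links no longer reach msdt.exe; the backup file location is an assumption. The third step enables the Defender ASR rule "Block all Office applications from creating child processes", which stops Word from spawning msdt.exe in the first place. The preview pane step is a per-user Explorer setting; the registry value used for it here is an assumption and should be checked against your Windows build. Run from an elevated PowerShell prompt.

```powershell
# Added example (not from the post): interim Follina hardening steps.
# Run elevated. Assumes Windows 10/11 with Microsoft Defender Antivirus.

# 1. Back up, then remove, the ms-msdt: protocol handler registration.
#    With the key gone, an ms-msdt: URI has no handler and is not dispatched.
$backup = Join-Path $env:TEMP 'ms-msdt-backup.reg'   # assumed backup location
reg export HKEY_CLASSES_ROOT\ms-msdt $backup /y
reg delete HKEY_CLASSES_ROOT\ms-msdt /f
# To undo once an official fix is installed:  reg import $backup

# 2. Disable preview handlers in Windows Explorer for the current user.
#    Assumption: the ShowPreviewHandlers DWORD under Explorer\Advanced
#    controls this; verify on your build before relying on it.
$advanced = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
Set-ItemProperty -Path $advanced -Name 'ShowPreviewHandlers' -Value 0 -Type DWord

# 3. Enable the Defender ASR rule "Block all Office applications from
#    creating child processes" (Word launching msdt.exe is exactly this).
$officeChildProcRule = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'
Add-MpPreference -AttackSurfaceReductionRules_Ids $officeChildProcRule `
                 -AttackSurfaceReductionRules_Actions Enabled

# Verify that the rule is now listed as enabled.
$prefs = Get-MpPreference
$idx = [array]::IndexOf($prefs.AttackSurfaceReductionRules_Ids, $officeChildProcRule)
if ($idx -ge 0 -and $prefs.AttackSurfaceReductionRules_Actions[$idx] -eq 1) {
    Write-Output 'ASR rule enabled'
} else {
    Write-Output 'ASR rule NOT enabled; check Defender state'
}
```

Keep the exported .reg file: once Microsoft ships a fix, importing it restores the handler so diagnostic links work again. The ASR rule can be switched to AuditMode instead of Enabled first if you want to see which Office child processes would be blocked before enforcing it.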
References
- "Follina — a Microsoft Office code execution vulnerability" by Kevin Beaumont
- "Mysterious 'Follina' zero-day hole in Office – here's what to do!" by Sophos
- "Microsoft Office zero-day 'Follina' — it's not a bug, it's a feature! (It's a bug)" by Malwarebytes