[German]A new attack vector has been known since the weekend that abuses the Microsoft Support Diagnostics Utility via the ms-msdt: protocol to download and abuse malicious Word documents (or Excel spreadsheets) from the web. Microsoft has since issued a support document for CVE-2022-30190. I have summarized the latest state of knowledge.
Short review of the history
A security researcher with the nick nao_sec noticed an upload from Belarus on Virustotal, which abuses the possible resolution of external links in Microsoft Word to download an HTML document. From there, the ms-msdt protocol is then abused to execute malicious functions via a PowerShell script. The whole thing became public in a tweet on May 27, 2022.
Security researcher Kevin Beaumont then named the vulnerability "Follina" in an article Follina — a Microsoft Office code execution vulnerability. Beaumont writes that the uploaded Word sample uses the Word remote template function to retrieve an HTML file from a remote web server, which in turn uses the MSProtocol URI scheme ms-msdt to load code and execute PowerShell.
This should not be possible, so it is a vulnerability in Microsoft Word. This is because this attack vector works even when macros are disabled in Word. Beaumont concludes that this is a zero-day vulnerability that allows code execution in Office products – whether macros are disabled or not.
The name Follina for the vulnerability is derived from a pattern 0438 in the file, which corresponds to the Follina area code in Italy. The msdt.exe (Microsoft Support Diagnostics Utility) tool invoked via the ms-msdt protocol allows Microsoft Support to investigate certain issues (see here).
In his article, Beaumont demonstrates several preliminary stages in which Follina was tried for attack tests. Then Beaumont tested the whole thing on various devices and found that it worked more often. He shows an example on Windows 10, where he is not logged in as a local administrator and tests with macros completely disabled, with Defender, with Office 365 Semi-Annual Channel. When opening an (infected) Word document, the Windows machine Calc is started – so the attack concept works.
Who is affected?
Kevin Beaumont writes that the vulnerability can be exploited with RTF files in all versions of Office 365. The vulnerability has been detected in Office 2013, 2016, 2019, 2021, Office ProPlus and Office 365. It also applies to Windows itself, for example, it can be accessed from .lnk files. Beaumont gives more examples and references in his article linked above, that prove the exploit.
Security researcher Will Dormann suggests administrators disable the ms-msdt protocol in the above tweet. This can be done with the following instructions posted by Dormann:
Windows Registry Editor Version 5.00 [-HKEY_CLASSES_ROOT\ms-msdt]
Who wants to delete the above key in the registry with the command, should import itself before in the registry editor the contents into a .reg file.
Note that corresponding log entries in the registry can also exist under HKCU and HKLM. The entry is available since Windows 8. This article describes a GPO to disable the tool (see also). But also here the hint that in the meantime advanced attacks via WGET and PowerShell are known (see this series of tweets from Will Dormann).
Notes from ICS/SANS and Microsoft
I received a statement from Dr. Johannes Ullrich vom Internet Storm Center, of the Internet Storm Center, which is part of the SANS Technology Institute:
Malicious Office documents are a popular means of injecting malware. In the past, this was usually done via macros. Microsoft has restricted Office macros to make them harder to abuse.
The new vulnerability circumvents these restrictions. The malicious code is executed as soon as the user opens the document, and no warning is displayed. The attack was discovered in samples submitted to Virustotal, a Google-run site that collects malicious code. Microsoft has patched the problem without public announcement in the very latest versions of Office, but most older versions are still vulnerable.
Another document exploiting the issue was uploaded to Virustotal by an anonymous user on May 27. The upload was made from a Belarusian IP address. A researcher ("nao_sec") discovered the document and noticed the new technique, alerting the public via Twitter. SANS' Internet Storm Center has investigated the vulnerability and is providing recommendations on how to defend against it until MSFT issues a patch.
The ICS SANS forum has this post summarizing their findings on the vulnerability (CVE-2022-30190). There are also the following tips from ICS SANS on how to fix the vulnerability until the patch is available:
- Check the parent-child relationship: a good idea is to track msdt.exe processes started by parent processes such as word.exe or excel.exe.
- Delete the "ms-msdt" schema from the registry [see above].
- Prevent Office from creating child processes by creating an ASL rule:Set-MpPreference -AttackSurfaceReductionRules_Ids d4f940ab-401b-4efc-aadc-ad5f3c50688a -AttackSurfaceReductionRules_Actions Enabled
- In addition, you should train your users not to open suspicious documents in the first place.
In the meantime, Microsoft has published a blog post Guidance for CVE-2022-30190 Microsoft Support Diagnostic Tool Vulnerability dated May 30, 2022, which also removes the ms-msdt protocol handler.
There are also posts on Twitter that indicate that Windows Defender now finds such files. Kevin Beaumont writes as of May 31, 2022 that Windows Defender now has a signature for this vulnerability. This is confirmed by Microsoft in the blog post Guidance for CVE-2022-30190 Microsoft Support Diagnostic Tool Vulnerability. Microsoft Defender detects the following malware as of build 1.367.719.0 or newer of the signature files:
Trojan:Win32/Mesdetty.A
Trojaner:Win32/Mesdetty.B
Verhalten:Win32/MesdettyLaunch.A
Verhalten:Win32/MesdettyLaunch.B
Verhalten:Win32/MesdettyLaunch.C
Microsoft Defender for Endpoint also provides detection and warning of such attacks. In the Microsoft 365 Defender portal, the following alerts can indicate threat activity on the network:
Suspicious behavior of an Office application
Suspicious behavior of Msdt.exe
More details can be found in Microsoft's blog post Guidance for CVE-2022-30190 Microsoft Support Diagnostic Tool Vulnerability. Now it seems that Chinese APTs are using this 0-day – see this tweet.
Windows 7 home edition cannot find this key. (dutch version, no ms-word/office installed)
The key is set from Windows 8 up.
Hi,
I tested the Follina payload in a home environment by using the Xampp web server and localhost location for the HTML script that uses ms-msdt to run calc. After opening the weaponized document I can see the Word notification that the document contains links that may refer to other files (…). If I accept updating then the msdt.exe is executed as a child process of Word. If not, then nothing happens – msdt.exe is not executed.
The problem is that in the examples of Follina attacks that I can see on the web there are no notifications about embedded links.
In my example, the attack can be prevented by not allowing to update links or by disabling Trust Bar notifications. Do you know why the notification about embedded links is skipped in the examples that can be found on the web?
Thank you.