UPDATE: Follina Vulnerability in Microsoft Office Products

Release Date: 30-05-2022 10:59:00

UPDATE: Follina Vulnerability in Microsoft Office Products

History:

30/05/2022 --- v1.0 -- Initial publication
31/05/2022 --- v1.1 -- Updated with new information available
02/06/2022 --- v1.2 -- Updated with new information available about search-ms
15/06/2022 --- v1.3 -- Updated with new information about Microsoft patch

Summary

On the 29th of May 2022, the Nao_Sec team [1], an independent Cyber Security Research Team, discovered a malicious Office document shared on Virustotal [2]. This document is using an unusual, but known scheme [3] to infect its victims. The scheme was not detected as malicious by some EDR, like Microsoft Defender for Endpoint. This vulnerability could lead to code execution without the need of user interaction, as it does not involve macros, except if the Protected View mode is enabled and the Preview mode is disabled in Windows Explorer [4].

On the 30th of May 2022, Microsoft started to track this vulnerability identified CVE-2022-30190 (aka Follina) with a severity score of 7.8 out of 10.

On the 14th of June 2022, Microsoft has released security updates as part of June Patch Tuesday. One of the fixes applies to this actively exploited vulnerability. This update does not prevent Microsoft Office tools from loading Windows protocol URI handlers without user interaction, but will instead block PowerShell injection and disable this attack vector [16].

Technical Details

The vulnerability is being exploited by using the MSProtocol URI scheme to load some code. Attackers could embed malicious links inside Microsoft Office documents, templates or emails beginning with ms-msdt: that will be loaded and executed afterward without user interaction - except if the Protected View mode is enabled and/or the Preview mode is disabled in Windows Explorer [5]. Nevertheless, converting the document to the RTF format could also bypass the Protected View feature.

Security researchers have shown that it is possible to exploit this vulnerability with another MSProtocol URI scheme: search-ms:. Using this scheme, attackers would be able to automatically mount remote shares on a computer in order to trick the user into executing malware [14].

Affected Products

The flow is affecting all Windows version still receiving Security Updates [11].

Recommendations

CERT-EU strongly recommends installing the last updates provided with June 2022 cumulative Windows Updates.

Enabling Protected View and disabling Preview Mode is still recommended.

Monitoring

CERT-EU highly recommends monitoring for suspicious behaviours of Microsoft Office products: the process msdt.exe should not be spawned by Office products like words.exe, outlook.exe and also excel.exe.

Some researchers have released monitoring rules for various products:

Sigma [6]
Sentinel [7]
Defender [8]

Workarounds

Note: The workarounds described below are to be implemented if updating is not an option.

As a temporary workaround, Didier Stevens proposed to remove the ms-msdt handler in the registry hives. While this could prevent legitimate applications to work, it seems that there are not many applications using it [9]. Microsoft also provided this word around [13].

The same way as for the MSDT mitigation, it is possible to delete the search-ms protocol handler from the Windows Registry [15].

It is also possible to use the Attack Surface Reduction features to prevent Office applications from spawning child processes [10]. However, some legitimate line-of-business applications might also generate child processes for benign purposes and will be blocked if enabled.