{"id":46885,"date":"2022-05-30T18:01:10","date_gmt":"2022-05-30T18:01:10","guid":{"rendered":"https:\/\/www.threatshub.org\/blog\/zero-day-vuln-in-microsoft-office-follina-will-work-even-when-macros-are-disabled\/"},"modified":"2022-05-30T18:01:10","modified_gmt":"2022-05-30T18:01:10","slug":"zero-day-vuln-in-microsoft-office-follina-will-work-even-when-macros-are-disabled","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/zero-day-vuln-in-microsoft-office-follina-will-work-even-when-macros-are-disabled\/","title":{"rendered":"Zero-day vuln in Microsoft Office: ‘Follina’ will work even when macros are disabled"},"content":{"rendered":"

Infosec researchers have idenitied a zero-day code execution vulnerability in Microsoft’s ubiquitous Office software.<\/p>\n

Dubbed “Follina”, the vulnerability has been floating around for a while (cybersecurity researcher Kevin Beaumont traced it back to a report<\/a> made to Microsoft on April 12) and uses Office functionality to retrieve a HTML file which in turn makes use of the Microsoft Support Diagnostic Tool (MSDT) to run some code.<\/p>\n

\n

This is a nice find, looks like an EDR tooling gap from initial tests. (Possibly more, surprises Word didn\u2019t block this). https:\/\/t.co\/jzPzkOskGg<\/a><\/p>\n

\u2014 Kevin Beaumont (@GossiTheDog) May 29, 2022<\/a><\/p><\/blockquote>\n

Worse, it will work in Microsoft Word even when macros are disabled.<\/p>\n

The vulnerability was flagged up on Twitter at the end of last week by the @nao_sec account<\/a>, which noted the use of ms-msdt to execute PowerShell code.<\/p>\n

As for mitigation, there isn’t much. The Huntress post<\/a> on the matter suggested users utilizing Microsoft Defender’s Attack Surface Reduction (ASR) rules could put the “Block all Office Applications from creating child processes” option into “Block mode.”<\/p>\n