Cybercriminals have found a new hole in Microsoft Word (opens in new tab) documents that allow them to distribute malware (opens in new tab), researchers are saying.
Discovered by cybersecurity expert Kevin Beaumont, and dubbed “Follina”, the hole leverages a Windows utility called msdt.exe, designed to run different troubleshooter packs on Windows.
According to the report, when the victim downloads the weaponized Word file, they don’t even need to run it, previewing it in Windows Explorer is enough for the tool to be abused (it has to be an RTF file, though).
By abusing this utility, the attackers are able to tell the target endpoint to call an HTML file, from a remote URL. The attackers have chosen the xmlformats[.]com domain, probably trying to hide behind the similar-looking, albeit legitimate, openxmlformats.org domain used in most Word documents, the researchers are suggesting.
Acknowledging the threat
The HTML file holds plenty of “junk”, which obfuscates its true purpose – a script that downloads and executes a payload.
The report says almost nothing about the actual payload, so it’s hard to determine the threat actor’s endgame. It does say that the complete chain of events related to the publicized samples is not yet known.
Following the publication of the findings, Microsoft has acknowledged the threat, saying a remote code execution vulnerability exists “when MSDT is called using the URL protocol from a calling application such as Word.”
“An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights.”
While some antivirus (opens in new tab) software, such as Sophos, are already capable of spotting this attack, Micorosft has also released a mitigation method, which includes disabling the MSDT URL protocol.
While this will prevent troubleshooters from being launched as links, they can still be accessed using the Get Help application, and in system settings. To activate this workaround, admins need to do the following:
Run Command Prompt as Administrator.
To back up the registry key, execute the command “reg export HKEY_CLASSES_ROOTms-msdt filename“
Execute the command “reg delete HKEY_CLASSES_ROOTms-msdt /f”.
English
Arabic
Belarusian
Bengali
Bosnian
Bulgarian
Chinese (Simplified)
Croatian
Czech
Danish
Dutch
Estonian
Filipino
Finnish
French
Georgian
German
Greek
Gujarati
Hausa
Hebrew
Hindi
Hmong
Hungarian
Igbo
Indonesian
Italian
Japanese
Javanese
Kazakh
Korean
Kurdish (Kurmanji)
Kyrgyz
Lao
Latvian
Lithuanian
Macedonian
Malagasy
Norwegian
Persian
Polish
Portuguese
Punjabi
Romanian
Russian
Serbian
Slovak
Slovenian
Spanish
Swedish
Thai
Turkish
Ukrainian
Vietnamese
Yoruba