What to know about a malicious new Microsoft Office vulnerability

This "zero-day" attack relies on sneaking in malicious code embedded in innocuous-looking Word documents.

By Harry Guinness | Published Jun 3, 2022 10:00 AM EDT

Technology

Microsoft word app icon — Researchers recently discovered a security problem with Microsoft Word. DEPOSIT PHOTOS

A “zero-day” vulnerability in Microsoft Office (and Microsoft Windows) is being used by Chinese state-aligned hackers to target Tibetans. A zero-day attack is the cybersecurity term for any unpatched or previously unknown exploit. They are particularly useful to hackers as anti-virus software and other software defenses don’t work against them. Right now, if you open an infected Word document in any modern version of Office, the embedded code will run.

TA413 CN APT spotted ITW exploiting the #Follina #0Day using URLs to deliver Zip Archives which contain Word Documents that use the technique. Campaigns impersonate the "Women Empowerments Desk" of the Central Tibetan Administration and use the domain tibet-gov.web[.]app pic.twitter.com/4FA9Vzoqu4
— Threat Insight (@threatinsight) May 31, 2022

According to Proofpoint, a threat analysis firm, a Chinese hacking group, known as TA413, is targeting Tibetan nationals with the recently reported “Follina” exploit. The attack is embedded in a malicious Word document purporting to be sent by the “Women Empowerments Desk” of the Central Tibetan Administration, the Tibetan Government-in-Exile in Dharamshala, India. This is not the first time that Chinese hackers have targeted Tibetan groups: a 2019 report by Citizen Lab identified a number of instances going back over a decade.

As well as Tibetans, Follina-infected Word documents have been found in the wild since April this year targeting people in Russia and India.

According to security researcher Kevin Beaumont (who named the exploit “Follina” and even designed an appropriately crap logo), the exploit works using Word’s remote template feature to fetch a HTML file from a remote web server that then hijacks the Microsoft Support Diagnostic Tool (MSDT) to download and execute some code in PowerShell.

Windows 11 (May) + Office Pro Plus (April)
+ Preview pane enabled https://t.co/ZIOADQqluo pic.twitter.com/oo0YETlrl4
— @buffaloverflow@infosec.exchange (@buffaloverflow) May 29, 2022

Because the exploit uses MSDT, a support tool, it works even if macros are disabled (which is a commonly exploited Office feature that allows the app to run external code). Similarly, the Protected View security feature can be avoided by using an RTF (Rich Text Format) document (which is another document format that Word can open by default). You can see it in action in the video above. The non-malicious proof of concept is set up to open the Calculator app as soon as the document has loaded.

As Beaumont writes, “That should not be possible.” He identifies two separate issues with the exploit: How Office is handling the loading of HTML Word templates and Outlook links, and that MSDT allows this kind of code execution.

Right now, the vulnerability is present in pretty much every modern version of Office. Researchers have demonstrated it in Office 2013, 2016, 2019, 2021, Office ProPlus and Office 365, as well as in Windows itself as it can be called using .lnk files, which are files used by the operating system to open another file, folder, or application.

Microsoft has acknowledged the issue (calling it the less catchy “CVE-2022-30190”) and issued a workaround that involves having the user disable the MSDT URL Protocol, which the exploit uses to load the PowerShell code. Presumably, its security engineers are working hard to develop a proper patch.

Unfortunately, the Microsoft Security Response Center (MSRC) seems to have been a little slow to respond to Follina. The principles underlying the attack were first published in a 2020 Bachelor Thesis and in 2021 they patched a similar vulnerability in Microsoft Teams. A report filed with the MSRC in mid-April was dismissed, with the vulnerability ruled “not a security related issue.”

Interesting maldoc was submitted from Belarus. It uses Word's external link to load the HTML and then uses the "ms-msdt" scheme to execute PowerShell code.https://t.co/hTdAfHOUx3 pic.twitter.com/rVSb02ZTwt
— nao_sec (@nao_sec) May 27, 2022

It wasn’t until after Nao Sec, a security vendor, tweeted an example of the exploit found in the wild in Belarus on May 27 and it was analyzed and named by Beaumont on May 29 that Microsoft publicly identified it as a zero-day exploit.

Until Follina is fully patched, we’d recommend being careful opening Word documents from unknown sources. You can also follow Microsoft’s mitigation advice if you are concerned about being targeted (or are an administrator who wants to make sure their charges don’t run any malicious code by mistake).

This is just another example of how theoretical exploits can go from research labs to the real world. While it’s incredibly important to keep security patches up-to-date, it can’t protect you from all possible attack vectors. In the realms of international cybersecurity and state-sponsored hackers, constant vigilance is the only option.

It can pay off, though. Just this week, the FBI Director Christopher Wray announced that his agency had successfully thwarted an Iranian government-sponsored hack on Boston Children’s Hospital. According to the AP, the FBI learned of the attack from an unspecified intelligence partner and was able to provide the hospital with the information—and presumably security patches or some other kind of software mitigation—that helped it gear up against the threat.

Harry Guinness

Harry Guinness is an Irish freelance writer and photographer. He splits his year between Ireland and the French Alps. Harry’s work has been published in The New York Times, Popular Science, OneZero, Human Parts, Lifehacker, and dozens of other places. He writes about technology, culture, science, productivity, and the ways they collide.

Security