Researchers have warned about abuse of a new Office zero-day vulnerability. The flaw is exploited to run PowerShell commands through the Microsoft Diagnostic Tool (MSDT) simply by opening a Word document.

About the flaw

The vulnerability was referred to as 'Follina' by researchers until a tracking number was assigned. The flaw is now tracked as CVE-2022-30190.
  • Exploitation of the zero-day opens a new critical attack vector through Microsoft Office.
  • It works without elevated privileges, bypasses Windows Defender, and runs binaries or scripts without macros being enabled.
  • The exploit has been tested against multiple Office versions, including Office Pro Plus, Office 2013, Office 2016, and Office 2021.

How was the flaw discovered?

At first, a researcher found a malicious Word document submitted to VirusTotal from an IP address in Belarus.
  • The malicious Word file is crafted to run arbitrary PowerShell code whenever it is opened.
  • The sample was further analyzed by several other researchers, and a blog post was published detailing the findings.
  • At present, only one-third of the vendors on VirusTotal flag the document as malicious.

What to do?

Researchers have proposed some potential mitigations until patches or workarounds become available. They suggest using Defender ASR (Attack Surface Reduction) rules to block Office applications from creating child processes, a behaviour commonly relied on by malware.
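The ASR mitigation above, as an added example that is not part of the original article: it enables the Defender rule "Block all Office applications from creating child processes" (its published rule GUID) first in audit mode and then in block mode, and reads the configured state back. It assumes an elevated PowerShell session on a host running Microsoft Defender Antivirus.

```powershell
# Added example, not from the article: roll out the ASR rule that blocks
# Office applications from spawning child processes (the behaviour the
# Follina document relies on) and confirm the setting took effect.
# Published GUID of "Block all Office applications from creating child processes".
$OfficeChildProcRule = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'

# Step 1: audit mode first. Defender logs would-be blocks as Event ID 1122
# in Microsoft-Windows-Windows Defender/Operational without breaking
# legitimate add-ins, so the events can be reviewed before enforcing.
Add-MpPreference -AttackSurfaceReductionRules_Ids $OfficeChildProcRule `
                 -AttackSurfaceReductionRules_Actions AuditMode

# Step 2: once the audit events look clean, switch the same rule to block
# mode (blocked launches are logged as Event ID 1121). Add-MpPreference
# updates the action for an existing rule ID; Set-MpPreference would
# overwrite every other configured ASR rule, so avoid it here.
Add-MpPreference -AttackSurfaceReductionRules_Ids $OfficeChildProcRule `
                 -AttackSurfaceReductionRules_Actions Enabled

# Verification: actions are reported as 0 = Off, 1 = Block, 2 = Audit.
# Rule IDs may be stored in either case, so compare case-insensitively.
$prefs  = Get-MpPreference
$ids    = @($prefs.AttackSurfaceReductionRules_Ids)
$acts   = @($prefs.AttackSurfaceReductionRules_Actions)
$state  = 'not configured'
for ($i = 0; $i -lt $ids.Count; $i++) {
    if ($ids[$i] -ieq $OfficeChildProcRule) {
        $state = switch ($acts[$i]) { 1 { 'Block' } 2 { 'Audit' } default { 'Off' } }
    }
}
"ASR rule $OfficeChildProcRule is $state"
```

Audit-mode events (ID 1122) are worth watching for a few days before enforcing, since some legitimate Office add-ins also launch child processes and will show up there.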
Cyware Publisher