A zero-day vulnerability in Microsoft Office is under active exploitation in the wild, and while there isn’t a patch yet, the software giant has released workarounds to prevent attacks.
The vulnerability, CVE-2022-30190, first came to light on Friday courtesy of Nao_sec, an independent group of security researchers. Nao_sec reported on Twitter that it spotted a malicious document in VirusTotal, uploaded by a user in Belarus, that referenced the Microsoft Support Diagnostic Tool (MSDT).
“It uses Word’s external link to load the HTML and then uses the “ms-msdt” scheme to execute PowerShell code,” Nao_sec said in a tweet.
Over the weekend, other security researchers examined the document and confirmed the existence of a Microsoft zero-day vulnerability that had been exploited in the wild earlier. Independent security researcher Kevin Beaumont published a blog post Sunday on the flaw, which he nicknamed “Follina,” and noted that additional samples of in-the-wild exploitation had been uploaded to VirusTotal in April.
Interesting maldoc was submitted from Belarus. It uses Word’s external link to load the HTML and then uses the “ms-msdt” scheme to execute PowerShell code.https://t.co/hTdAfHOUx3 pic.twitter.com/rVSb02ZTwt
— nao_sec (@nao_sec)
May 27, 2022
According to Beaumont, the vulnerability allows a Microsoft Word document to execute code through MSDT even if macros are disabled. The additional samples included Russian language documents that appeared to be related to job interviews.
Managed threat detection vendor Huntress Labs published a threat report Sunday calling the Microsoft zero day a “novel initial access technique” that can be executed in one click or less. “This is an enticing attack for adversaries as it is tucked inside of a Microsoft Word document without macros to trigger familiar warning signs to users — but with the ability to run remotely hosted code,” wrote John Hammond, senior security researcher at Huntress.
Microsoft confirms MSDT flaw
Microsoft’s Security Response Center (MSRC) on Sunday confirmed the existence of the MSDT vulnerability, though the software giant did not describe the remote code execution flaw as a zero day or confirm exploitation activity in the wild. However, Microsoft’s security advisory for CVE-2022-30190 noted that exploitation has been detected.
The MSRC post offered workarounds to prevent exploitation, including disabling the MSDT URL protocol. Microsoft also said Application Guard for Office will prevent attacks on CVE-2022-30190, as will opening a malicious document in “Protected View.”
Microsoft credited anonymous security researcher “Crazyman,” a member of threat hunting collective Shadow Chaser Group, with the discovery of the MSDT flaw.
In his blog post, Beaumont noted that Crazyman first reported threat activity for CVE-2022-30190 on April 12. According to tweets from Crazyman, Microsoft responded on April 21 and informed the researcher that it was “not a security related issue.”
It’s unclear why the vulnerability submission was initially rejected.
Microsoft did not respond to requests for comment at press time.
UPDATE: Microsoft did not directly address questions about exploitation in the wild and why the MSRC post does not identify the vulnerability as a zero day.
“To help protect customers, we’ve published CVE-2022-30190 and additional guidance here,” Microsoft said, citing the MSRC post and vulnerability advisory.
Microsoft did not address questions about Crazyman’s original vulnerability report and its rejection; a Microsoft spokesperson said the company had nothing further to share at this time.