Beware of this dangerous new Microsoft Word scam, warn Office users

Cybercriminals have found a new flaw in Microsoft Word documents that allows them to distribute malware, researchers say.

Discovered by cyber security expert Kevin Beaumont and nicknamed "Follina", the flaw abuses a Windows utility called msdt.exe, the Microsoft Support Diagnostic Tool, which is designed to run various troubleshooting packages on Windows.

According to the report, the victim does not even need to open the weaponized Word file: previewing it in Windows Explorer is enough for the tool to be abused (for the preview path, however, the file must be an RTF file).

By abusing this utility, attackers can make the target endpoint fetch an HTML file from a remote URL. The attackers chose "xmlcom formats" naming for that location, the researchers suggest, probably to hide behind the similar-looking but legitimate openxmlformats.org domain that appears in most Word documents.

Recognize the threat

The HTML file contains a large amount of "junk" that obscures its real purpose: a script that downloads and runs a payload.

The report says almost nothing about the actual payload, which makes it difficult to determine the threat actor's endgame. The researcher adds that the full chain of events for the samples that were made public is not yet known.

Following the publication of the findings, Microsoft acknowledged the threat, saying that a remote code execution vulnerability exists "when MSDT is invoked using the URL protocol from a calling application such as Word."

"An attacker who successfully exploited this vulnerability could execute arbitrary code with the privileges of the calling application. The attacker can then install programs, display, modify or delete data, or create new accounts within the framework authorized by the user's rights."

While some antivirus programs, such as Sophos, can already detect this attack, Microsoft has also published a workaround: disabling the MSDT URL protocol.

While this prevents troubleshooters from being launched as links, they can still be reached through the Get Help app and in system settings. To apply this workaround, administrators must do the following:

Run the command prompt as an administrator.

To back up the registry key, run the command "reg export HKEY_CLASSES_ROOT\ms-msdt filename".

Run the command "reg delete HKEY_CLASSES_ROOT\ms-msdt /f".
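The same workaround as an added PowerShell script (not from the article or from Microsoft): it checks whether the ms-msdt: protocol handler is still registered, exports a backup with reg.exe, removes the key, and verifies the result. It must run from an elevated session; the backup file location is an assumption.

```powershell
# Added example: check, back up and remove the ms-msdt URL protocol handler
# (the Microsoft workaround described above). Run from an elevated PowerShell.
# The backup path below is an assumption; change it to suit your environment.
#Requires -RunAsAdministrator

$KeyPath    = 'Registry::HKEY_CLASSES_ROOT\ms-msdt'
$BackupFile = Join-Path $env:SystemDrive 'ms-msdt-backup.reg'   # assumed location

function Test-MsdtProtocolHandler {
    # Returns $true when the ms-msdt: URL protocol is still registered,
    # i.e. the workaround has not yet been applied on this host.
    return (Test-Path -Path $KeyPath)
}

function Backup-MsdtProtocolHandler {
    # Export the key with reg.exe so it can be restored later with
    # "reg import <file>". /y overwrites an existing backup file.
    & reg.exe export 'HKEY_CLASSES_ROOT\ms-msdt' $BackupFile /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg export failed with exit code $LASTEXITCODE" }
    return $BackupFile
}

function Disable-MsdtProtocolHandler {
    # Remove the key so Office and Explorer can no longer hand ms-msdt: URLs to msdt.exe.
    Remove-Item -Path $KeyPath -Recurse -Force -ErrorAction Stop
}

if (-not (Test-MsdtProtocolHandler)) {
    Write-Output 'ms-msdt protocol handler is not registered; nothing to do.'
    return
}

$saved = Backup-MsdtProtocolHandler
Write-Output "Backup written to $saved"
Disable-MsdtProtocolHandler

if (Test-MsdtProtocolHandler) {
    Write-Warning 'ms-msdt key is still present; removal failed.'
} else {
    Write-Output "ms-msdt URL protocol disabled. Restore with: reg import `"$saved`""
}
```

Running Test-MsdtProtocolHandler alone on a fleet of hosts gives a quick inventory of which machines still have the handler registered.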