Microsoft has just released its June 2022 Cumulative Update for Windows, which includes a fix for the dreaded Follina vulnerability.

"Microsoft strongly recommends that customers install updates to be fully protected against the vulnerability. Customers whose systems are configured to receive automatic updates do not need to take any additional action," Microsoft said in its advisory.

Discovered by cybersecurity expert Kevin Beaumont and dubbed "Follina," the flaw abuses a Windows utility called msdt.exe, the Microsoft Support Diagnostic Tool, which is designed to run various troubleshooting packages on Windows. The researcher found that once a victim downloads a weaponized Word file, they don't even need to open it: previewing it in Windows Explorer is enough to trigger the tool (for the preview path, however, the file must be an RTF).

Bug abused in the wild

By abusing this utility, attackers can make the target endpoint fetch an HTML file from a remote URL. The attackers chose the xmlformats[.]com domain, likely trying to hide behind the similar-looking but legitimate openxmlformats.org domain referenced in most Word documents.

The HTML file contains a lot of "garbage", which obscures its real purpose: a script that downloads and executes a payload.

Microsoft's patch doesn't stop Office from automatically loading Windows protocol URI handlers without user interaction, but it does block the PowerShell injection through msdt.exe, rendering the attack useless.
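The chain described above (a Word document whose relationships point at a remote HTML file, and an HTML page padded with junk to hide a call into the msdt protocol handler) leaves two artefacts a defender can inspect. The following is an added triage example, not code from the article or from Microsoft: it unpacks a .docx, lists every relationship marked `TargetMode="External"` that resolves to an http(s) URL, flags hosts that imitate openxmlformats.org, and scans a fetched HTML page for the `ms-msdt:` scheme (the scheme name handled by msdt.exe; the article only names the executable) together with the share of the page that is HTML-comment filler. The sample document and HTML are constructed inline and mimic only the structure, not a working exploit.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Standard OPC relationships namespace used by every .rels part in an Office file.
RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"

# Scheme that hands a URI to msdt.exe; assumed here from public Windows docs.
MSDT_SCHEME = re.compile(r"ms-msdt:", re.IGNORECASE)


def looks_like_openxmlformats(host: str) -> bool:
    """True for hosts that borrow 'xmlformats' but are not openxmlformats.org."""
    host = host.lower()
    return "xmlformats" in host and not host.endswith("openxmlformats.org")


def external_targets(docx_bytes: bytes) -> list:
    """Return every External relationship whose target is an http(s) URL.

    Hyperlinks a user typed also show up here, so the relationship Type matters:
    an External oleObject (or similar) target is the pattern to escalate.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                if rel.get("TargetMode") != "External":
                    continue
                target = rel.get("Target", "")
                parsed = urlparse(target)
                if parsed.scheme not in ("http", "https"):
                    continue
                findings.append({
                    "part": name,
                    "type": rel.get("Type", "").rsplit("/", 1)[-1],
                    "target": target,
                    "lookalike": looks_like_openxmlformats(parsed.hostname or ""),
                })
    return findings


def html_protocol_handler_hits(html: str) -> dict:
    """Report an ms-msdt: reference and how much of the page is comment filler."""
    comments = re.findall(r"<!--.*?-->", html, flags=re.S)
    filler = sum(len(c) for c in comments)
    return {
        "msdt_uri": bool(MSDT_SCHEME.search(html)),
        "filler_ratio": round(filler / max(len(html), 1), 2),
    }


def build_sample_docx(target: str) -> bytes:
    """Constructed sample: a minimal .docx with one External oleObject relationship."""
    rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Relationships xmlns="{RELS_NS}">'
        '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/'
        'officeDocument/2006/relationships/styles" Target="styles.xml"/>'
        '<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/'
        f'officeDocument/2006/relationships/oleObject" Target="{target}" '
        'TargetMode="External"/>'
        "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", '<?xml version="1.0"?><Types xmlns="'
                    'http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("word/document.xml", '<?xml version="1.0"?><w:document xmlns:w="'
                    'http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
        zf.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


# Constructed HTML: a large comment block hiding a handler call with a placeholder argument.
SAMPLE_HTML = ("<!--" + "A" * 4000 + "-->"
               '<script>window.location.href = "ms-msdt:placeholder";</script>')

if __name__ == "__main__":
    doc = build_sample_docx("https://www.xmlformats.example/preview.html")  # constructed host
    for hit in external_targets(doc):
        print(hit)
    print(html_protocol_handler_hits(SAMPLE_HTML))
```

Run it against real samples by swapping `build_sample_docx(...)` for the bytes of a quarantined document and `SAMPLE_HTML` for the fetched page; a lookalike host plus an External oleObject relationship is the combination worth escalating, and the filler ratio separates a padded loader page from an ordinary web page.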

As soon as it was discovered, researchers began tracking the flaw being abused in the wild. Its early users reportedly included Chinese state-sponsored threat actors staging cyberattacks against the international Tibetan community.

"TA413 CN APT detected ITW exploiting Follina 0Day using URLs to deliver Zip files containing Word documents using the technique," cybersecurity researchers at Proofpoint said two weeks ago. The same company also found that another threat actor, TA570, abused Follina to distribute Qbot, while NCC Group found that Black Basta, a well-known ransomware group, abused it as well.

Via: BleepingComputer