New Software Vulnerability Zeroes In on Microsoft Programs

A “Zero Day” vulnerability in a Windows tool that hackers have been exploiting through poisoned Word documents was discovered over the weekend.

An independent cybersecurity research team known as nao_sec announced in a series of tweets that they’d found the vulnerability in a malicious Word document uploaded to VirusTotal, a website for analyzing suspicious software, from an IP address in Belarus.

Another researcher, Kevin Beaumont, who dubbed the vulnerability “Follina,” explained that the malicious document uses Word’s remote template feature to retrieve an HTML file from a remote web server. That file then uses Microsoft’s ms-msdt MSProtocol URI scheme to load more code on the targeted system and to execute PowerShell commands.

Making matters worse, the malicious document doesn’t have to be opened to execute its payload. It will run if the document is displayed in the preview pane of Windows Explorer.
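A defender reading the two paragraphs above wants a concrete check for the behaviour they describe: Word (or the Explorer preview pane) handing an ms-msdt: URL to the Microsoft Support Diagnostic Tool, msdt.exe. The PowerShell below is an added example, not code from the article or from the researchers it quotes. It assumes process-creation records with UtcTime, ParentImage, Image and CommandLine fields, as an export of Sysmon Event ID 1 or Windows Security Event 4688 would provide; the sample records are constructed for the example, not real telemetry, and the ms-msdt: command line is a placeholder rather than an actual payload.

```powershell
# Added example (not from the article): flag msdt.exe launches that match the
# Follina pattern. Records are assumed to carry UtcTime, ParentImage, Image and
# CommandLine, as Sysmon Event ID 1 / Security 4688 exports do.

function Find-SuspiciousMsdtLaunch {
    param(
        [Parameter(Mandatory)]
        [object[]]$Records
    )

    # Office applications that have no ordinary reason to start msdt.exe.
    $officeParents = @('winword.exe', 'excel.exe', 'powerpnt.exe', 'outlook.exe')

    foreach ($r in $Records) {
        $image  = [System.IO.Path]::GetFileName([string]$r.Image).ToLowerInvariant()
        $parent = [System.IO.Path]::GetFileName([string]$r.ParentImage).ToLowerInvariant()

        if ($image -ne 'msdt.exe') { continue }

        $reasons = @()
        if ($officeParents -contains $parent) {
            $reasons += "started by Office process $parent"
        }
        # -match is case-insensitive in PowerShell. Checking the URL scheme catches
        # the link-launch path whichever parent used it, including the Explorer
        # preview pane case described in the article.
        if ([string]$r.CommandLine -match 'ms-msdt:') {
            $reasons += 'invoked through the ms-msdt: URL scheme'
        }
        if ($reasons.Count -eq 0) { continue }   # e.g. a troubleshooter a user opened by hand

        [pscustomobject]@{
            UtcTime     = $r.UtcTime
            ParentImage = $r.ParentImage
            CommandLine = $r.CommandLine
            Reason      = ($reasons -join '; ')
        }
    }
}

# Constructed sample records: the first two should be flagged, the last two not.
$SampleRecords = @(
    [pscustomobject]@{
        UtcTime     = '2022-05-30 09:12:01'
        ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
        Image       = 'C:\Windows\System32\msdt.exe'
        CommandLine = '"C:\Windows\System32\msdt.exe" ms-msdt:/constructed-placeholder'
    },
    [pscustomobject]@{
        UtcTime     = '2022-05-30 09:15:44'
        ParentImage = 'C:\Windows\explorer.exe'      # preview-pane launch, no click needed
        Image       = 'C:\Windows\System32\msdt.exe'
        CommandLine = '"C:\Windows\System32\msdt.exe" ms-msdt:/constructed-placeholder'
    },
    [pscustomobject]@{
        UtcTime     = '2022-05-30 10:02:10'
        ParentImage = 'C:\Windows\explorer.exe'      # user ran a troubleshooter by hand
        Image       = 'C:\Windows\System32\msdt.exe'
        CommandLine = 'msdt.exe /id PCWDiagnostic'
    },
    [pscustomobject]@{
        UtcTime     = '2022-05-30 10:05:37'
        ParentImage = 'C:\Windows\explorer.exe'
        Image       = 'C:\Windows\System32\notepad.exe'
        CommandLine = 'notepad.exe C:\Users\alice\notes.txt'
    }
)

Find-SuspiciousMsdtLaunch -Records $SampleRecords | Format-Table -AutoSize
```

To run this over real data, replace the constructed array with objects built from Get-WinEvent output; the function only needs the four fields it reads. The rule deliberately treats explorer.exe as suspicious only when the ms-msdt: scheme is present, so a troubleshooter launched manually by a user is not reported.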

Microsoft lists 41 different product versions affected by Follina, from Windows 7 to Windows 11 and from Server 2008 to Server 2022. Office, Office 2016, Office 2021 and Office 2022 are known and proven to be affected, regardless of the version of Windows they are running on.

Log4Shell Comparison

“Follina appears to be trivially exploitable and very powerful, given its ability to bypass Windows Defender,” Casey Ellis, CTO and founder of Bugcrowd, which operates a crowdsourced bug bounty platform, told TechNewsWorld.

Follina’s virulence, however, was downplayed by Roger Grimes, data-driven defense evangelist at KnowBe4, a security awareness training provider in Clearwater, Fla. “The worst type of Zero Day is one that launches against a user’s unprotected listening service or executes immediately when downloaded or clicked on,” he told TechNewsWorld.

“This isn’t that,” he continued. “Microsoft will have a patch created in a few days or less and if users haven’t disabled the default auto-patching in Microsoft Office — or if they use Office 365 — the patch will be automatically applied quickly. This exploit is something to be concerned about, but it’s not going to take over the world.”


Dirk Schrader, global vice president of New Net Technologies, now part of Netwrix, a provider of IT security and compliance software in Naples, Fla., compared Follina to the Log4Shell vulnerability, which was discovered in December 2021 and continues to plague thousands of businesses today.

Log4Shell was about an uncontrolled way of executing a function within a function, combined with the ability to call for external resources, he explained. “This Zero Day, initially named Follina, works in a similar way,” he told TechNewsWorld.

“Windows built-in security tools are likely not to catch this activity and standard hardening benchmarks don’t cover it,” he said. “Built-in defensive mechanisms like Defender or common restrictions for the use of macros will not block this attack, as well.”

“The exploit seems to be out in the wild for about a month now, with various modifications as to what should be executed on the targeted system,” he added.

Microsoft Workaround

Microsoft officially recognized the vulnerability on Monday (CVE-2022-30190) and issued workarounds to mitigate the flaw.

“A remote code execution vulnerability exists when [Microsoft Support Diagnostic Tool] is called using the URL protocol from a calling application such as Word,” it explained in a company blog.

“An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application,” it continued. “The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights.”

As a workaround, Microsoft recommended disabling the URL protocol in the MSDT tool. That prevents troubleshooters from being launched from links; troubleshooters can still be accessed through the Get Help application and in system settings.

The workaround shouldn’t be too much of an inconvenience to users, noted Chris Clements, vice president of solutions architecture at Cerberus Sentinel, a cybersecurity consulting and penetration testing company, in Scottsdale, Ariz.

“The support tool still functions as normal,” he told TechNewsWorld. “The only difference is that URLs that use the protocol-specific link won’t automatically open in the support tool like they would by default.”


“Think of it as how clicking an http:// link automatically opens your default browser,” he continued. “The msdt:/ links are just pre-associated by default with the support tool. The mitigation removes that auto-open-with association.”
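The association Clements describes is what the workaround removes. The PowerShell below is an added example, not code from the article and not Microsoft’s advisory text: it backs up the handler registration, removes it, and verifies that ms-msdt: links no longer resolve to a handler, with a restore function for when the patch is applied. It assumes the scheme is registered where Windows keeps URL protocol handlers, under HKEY_CLASSES_ROOT\ms-msdt; the backup path is a chosen location, and the commands need an elevated session.

```powershell
# Added example (not from the article): disable the ms-msdt: URL protocol
# association, keeping a .reg backup so it can be restored after patching.
# Assumption: URL protocol handlers live under HKEY_CLASSES_ROOT\<scheme>.
# PowerShell has no HKCR: drive by default, so the Registry:: provider path is used.

$ProtocolKey = 'Registry::HKEY_CLASSES_ROOT\ms-msdt'
$BackupPath  = Join-Path $env:ProgramData 'ms-msdt-backup.reg'   # chosen location

function Test-MsdtProtocolRegistered {
    # True while ms-msdt: links are still associated with a handler.
    return (Test-Path -LiteralPath $ProtocolKey)
}

function Disable-MsdtUrlProtocol {
    param([string]$Backup = $BackupPath)

    if (-not (Test-MsdtProtocolRegistered)) {
        Write-Output 'ms-msdt: protocol is not registered; nothing to do.'
        return
    }

    # Export first so the association can be restored once a patch is installed.
    & reg.exe export 'HKEY_CLASSES_ROOT\ms-msdt' $Backup /y | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "Backup to $Backup failed; leaving the key in place."
    }

    # Remove the handler registration. The diagnostic tool itself stays installed;
    # only the link-to-msdt association goes away, as the article describes.
    Remove-Item -LiteralPath $ProtocolKey -Recurse -Force

    if (Test-MsdtProtocolRegistered) {
        throw 'ms-msdt key still present after removal; check permissions.'
    }
    Write-Output "ms-msdt: handler removed; backup written to $Backup"
}

function Restore-MsdtUrlProtocol {
    param([string]$Backup = $BackupPath)

    if (-not (Test-Path -LiteralPath $Backup)) {
        throw "No backup found at $Backup"
    }
    & reg.exe import $Backup | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'reg import failed' }
    Write-Output 'ms-msdt: handler restored from backup.'
}

# Usage from an elevated PowerShell session:
#   Disable-MsdtUrlProtocol
#   Test-MsdtProtocolRegistered    # should now return False
#   Restore-MsdtUrlProtocol        # after the vendor patch is installed
```

Test-MsdtProtocolRegistered doubles as a compliance check: run it across a fleet and any host returning True still has the link association the article says the workaround is meant to remove.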

Longer Support Ticket Times

Ray Steen, CSO with MainSpring, an IT managed services provider in Frederick, Md., agreed that the workaround would have a minimal impact on users. “MSDT is not a general troubleshooter or support tool,” he told TechNewsWorld. “It is only used to share logs with Microsoft technicians during support sessions.”

“Technicians can obtain the same information by other means, including the System Diagnostics Report tool,” he said.

In addition, he noted, “Disabling the URL protocol only prevents MSDT from being launched through a link. Users and remote technicians will still be able to open it manually.”

There may be one potential drawback for organizations shutting off the URL protocol, however, noted Carmit Yadin, CEO and founder of DeviceTotal, a risk management company in Tel Aviv, Israel. “Organizations will see an increase in support desk ticket times because the MSDT traditionally helps diagnose performance issues, not just security incidents,” he told TechNewsWorld.

Vulnerability Will Be Weaponized

Harish Akali, CTO of ColorTokens, a provider of autonomous zero trust cybersecurity solutions in San Jose, Calif., maintained that Follina underlines the importance of zero trust architecture and solutions based on that principle.

“Such an approach would only allow legitimate and approved network communication and processes on a computer,” he told TechNewsWorld. “Zero trust software would also block lateral movement, a key tactic the hackers use to access valuable data once they access a compromised IT asset.”

Schrader noted that in the coming weeks, attackers will likely check for ways to weaponize the vulnerability. “This Zero Day in a spear-phishing campaign could be combined with recently discovered attack vectors and with privilege escalation techniques to elevate from the current user’s context,” he said.

“Keeping in mind the possibility of this combined tactic, IT pros should make sure that systems are closely monitored to detect breach activity,” he advised.

“On top of that,” he continued, “the similarities with Log4Shell, which made headlines in December 2021, are striking. Same as it, this vulnerability is about using an application’s ability to remotely call for a resource using the URI scheme, and not having safeguards in place.”

“We can expect APT groups and cyber crooks to specifically look for more of these as they seem to offer an easy way in,” he added.
