A large security risk has appeared in Microsoft Word, a zero-day security problem which can infect even fully updated Word. Microsoft has taken at least 14 months and still hasn’t fixed the security hole. We’ll explain the problem and what you can do.
It’s a relatively simple hack which takes advantage of gaps in Word, Windows and the Microsoft Support Diagnostic Tool (msdt). Microsoft has known about the bug for over a year, allowing time for criminals to exploit their security lapse since April, mostly in Russia, India and later China.
A Word (.doc or .docx) or RTF document uses the remote template feature to grab a HTML file from the Internet. That file has a link using the prefix ms-msdt: to run the Diagnostic Tool which is on all modern Windows machines. In turn that runs some PowerShell code which can give access to the computer.
There are many security problems that Microsoft needs to address.
- Word is running a program (Microsoft’s own Diagnostic Tools) while macros are DISabled.
- Word’s Protected View does block the bad link (as it should) but that’s NOT enough because …
- An RTF document with the hack can infect a computer from the Explorer Preview pane.
- Presumably also the Outlook Reading (preview) pane which uses the same system.
- Protected View should not be the last line of defense. Such a simple hack should not get that far into Word.
- Why is the Explorer/Outlook preview allowed to get a remote template and run it?
- How the ^%$ is Microsoft’s Diagnostic Tool allowed to run PowerShell code?
Naturally, Microsoft is trying to focus attention on the work of Protected View not mentioning the other risks to customers.
Follina or CVE-2022-30190
The hack has been nicknamed Follina, it’s official name is CVE-2022–30190
For all the details, check out Kevin Beaumont’s long and detailed post who notes:
“ The vulnerability has been proved in Office 2013, 2016, 2019, 2021, Office ProPlus and Office 365.
It also applies to Windows itself, e.g. it can be called from .lnk files — effectively there are two different issues in my opinion, Office itself using MS Protocol and allowing loading unfiltered from HTML Word templates and Outlook links, and MSDT allowing code execution. “
How to protect yourself
Until Microsoft pulls their proverbial finger out, all customers can do is be careful.
- Be wary of previewing RTF files in either Explorer or Outlook.
- Instead open the documents in Word, making sure protected mode is enabled.
- As ever, be wary of incoming documents from any source but especially unusual or unexpected docs.
On 30 May 2022 Microsoft finally acknowledged the problem and released what they call a ‘mitigation’. Like many of their quick fixes, there’s a downside. The fix removes the association which allows ms-msdt: links to work, opening the Diagnostic Tool. It can only be a temporary fix because other systems rely on that type of link.
Microsoft’s current mitigation is to remove the association that allows their Diagnostic Tools program to be run from a link. That’s done by deleting this Registry Key
HKEY_CLASSES_ROOT\ms-msdt
Or disable the Troubleshooting wizards via a Registry Key:
HKLM\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnostics EnableDiagnostics = 0
Or Group Policy
- Computer Configuration | Administrative Templates | System | Troubleshooting and Diagnostics | Scripted Diagnostics Set
- “Troubleshooting: Allow users to access and run Troubleshooting Wizards”
- change to “disabled”
Microsoft has now published a very carefully worded page of ‘mitigations’. It belatedly explains the link blocks that others had already published. The page doesn’t mention the vulnerability of viewing infected documents in the Explorer/Outlook preview pane. No mention of the greater risk from RTF files.
Microsoft’s failures to act over 18 months
Microsoft has handled this vulnerability very badly. In stark contrast to their big talk about security, their actions have been slow, incomplete and self-serving. As usual, Microsoft focus on immediate sales numbers is more important than customer security.
Kevin Beaumont’s timeline shows that Microsoft should have known about the possibility of intrusion via the ms-msdt: links since August 2020!
A bachelor’s thesis explained how it was possible in Word via several different ways. If that hint didn’t reach Microsoft Security the next one should have.
In March 2021, well over a year ago, Microsoft was notified that Microsoft Office URI’s can be used to execute code. The examples given were in Teams. Microsoft appears to have quietly fixed the problem but only in Teams and without notifying customers more widely.
A year later, a blog post again explains the vulnerability.
12 April 2022 – Microsoft security is notified of a hacked Word document being used ‘in the wild’ to infect computers. At this point the security lapse isn’t theoretical, it’s real.
21 April 2022 – nine days later, Microsoft security closes the ticket say it’s “ not a security related issue”. A decision that’s hard to understand and definitely not correct.
It’s possible that in early May 2022, Microsoft tried or accidently fixed the security bug in Office 365 Insiders releases. If they did, it wasn’t announced.
27 May 2022 – the exploit is again reported to Microsoft Security after more hacked documents appear in organizations.
29 May 2022 – it’s confirmed that Office 365 Semi-annual channel (the main release to enterprises) is vulnerable.
30 May 2022 – since Microsoft hasn’t acted, crowdsourcing begins on protecting from this vulnerability.
30 May 2022 evening – about 14 months after first notification, Microsoft Security finally admits the vulnerability. They publish CVE-2022–30190 and update Defender antivirus plus EDI to detect the malicious links.
31 May 2022 – Microsoft belatedly calls it a zero-day vulnerability with no patch, high severity and being actively exploited.
Office security fix bypassed in an incredibly simple way
Microsoft security apps arrive for Apple and Android for 365 customers