Zero-day Windows security bug spreads to Europe and USA

The serious Windows and Office security bug is now used to target organizations in Europe and USA.  Despite plenty of warnings, Microsoft still doesn’t have a fix, just ‘mitigations’.

Last week Office-Watch.com told you about “Follina”, or CVE-2022-30190, a relatively simple hack that exploits a security bug in Microsoft’s own Microsoft Support Diagnostic Tool (msdt.exe).  It’s a bug Microsoft had been warned about for over a year, but took no action until it was openly and widely exploited.

Since the news broke widely in late May and Microsoft didn’t act, it was inevitable that other hackers would take advantage of the security bug and Redmond’s inaction.

This security lapse affects ALL supported versions of Windows and Windows Server.  There’s no patch available, only some ‘mitigations’ or temporary fixes that we explained earlier.

Now government agencies and others in Europe and USA are being targeted with emails containing an RTF document attachment. Here’s just one example using the promise of a salary increase to trick people into opening the attachment.

[Image: sample phishing email promising a salary increase, with an RTF attachment. Source: Proofpoint Threat Insight]

Using an RTF (Rich Text Format) attachment is clever because it combines the Follina bug with a weakness in how Windows previews files.

Preview pane could infect your computer

Malicious RTF files can trigger the exploit from the Preview Pane in File Explorer or the Reading/Preview Pane in Outlook.

There’s no need to open the RTF in Word, WordPad or any other app – merely selecting the file so that it appears in the preview pane is enough to cause trouble.

Usually the preview pane is considered a safe way to view a file – and it should be.

It’s also clever because RTF files are wrongly thought of as a safe file format that can be opened without worry. Wrong! Even though RTFs can’t carry macro code, an RTF file can carry malicious content, including embedded objects that link out to other files. See Are RTF files risky?

The new exploit of “Follina”

According to Proofpoint a “state aligned actor” is responsible for the latest attacks on European and US government targets.

“State aligned actor” is a euphemism for a hacking group either operated or supported by a government.  Proofpoint hasn’t publicly named the group behind this particular campaign.  It had earlier reported a separate Follina campaign by TA413, a group it links to mainland China, against Tibetan targets.  Russia and North Korea are two other states known to support such “actors”.

What to do?

Until Microsoft gets around to releasing a bug fix there are a few things you can do … at the risk of repeating ourselves:

  • Beware all incoming documents, regardless of format. 
  • ALWAYS check the extension of an attachment.  If it’s an old format like .doc or .xls, be very wary.
  • At the moment, be especially wary of unexpected RTF files.
  • Disable the ms-msdt: link to the Diagnostic software by removing its registry entry (Microsoft’s own workaround).  That might have consequences if you’re trying to get remote help, but most people won’t notice any change.  Export the key first so you can put it back once a real patch arrives.
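Here is the registry change from the last bullet as a script.  This is an added example, not Office-Watch’s code and not a Microsoft tool; it wraps the `reg.exe export` / `reg.exe delete` steps Microsoft published as the workaround.  The backup file name and location are this example’s own choices.  Run it from an elevated (Run as administrator) PowerShell window.

```powershell
# Added example: back up and remove the ms-msdt: URL protocol handler that the
# Follina (CVE-2022-30190) payload uses to launch msdt.exe. Without the handler
# an ms-msdt: link has nothing to open, so the exploit chain stops there.
# The backup path below is an assumption; change it to suit.

$BackupFile = Join-Path $env:TEMP 'ms-msdt-backup.reg'
$KeyPath    = 'Registry::HKEY_CLASSES_ROOT\ms-msdt'

function Test-MsdtHandler {
    # $true means the ms-msdt: protocol is still registered (mitigation NOT applied).
    return Test-Path -Path $KeyPath
}

function Disable-MsdtHandler {
    if (-not (Test-MsdtHandler)) {
        Write-Host 'ms-msdt: handler already removed; nothing to do.'
        return
    }
    # 1. Export the key first so the change can be reversed after the patch ships.
    reg.exe export 'HKCR\ms-msdt' $BackupFile /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Backup to $BackupFile failed; not deleting the key." }

    # 2. Delete the protocol handler.
    reg.exe delete 'HKCR\ms-msdt' /f | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'Deleting HKCR\ms-msdt failed.' }
    Write-Host "ms-msdt: handler removed. Backup saved to $BackupFile"
}

function Restore-MsdtHandler {
    # Undo: re-import the exported key once Microsoft's proper fix is installed.
    if (-not (Test-Path -Path $BackupFile)) { throw "No backup found at $BackupFile" }
    reg.exe import $BackupFile | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'Import failed.' }
    Write-Host 'ms-msdt: handler restored.'
}

Disable-MsdtHandler
# Verify: should print False once the key is gone.
Write-Host ('ms-msdt: handler still present: {0}' -f (Test-MsdtHandler))
```

Keep the exported .reg file somewhere safe; running `Restore-MsdtHandler` puts the handler back so Windows troubleshooters that rely on ms-msdt: links work again.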

Many mail systems should now have checks for the common forms of the “Follina” attachment, so there’s a lower risk of a malicious email reaching Inboxes.  The tell-tale sign in both the Word and RTF versions is an embedded object that links out to a web address instead of holding its content inside the document.  But the hackers are cunning and will find ways to bypass those checks and reach you.
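The kind of check described above, written out for both the Word (.docx) and RTF carriers mentioned earlier on this page.  This is an added example, not code from Office-Watch or from any mail vendor.  For a .docx it reads the relationship files inside the ZIP and flags any OLE object whose target is external; for an RTF it hex-decodes each \objdata blob and looks for a web address inside, checking both plain ASCII and UTF-16 text (which encoding a given sample uses is an assumption here).  The scan folder is also an assumption.

```powershell
# Added example: flag Office documents whose embedded OLE object points to an
# external URL, the delivery trick used by the Follina (CVE-2022-30190) lures.
# Heuristics are this example's own; tune the paths before use.

Add-Type -AssemblyName System.IO.Compression.FileSystem

function Test-DocxExternalOle {
    param([Parameter(Mandatory)][string]$Path)
    $hits = @()
    $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
    try {
        # Relationship files for the body, headers, footers, etc.
        foreach ($entry in ($zip.Entries | Where-Object { $_.FullName -like 'word/_rels/*.rels' })) {
            $reader = New-Object System.IO.StreamReader($entry.Open())
            try { [xml]$rels = $reader.ReadToEnd() } finally { $reader.Dispose() }
            foreach ($rel in $rels.Relationships.Relationship) {
                # A genuine embedded object is stored inside the ZIP; the lure
                # instead links to a remote file (TargetMode="External").
                if ($rel.Type -like '*/oleObject' -and $rel.TargetMode -eq 'External') {
                    $hits += "$($Path): $($entry.FullName) has external OLE link to $($rel.Target)"
                }
            }
        }
    } finally { $zip.Dispose() }
    return $hits
}

function Test-RtfExternalObject {
    param([Parameter(Mandatory)][string]$Path)
    $hits = @()
    $text = [System.IO.File]::ReadAllText($Path)
    # Each \objdata group holds an OLE object as a run of hex digits.
    foreach ($m in [regex]::Matches($text, '\\objdata\s*([0-9A-Fa-f\s]+)')) {
        $hex = $m.Groups[1].Value -replace '\s', ''
        if ($hex.Length % 2 -ne 0) { $hex = $hex.Substring(0, $hex.Length - 1) }
        $bytes = [byte[]]::new($hex.Length / 2)
        for ($i = 0; $i -lt $bytes.Length; $i++) {
            $bytes[$i] = [Convert]::ToByte($hex.Substring(2 * $i, 2), 16)
        }
        # Assumption: a remote link shows up as a URL in the decoded object,
        # stored either as ASCII or as UTF-16LE text.
        $ascii = [Text.Encoding]::ASCII.GetString($bytes)
        $wide  = [Text.Encoding]::Unicode.GetString($bytes)
        foreach ($s in @($ascii, $wide)) {
            $url = [regex]::Match($s, 'https?://[\x21-\x7e]+')
            if ($url.Success) { $hits += "$($Path): OLE object references $($url.Value)"; break }
        }
    }
    return $hits
}

# Usage: scan every .docx and .rtf under a quarantine folder (path is an assumption).
$Folder = 'C:\Quarantine'
Get-ChildItem -Path $Folder -Recurse -Include *.docx, *.rtf -File | ForEach-Object {
    $findings = if ($_.Extension -ieq '.rtf') { Test-RtfExternalObject $_.FullName }
                else { Test-DocxExternalOle $_.FullName }
    foreach ($f in $findings) { Write-Warning $f }
}
```

A warning from this scan is not proof of Follina, just a reason to look closer: a legitimate document can link to an external object too, but it is rare in everyday email attachments, which is why mail gateways key on it.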

Otherwise, all we can do is wait until Microsoft graces their paying customers with a proper security patch.  They’ve had over a year, so clearly Redmond isn’t in any hurry.

Zero-day security hole in Word, Microsoft very slow to act
Are RTF files risky?
Office docs to avoid at all costs, the old formats