Researchers have discovered a zero-day vulnerability in Microsoft Office that could be exploited to execute arbitrary code on vulnerable Windows PCs.
The flaw came to light after nao_sec, an independent cybersecurity research group, found a Word document (“05-2022-0438.doc”) that had been submitted to VirusTotal from a Belarusian IP address.
“It loads the HTML via Word’s external link and then executes PowerShell code using the ‘ms-msdt’ scheme,” the researchers said in a series of tweets last week.
The bug, nicknamed “Follina” by security researcher Kevin Beaumont, uses Word’s remote template functionality to request an HTML file from a server, which is then used to launch the malicious payload using the “ms-msdt:/” URI scheme.
MSDT stands for Microsoft Support Diagnostics Tool, a tool that is used to troubleshoot and collect diagnostic data so that support specialists may analyze it and address an issue.
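For defenders triaging suspect documents, the following added example (not code from the researchers or from Microsoft) lists the external relationships in an Office Open XML container and flags any that are not plain hyperlinks, along with any text naming the ms-msdt scheme. It assumes a zip-based OOXML file; the sample archive, its URLs and the function names are constructed for illustration, and RTF or legacy binary files are not handled.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET  # for untrusted files at scale, prefer defusedxml

NS = "http://schemas.openxmlformats.org/package/2006/relationships"
T = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
REL = "{%s}Relationship" % NS
MSDT_RE = re.compile(r"ms-msdt\s*:", re.IGNORECASE)

def external_targets(doc_bytes):
    """Return (part, rel_type, target) for each TargetMode="External" relationship."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(doc_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            for rel in ET.fromstring(zf.read(name)).iter(REL):
                if rel.get("TargetMode", "").lower() == "external":
                    rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                    hits.append((name, rel_type, rel.get("Target", "")))
    return hits

def references_msdt(text):
    """True if text (fetched HTML or a relationship target) names the ms-msdt scheme."""
    return bool(MSDT_RE.search(text))

def triage(doc_bytes):
    """Flag external relationships other than plain hyperlinks, plus any ms-msdt target."""
    findings = []
    for part, rel_type, target in external_targets(doc_bytes):
        if rel_type != "hyperlink" or references_msdt(target):
            findings.append(f"{part}: {rel_type} -> {target}")
    return findings

def sample_doc():
    """Constructed sample: a zip holding only two relationship parts, no real content."""
    def rels(kind, target):
        return (f'<Relationships xmlns="{NS}"><Relationship Id="rId1" Type="{T}{kind}" '
                f'Target="{target}" TargetMode="External"/></Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/_rels/document.xml.rels", rels("hyperlink", "https://example.com/"))
        zf.writestr("word/_rels/settings.xml.rels",
                    rels("attachedTemplate", "https://files.example.invalid/t.html"))
    return buf.getvalue()

if __name__ == "__main__":
    for line in triage(sample_doc()):
        print(line)
```

A flagged relationship is a lead for an analyst rather than a verdict, since legitimate documents also attach remote templates.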
“There’s a lot going on here, but the first problem is Microsoft Word is executing the code via msdt (a support tool) even if macros are disabled,” Beaumont explained.
“Protected View does kick in,” the researcher said, “however changing the document to RTF form causes it to execute without even accessing the document (through the preview tab in Explorer), let alone Protected View.”
Multiple Microsoft Office versions are said to be affected, including Office, Office 2016, and Office 2021, with more versions expected to be susceptible as well.
In addition, NCC Group’s Richard Warren demonstrated an attack on Office Professional Pro with April 2022 patches, running on a current Windows 11 computer with the preview pane enabled.
“Microsoft will have to fix it across all of their product offerings,” Beaumont added, “and security suppliers will require comprehensive detection and blocking.” Microsoft has been contacted for comment.