Follina MSDT zero day code execution CVE-2022-30190

#Follina is a zero day allowing code execution in Office products. Historically, when there are easy ways to execute code directly from Office, people use them to do bad things. This breaks the boundary of having macros disabled. Vendor detection is poor.

It uses Word's external link to load the #HTML and then uses the "ms-msdt" scheme to execute #PowerShell code.

How does it work?

Very loosely speaking, the exploit works like this:

  • You open a booby-trapped DOC file, perhaps received via email.
  • The document references a regular-looking https: URL that gets downloaded.
  • This https: URL references an HTML file that contains some weird-looking JavaScript code.
  • That JavaScript references a URL with the unusual identifier ms-msdt: in place of https:.
  • On Windows, ms-msdt: is a proprietary URL type that launches the MSDT software toolkit.
  • MSDT is shorthand for Microsoft Support Diagnostic Tool.
  • The command line supplied to MSDT via the URL causes it to run untrusted code.

The temporary mitigation is to remove the ms-msdt URI scheme registry key (requires local administrator rights). You can also do this via Group Policy Preferences.
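As an added example (not code from the original post or from Microsoft's guidance), the following PowerShell performs that workaround on a single host: it exports the ms-msdt key so it can be restored after patching, removes it, and verifies the scheme is no longer registered. The backup file location is an assumed placeholder.

```powershell
# Added example: temporary Follina (CVE-2022-30190) workaround.
# Run from an elevated PowerShell session (local administrator rights required).
# $BackupFile is a placeholder path; change it to suit your environment.

$KeyPath    = 'Registry::HKEY_CLASSES_ROOT\ms-msdt'
$BackupFile = Join-Path $env:ProgramData 'ms-msdt-backup.reg'   # placeholder

function Test-MsdtHandlerPresent {
    # $true while the ms-msdt: URI scheme still has a registered handler.
    return Test-Path -LiteralPath $KeyPath
}

function Get-MsdtHandlerCommand {
    # Shows what the scheme currently launches (useful for an audit record).
    $cmdKey = Join-Path $KeyPath 'shell\open\command'
    if (Test-Path -LiteralPath $cmdKey) {
        return (Get-ItemProperty -LiteralPath $cmdKey -ErrorAction SilentlyContinue).'(default)'
    }
    return $null
}

function Disable-MsdtHandler {
    if (-not (Test-MsdtHandlerPresent)) {
        Write-Output 'ms-msdt handler already absent; nothing to do.'
        return
    }
    Write-Output "Current handler: $(Get-MsdtHandlerCommand)"

    # Back up first so the key can be restored later with: reg import $BackupFile
    & reg.exe export 'HKEY_CLASSES_ROOT\ms-msdt' $BackupFile /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'Backup failed; refusing to delete the key.' }

    Remove-Item -LiteralPath $KeyPath -Recurse -Force
    Write-Output "Removed $KeyPath (backup at $BackupFile)."
}

Disable-MsdtHandler
if (Test-MsdtHandlerPresent) {
    Write-Warning 'ms-msdt handler is still present; check for errors above.'
} else {
    Write-Output 'Verified: ms-msdt: scheme is no longer registered on this host.'
}
```

Restore the handler with `reg import` of the backup file once the host has the vendor patch applied.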

Guidance from Microsoft: https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/

GitHub repo (this repository covers #Follina #MSDT from a #Defender perspective): https://github.com/archanchoudhury/MSDT_CVE-2022-30190#List-of-IOCs

Original article: https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e

#microsoft #office #msdt #follina #CVE-2022-30190
