Microsoft has released workarounds for an Office vulnerability that is being actively exploited.
Microsoft issued a warning on Monday about a newly found zero-day security hole in its Office productivity suite, which may be used to gain code execution on vulnerable PCs.
The vulnerability, now known as CVE-2022-30190, has a severity rating of 7.8 out of 10 on the CVSS vulnerability assessment system. Office 2013, Office 2016, Office 2019, and Office 2021, as well as Professional Plus editions, are affected.
“To help protect customers, we’ve released CVE-2022-30190 and further advice here,” a Microsoft spokesman said in an emailed statement to The Hacker News.
The Follina flaw, discovered late last week, involved a real-world attack that exploited the flaw through a weaponized Word document to execute arbitrary PowerShell code via the “ms-msdt:” URI scheme. The sample was uploaded to VirusTotal from Belarus.
However, the earliest indications of the flaw’s exploitation date back to April 12, 2022, when a second sample was added to the malware database. This artifact is thought to have targeted a Russian user with a malicious Word document (“pилаение на интерв.doc”) posing as an interview invitation from Sputnik Radio.
“When MSDT is contacted via the URL protocol from a calling program such as Word, a remote code execution vulnerability occurs,” Microsoft stated in an advisory for CVE-2022-30190.
“An attacker who successfully exploits this vulnerability can execute arbitrary code with the caller application’s privileges. In the context permitted by the user’s permissions, the attacker can then install applications, read, alter, or remove data, or establish new accounts.”
Crazyman, a member of the Shadow Chaser Group, was credited with disclosing the bug on April 12, coinciding with the discovery of the in-the-wild attack targeting Russian users, which indicates that Microsoft was already aware of the vulnerability.
Indeed, according to screenshots shared on Twitter by the researcher, Microsoft closed the report on April 21, 2022, stating that “the issue has been fixed,” while also dismissing the flaw as “not a security issue” because it requires a passkey provided by a support technician when starting the diagnostic tool.
In addition to publishing detection rules for Microsoft Defender for Endpoint, the Redmond-based company has included workarounds in its guidance for disabling the MSDT URL protocol via a Windows Registry change.
“If the calling program is a Microsoft Office application,” Microsoft explained, “by default, Microsoft Office opens documents from the internet in Protected View or Application Guard for Office, both of which block the present attack.”
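Microsoft's description of MSDT being reached via the URL protocol from a calling program such as Word suggests a simple hunting check over process-creation logs. The following is an added example, not Microsoft's detection rule or code from the article; the Sysmon-style field names, the list of Office parents and the sample events are assumptions constructed for illustration.

```python
import json
import ntpath

# Office binaries treated as "calling programs"; this list is an assumption, extend as needed.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
URI_SCHEME = "ms-msdt:"

# Constructed sample events, one JSON object per line (field names are assumed, Sysmon-style).
SAMPLE_EVENTS = r'''
{"host": "ws01", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "Image": "C:\\Windows\\System32\\msdt.exe", "CommandLine": "msdt.exe ms-msdt:/<constructed-arguments>"}
{"host": "ws02", "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\msdt.exe", "CommandLine": "msdt.exe /id <constructed-pack>"}
{"host": "ws03", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "Image": "C:\\Windows\\System32\\splwow64.exe", "CommandLine": "splwow64.exe 8192"}
{"host": "ws04", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "Image": "C:\\Windows\\System32\\MSDT.EXE", "CommandLine": "MSDT.EXE MS-MSDT:/<constructed-arguments>"}
'''


def classify(event):
    """Return the reasons an event is suspicious (empty list means not flagged)."""
    # Only msdt.exe launches are of interest; Windows paths are case-insensitive.
    if ntpath.basename(event.get("Image", "")).lower() != "msdt.exe":
        return []
    reasons = []
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    if parent in OFFICE_PARENTS:
        reasons.append("office-parent:" + parent)
    if URI_SCHEME in event.get("CommandLine", "").lower():
        reasons.append("uri-scheme")
    return reasons


def scan(lines):
    """Scan JSON-lines text and return (host, reasons) for every flagged event."""
    findings = []
    for line in lines.splitlines():
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip blank or malformed records instead of aborting the hunt
        if not isinstance(event, dict):
            continue
        reasons = classify(event)
        if reasons:
            findings.append((event.get("host", "?"), reasons))
    return findings


if __name__ == "__main__":
    for host, reasons in scan(SAMPLE_EVENTS):
        print(host, ", ".join(reasons))
```

An msdt.exe launch from explorer.exe without the URI scheme (ws02) and an unrelated child of Word (ws03) are deliberately left unflagged, which keeps the check from firing on ordinary troubleshooting or printing.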
This isn’t the first time Microsoft Office protocol schemes like “ms-msdt:” have been scrutinized for potential abuse. Earlier last month, German cybersecurity firm SySS revealed how to open files directly using carefully constructed URLs like “ms-excel:ofv|u|https://192.168.1.10/poc[.]xls.”