Attackers can use specially crafted Word documents to inject and execute any malicious code. However, the real problem is not in Microsoft Office, but in a Windows component.
A vulnerability nicknamed “Follina”, which allows Microsoft Office to be abused to smuggle in malware, has been known since the beginning of the week. A researcher discovered a specially prepared Word file on VirusTotal that appears to have been uploaded from Belarus. Microsoft has since confirmed the vulnerability and has published recommendations for protecting against attacks.
According to Microsoft, the actual vulnerability (CVE-2022-30190) is in the “Microsoft Support Diagnostic Tool (MSDT)”, i.e. in Windows itself. Vulnerable Office versions hand a file download instruction contained in the crafted document to this tool, which ultimately executes it; MSDT acts here as a so-called URL handler. Macros do not need to be enabled in Office. Depending on the Office version, the “Protected View” that is active by default prevents the problematic instruction from being executed, but users can easily leave this view. If the DOC file is converted into an RTF document, Office is not needed at all: the preview pane in Windows Explorer, which has no Protected View, is then sufficient.
Large-scale attacks exploiting the vulnerability have not yet been observed, but isolated attacks are already occurring and an increase is probably only a matter of time. Microsoft has not yet released a security update that closes the hole. It does, however, give some tips on preventive measures (“workarounds”), aimed primarily at IT managers in companies.
These safeguards should help
The obvious idea is to disable MSDT’s URL handler. The disadvantage: troubleshooters (“problem solutions”) can no longer be launched from links. To take the precautionary measure anyway, open a text console (Command Prompt) with admin rights and first save a backup of the corresponding registry key to a file:
reg export HKEY_CLASSES_ROOT\ms-msdt filename
Instead of “filename” use something like “msdt-url.reg”. Then delete the key you just backed up:
reg delete HKEY_CLASSES_ROOT\ms-msdt /f
To restore functionality later, when a security update is available and installed, import the REG file created as a backup back into the Windows registry:
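The backup, delete and restore steps above, gathered into one script as an added example (this is not from the article or from Microsoft’s guidance). It runs from an elevated PowerShell prompt and uses the same reg.exe commands and the same `HKEY_CLASSES_ROOT\ms-msdt` key; the backup location under `$env:ProgramData`, the function names and the “refuse to delete if the backup failed” check are assumptions of this example.

```powershell
# Added example: Follina (CVE-2022-30190) MSDT URL-handler workaround as a script.
# Run from an elevated (admin) PowerShell prompt. The key and reg.exe commands are the
# ones the article names; the backup path and function names are this example's choice.

$Key        = 'HKEY_CLASSES_ROOT\ms-msdt'
$BackupFile = Join-Path $env:ProgramData 'msdt-url.reg'   # assumed backup location

function Test-MsdtHandlerPresent {
    # $true while the ms-msdt: URL protocol handler is still registered.
    return Test-Path 'Registry::HKEY_CLASSES_ROOT\ms-msdt'
}

function Disable-MsdtUrlHandler {
    if (-not (Test-MsdtHandlerPresent)) {
        Write-Host 'ms-msdt handler already absent; nothing to do.'
        return
    }
    # 1. Back up the key so the handler can be restored once the patch is installed.
    reg export $Key $BackupFile /y
    if ($LASTEXITCODE -ne 0) { throw 'Backup failed; refusing to delete the key.' }
    # 2. Remove the handler so ms-msdt: links from Office or the RTF preview cannot launch MSDT.
    reg delete $Key /f
    if ($LASTEXITCODE -ne 0) { throw 'reg delete failed.' }
    Write-Host "ms-msdt handler removed; backup written to $BackupFile"
}

function Restore-MsdtUrlHandler {
    # Re-import the saved key after a security update has been installed.
    if (-not (Test-Path $BackupFile)) { throw "No backup found at $BackupFile" }
    reg import $BackupFile
    if ($LASTEXITCODE -ne 0) { throw 'reg import failed.' }
    Write-Host "ms-msdt handler restored from $BackupFile"
}

# Usage:
#   Disable-MsdtUrlHandler    # apply the workaround now
#   Restore-MsdtUrlHandler    # undo it once the update is installed
```

The script deliberately stops if the export step fails, so the key is never deleted without a restorable copy; `Test-MsdtHandlerPresent` can also be run on its own to audit whether a host already has the workaround applied.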
The standard Windows Defender (Microsoft Defender Antivirus, formerly Windows Defender) should detect malicious code that tries to exploit the Follina vulnerability with definitions from build 1.367.719.0 onwards. The reported detection names are “Trojan:Win32/Mesdetty.A”, “Trojan:Win32/Mesdetty.B” and “Behavior:Win32/MesdettyLaunch.A!blk”. It is not yet known when Microsoft will provide a security update that fixes the vulnerability.
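A quick check an administrator can run to confirm a host has definitions at or above the build cited above and to list any Defender detections carrying the Follina names; this is an added example, not part of the article. It uses the built-in Defender cmdlets `Get-MpComputerStatus`, `Get-MpThreat` and `Update-MpSignature`; the function names and the comparison logic are this example's own.

```powershell
# Added example: verify Microsoft Defender Antivirus definitions are recent enough for the
# Follina detections the article lists, and surface any matching detections on this host.
# Helper names are this example's choice; the version and detection names come from the article.

$MinSignatureVersion = [version]'1.367.719.0'
$FollinaThreatNames  = @(
    'Trojan:Win32/Mesdetty.A',
    'Trojan:Win32/Mesdetty.B',
    'Behavior:Win32/MesdettyLaunch.A!blk'
)

function Test-FollinaDefinitions {
    # $true when the installed antivirus signature version is at or above the cited build.
    $status  = Get-MpComputerStatus
    $current = [version]$status.AntivirusSignatureVersion
    return ($current -ge $MinSignatureVersion)
}

function Get-FollinaDetections {
    # Defender threat records whose name matches one of the Follina detection names.
    Get-MpThreat | Where-Object { $FollinaThreatNames -contains $_.ThreatName }
}

if (Test-FollinaDefinitions) {
    Write-Host 'Defender definitions are current enough to detect the Follina samples.'
} else {
    Write-Warning 'Definitions are older than 1.367.719.0; run Update-MpSignature and re-check.'
}

Get-FollinaDetections | Format-Table ThreatName, SeverityID, DidThreatExecute -AutoSize
```

`DidThreatExecute` is worth a look in the output: a detection that fired only on the dropped document is a near miss, whereas one where the payload ran before being caught is an incident to investigate.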