Security Advisory - New MS Office Zero Day dodges Defender
Updated: Oct 12
The 'Follina' exploit abuses a vulnerability that allows malware to be loaded from remote sites.
According to security researchers, malware authors are exploiting a vulnerability in Microsoft Office that allows them to fetch malicious code without being detected in a multi-stage attack.
Follina, as dubbed by researcher Kevin Beaumont, takes advantage of Microsoft Word's remote template functionality.
The zero day was first reported by Japanese security provider Nao Sec, which claimed it was supplied from Belarus.
The zero-day exploit hidden in a Word document initially loads a hypertext markup language (HTML) file from a remote webserver, according to Nao Sec.
It then executes Windows PowerShell code using the MSDT diagnostics tool handler, which is registered for the MS Office protocol.
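As an added example (not from this advisory or any of the researchers it cites), the following Python triages a .docx for the relationship entry that makes Word fetch a remote template or linked object when the file is opened, which is the entry point described above. The sample documents it builds are constructed in memory, and the example.invalid URLs are placeholders.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
# Relationship types that make Word pull the target when the document is opened.
FETCHED_ON_OPEN = {OFFICE_REL + "attachedTemplate", OFFICE_REL + "oleObject"}


def remote_fetch_targets(docx_bytes):
    """Return (rels part, relationship type, target) for every external relationship
    that would make Word fetch remote content on open, plus any target using the
    ms-msdt: scheme regardless of relationship type. Ordinary hyperlinks are ignored."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not (name.startswith("word/") and name.endswith(".rels")):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter("{%s}Relationship" % REL_NS):
                if rel.get("TargetMode") != "External":
                    continue
                target, rtype = rel.get("Target", ""), rel.get("Type", "")
                m = re.match(r"([a-z][a-z0-9+.-]*):", target, re.I)
                scheme = m.group(1).lower() if m else ""
                if scheme == "ms-msdt" or (rtype in FETCHED_ON_OPEN and scheme in ("http", "https")):
                    hits.append((name, rtype.rsplit("/", 1)[-1], target))
    return hits


def build_docx(rels_xml, rels_name="word/_rels/settings.xml.rels"):
    """Construct a minimal .docx (a zip) holding one relationships part. Constructed test
    input only; real documents carry many more parts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document/>")
        z.writestr(rels_name, rels_xml)
    return buf.getvalue()


RELS_TMPL = ('<Relationships xmlns="%s"><Relationship Id="rId1" Type="%s" '
             'Target="%s" TargetMode="External"/></Relationships>')
# Constructed sample: settings.xml.rels whose attached template lives on a web server.
REMOTE_TEMPLATE_DOC = build_docx(RELS_TMPL % (REL_NS, OFFICE_REL + "attachedTemplate",
                                              "http://example.invalid/template.html"))
# Constructed benign sample: a plain external hyperlink, which is not fetched on open.
BENIGN_DOC = build_docx(RELS_TMPL % (REL_NS, OFFICE_REL + "hyperlink", "https://example.invalid/page"),
                        "word/_rels/document.xml.rels")

if __name__ == "__main__":
    for label, doc in (("remote-template", REMOTE_TEMPLATE_DOC), ("benign", BENIGN_DOC)):
        print(label, remote_fetch_targets(doc))
```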
The vulnerability, according to Beaumont, works even if Office macros, which are commonly used to run malware, are deactivated.
Follina is currently not detected by Microsoft's Defender for Endpoint, and Beaumont was able to validate that the vulnerability works on Office 2013 and 2016.
Didier Stevens, another researcher, was able to get the Follina MSDT attack to run on a fully patched version of Office 2021.
Beaumont stated he couldn't get the exploit to operate with Office Current and Insider preview versions.
He concluded that either Microsoft corrected the vulnerability in May of this year, or he was "too much of an idiot" to exploit the problem in the most recent Office versions.
Users with an Office E5 licence can create a Defender for Endpoint query to receive notifications about the exploit, which is currently undetectable by anti-malware software.
Earlier this year, security vendor SySS disclosed how MS Office protocol handlers may be abused to open files directly using specially crafted uniform resource locator (URL) links.
According to Matthias Zöllner of SySS, a regular installation of MS Office installs 86 such handlers, opening up plausible misuse situations for attackers without the need to attach infected documents to phishing emails.
Only open Word, PowerPoint, Excel and other Office files from known, trusted sources.