It was something of an accident that the new Word security flaw dubbed "Follina" came to light. Its effects could be devastating if Microsoft does not act quickly, especially as it currently slips past almost every security product.
A new flaw in Word has just been revealed: simply opening a document in the Office application is enough to execute PowerShell commands through the Microsoft Support Diagnostic Tool (MSDT). Dubbed Follina, the flaw targets Microsoft Office applications directly and requires no special administrative rights on the machine. Worse, it needs no macros to trigger, and an antivirus such as Windows Defender does not detect it.
The flaw was reportedly discovered and reported to Microsoft in April 2022. The Redmond giant is said to have dismissed the report, arguing that it was not a security issue and that its developers were unable to reproduce the exploit. The vulnerability has since been analyzed by various security experts, who managed to exploit it on multiple versions of Office: the 2013, 2016 and 2021 editions and Office Pro Plus are affected.
This Word flaw lets malicious code run right under the antivirus's nose
The malicious sample was discovered a few days ago by a security researcher known as nao_sec, while searching VirusTotal for files exploiting another flaw (CVE-2021-40444). That is how he came across a malicious Word document that uses an external link in Word to load HTML code, which in turn launches PowerShell code through the Microsoft Support Diagnostic Tool (MSDT). Another security researcher, Kevin Beaumont, explains on his blog that this chain of commands launches MSDT regardless, even when macro execution is disabled in Word.
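Because the document itself carries no payload, the most reliable thing to look for on an endpoint is the process chain just described: an Office application handing an ms-msdt: URL to msdt.exe. The hunt below is an added example written for this article, not code from the researchers or from Microsoft. It assumes Sysmon is installed and writing process-creation events (Event ID 1) to the Microsoft-Windows-Sysmon/Operational log, and that the host's Office binaries carry their standard names; the list of Office executables and the "ms-msdt:" string match are my choices, not an official signature.

```powershell
# Added example: hunt a host's Sysmon log for msdt.exe launched by an Office
# application, or launched through the ms-msdt: protocol handler (the latter
# also covers a document handled outside Word, e.g. by the Explorer preview
# pane, where the parent process is not an Office binary).
# Assumption: Sysmon Event ID 1 is being logged on this host.

$officeHosts = @('winword.exe', 'excel.exe', 'powerpnt.exe', 'outlook.exe')  # assumed list

function Find-OfficeMsdtChain {
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Sysmon/Operational'
        Id      = 1
    } -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Read the EventData fields by name rather than by position, so the
        # check does not break if the Sysmon schema gains extra fields.
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($f in $x.Event.EventData.Data) { $d[$f.Name] = $f.'#text' }

        $image  = [IO.Path]::GetFileName([string]$d['Image']).ToLower()
        $parent = [IO.Path]::GetFileName([string]$d['ParentImage']).ToLower()
        $cmd    = [string]$d['CommandLine']

        $officeParent = $officeHosts -contains $parent
        $msdtUri      = $cmd -match 'ms-msdt:'

        if ($image -eq 'msdt.exe' -and ($officeParent -or $msdtUri)) {
            [pscustomobject]@{
                Time        = $e.TimeCreated
                User        = $d['User']
                Parent      = $d['ParentImage']
                CommandLine = $cmd
            }
        }
    }
}

# Usage: list every suspicious msdt.exe launch, newest first.
Find-OfficeMsdtChain | Sort-Object Time -Descending | Format-List
```

Any hit where the parent is an Office binary is worth treating as a confirmed attempt, since legitimate troubleshooting never goes through Word; hits matched only on the ms-msdt: string should be reviewed against the user's activity, because the protocol handler is also what the Windows troubleshooters themselves use.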
According to the researchers, an attacker could exploit this flaw to retrieve data from the victim's computer, including password hashes. Although Word alerts the user to the attempt to execute malicious code, that protection is easily circumvented by changing the file extension to .RTF: the malicious code can then run without the user even opening the file in the Office application, provided the Explorer preview pane is enabled.
Detecting such an exploit is all the harder because the malicious code is loaded remotely: the Word document itself contains no malware, so it cannot be flagged as a threat on its own. Researchers at Huntress advise enabling the "Block all Office applications from creating child processes" rule, as documented on Microsoft's site. Another researcher notes that it is also enough to remove the file association for ms-msdt, so that Microsoft Office can no longer launch the tool on its own.
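The two workarounds above, applied and verified on a single host, as an added example (this is not a script from Huntress, Microsoft or the article; it is written for this page). It assumes an elevated PowerShell session, that Microsoft Defender is the active antivirus so that the Defender cmdlets are available, and that C:\Backup is an acceptable place to keep the exported registry key; the rule GUID is the one Microsoft publishes for "Block all Office applications from creating child processes".

```powershell
# Added example: apply the Attack Surface Reduction rule recommended by
# Huntress and remove the ms-msdt protocol handler, then verify both.
# Run from an elevated PowerShell prompt on a host using Microsoft Defender.
#Requires -RunAsAdministrator

$asrRuleId  = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'  # "Block all Office applications from creating child processes"
$msdtKey    = 'Registry::HKEY_CLASSES_ROOT\ms-msdt'
$backupFile = 'C:\Backup\ms-msdt.reg'                   # assumed backup path

# 1. Enable the ASR rule in block mode.
#    Action values reported by Get-MpPreference: 0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn.
Add-MpPreference -AttackSurfaceReductionRules_Ids $asrRuleId `
                 -AttackSurfaceReductionRules_Actions Enabled

# Verify the rule is present and in block mode (GUID comparison is case-insensitive).
$pref  = Get-MpPreference
$index = -1
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    if ($pref.AttackSurfaceReductionRules_Ids[$i] -ieq $asrRuleId) { $index = $i }
}
if ($index -ge 0 -and $pref.AttackSurfaceReductionRules_Actions[$index] -eq 1) {
    Write-Host "ASR rule $asrRuleId is in Block mode."
} else {
    Write-Warning "ASR rule $asrRuleId is NOT in Block mode; check Defender settings."
}

# 2. Remove the ms-msdt protocol handler so an ms-msdt: URL no longer reaches
#    msdt.exe. Export the key first so it can be restored with
#    'reg import C:\Backup\ms-msdt.reg' once a fix is installed.
if (Test-Path $msdtKey) {
    New-Item -ItemType Directory -Path (Split-Path $backupFile) -Force | Out-Null
    reg.exe export 'HKEY_CLASSES_ROOT\ms-msdt' $backupFile /y
    Remove-Item -Path $msdtKey -Recurse -Force
}

# Verify: the handler key must be gone.
if (Test-Path $msdtKey) {
    Write-Warning 'ms-msdt protocol handler is still present.'
} else {
    Write-Host "ms-msdt protocol handler removed (backup at $backupFile)."
}
```

The ASR rule is the broader of the two: it stops Office from spawning any child process, which also covers payloads that do not go through MSDT at all, but it can break legitimate add-ins that launch helper programs, so roll it out in audit mode first (`-AttackSurfaceReductionRules_Actions AuditMode`) where that is a concern. Removing the ms-msdt handler is narrower and has no effect on Office itself, but it disables the built-in Windows troubleshooters until the key is imported back.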