On May 27, a new critical zero-day vulnerability called Follina was discovered by the nao_sec security research team. The vulnerability is triggered by malicious Word documents that abuse the Microsoft Support Diagnostic Tool (ms-msdt) URL protocol in order to execute commands.
Successful exploitation requires the attacker to craft a malicious Word document which contains a reference to a remote HTML file. The HTML file itself contains a script that spawns an ms-msdt process.
When a user opens the Word file, or merely views it in the preview pane, the malicious document executes commands on the victim’s machine.
Is there a risk?
As revealed in our annual Attack Path Management Impact report, 78% of businesses can potentially be compromised whenever a new RCE (Remote Code Execution) technique is found. This new zero-day demonstrates why it is so important to harden and improve the security posture in your organization. XM Cyber can help customers understand the hidden attack paths from any possible RCE to business-critical assets.
Given the widespread use of Microsoft Office products, an RCE vulnerability that lets attackers execute code on target systems could potentially cause significant harm to any organization.
Although Microsoft has not yet released a patch, the impact may be high: the vulnerability grants attackers the ability to gain initial access or to move laterally in the organization’s environment.
So far Microsoft has released a workaround that prevents the MSDT URL protocol from launching the troubleshooter.
Many ready-to-use public proofs of concept for this exploit are available, which increases the likelihood of being attacked through this vulnerability.
Who is affected?
According to Microsoft, all Windows machines running Office are considered vulnerable.
What should you do?
- Identify all machines that are using a vulnerable Office version
- Unregister the ms-msdt protocol via group policy
  - Create a new registry GPP entry in the section User Configuration > Preferences > Windows Settings > Registry
  - Use the **Registry Browser** to select a parameter or key
  - Expand the registry key in the GPO console. Open the parameter properties, and change the Action to **Delete**
  - Save the changes
- Unregister the ms-msdt protocol on a specific machine
  - Open Registry Editor
  - Navigate to: Computer\HKEY_CLASSES_ROOT\ms-msdt
  - Delete the registry key; this can also be done by running the following command:
    `reg delete HKEY_CLASSES_ROOT\ms-msdt /f`
- Disable troubleshooting via the registry (this can also be done using group policy, in a similar way to the steps shared above)
  - Open Registry Editor
  - Navigate to: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnostics:EnableDiagnostics
  - Set the EnableDiagnostics value to 0
- Disable the preview pane via group policy
  - Open Group Policy Editor
  - Navigate to: User Configuration > Administrative Templates > Windows Components > File Explorer > Explorer Frame Pane
  - Open the Turn off Preview Pane setting
  - Select the Enabled button
Unregistering the MSDT protocol doesn’t mean troubleshooting isn’t possible. Organizations can still perform troubleshooting by using Get Help and the system settings as additional troubleshooters.
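A way to verify the workarounds above on a single endpoint, as an added PowerShell example that is not part of the original advisory: it reports whether the ms-msdt handler key still exists, whether the EnableDiagnostics policy value is 0, and whether the Turn off Preview Pane policy is in effect (read from the NoPreviewPane value the policy writes), and can optionally back up and delete the handler key. The function name, the `-Remediate` switch and the backup path are assumptions.

```powershell
# Added example (not from the advisory): audit the Follina workarounds on the local machine.
# Run from an elevated PowerShell prompt. Function name, -Remediate and the backup path are assumptions.
function Get-FollinaMitigationStatus {
    [CmdletBinding()]
    param(
        [switch]$Remediate,
        # Constructed default: the handler key is exported here before deletion so it can be restored later.
        [string]$BackupPath = "$env:ProgramData\ms-msdt-backup.reg"
    )

    # Workaround 1: the ms-msdt URL protocol handler key should no longer exist.
    $handlerPath = 'Registry::HKEY_CLASSES_ROOT\ms-msdt'
    $handlerRegistered = Test-Path -LiteralPath $handlerPath

    # Workaround 2: EnableDiagnostics under the ScriptedDiagnostics policy key should be 0.
    $policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnostics'
    $enableDiagnostics = (Get-ItemProperty -Path $policyPath -Name EnableDiagnostics `
                              -ErrorAction SilentlyContinue).EnableDiagnostics

    # Workaround 3: the "Turn off Preview Pane" user policy sets NoPreviewPane=1 under the Explorer policy key.
    $explorerPolicy = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $noPreviewPane = (Get-ItemProperty -Path $explorerPolicy -Name NoPreviewPane `
                          -ErrorAction SilentlyContinue).NoPreviewPane

    if ($Remediate -and $handlerRegistered) {
        # Export first so the handler can be put back once an official fix ships, then delete as the advisory shows.
        reg.exe export HKEY_CLASSES_ROOT\ms-msdt $BackupPath /y | Out-Null
        reg.exe delete HKEY_CLASSES_ROOT\ms-msdt /f | Out-Null
        $handlerRegistered = Test-Path -LiteralPath $handlerPath
    }

    [pscustomobject]@{
        ComputerName            = $env:COMPUTERNAME
        MsMsdtHandlerRegistered = $handlerRegistered
        EnableDiagnostics       = $enableDiagnostics      # $null means the policy value is not set
        PreviewPaneDisabled     = ($noPreviewPane -eq 1)
        # Either workaround on its own blocks the MSDT launch; the preview pane setting only narrows the trigger.
        Mitigated               = (-not $handlerRegistered) -or ($enableDiagnostics -eq 0)
    }
}

# Report-only run; add -Remediate to back up and remove the handler key.
Get-FollinaMitigationStatus | Format-List
```

The preview pane check reads the current user's policy hive, so run it in the context of the user whose Explorer session matters.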
Identifying Follina Zero day with XM Cyber
XM Cyber’s Attack Path Management platform can prioritize and remediate the choke points leading from possible Follina exploits to critical assets, breaking the attack vector even where there is no direct patch or remediation for the zero-day itself.
As with other vulnerabilities, organizations lack context and visibility into which machines are at risk and which users could be exploited, which makes it very hard to know what to tackle first and how.
We are proactively approaching customers to share the findings and vulnerable endpoints.
The XM Cyber Research team is continuously analyzing the impact of the new zero-day vulnerability. As this situation is moving fast, we will continue the analysis in the attack path management platform and provide best practices and prioritized remediation guidance in this blog as they become available.
The XM Cyber Research team will continue updating this blog advisory as more details emerge and a relevant patch is provided.