Threat Response – Zero-day vulnerability in Microsoft Office

31-05-2022

A SAFE DIGITAL JOURNEY

Dear reader,

On Monday May 30th, a vulnerability in the Microsoft Support Diagnostic Tool (MSDT), reachable through the Word remote template feature, was made public (CVE-2022-30190) [1][2][6]. The vulnerability allows an attacker to execute code when a crafted Office document is opened. In certain circumstances, for example when an RTF file is shown in the Windows Explorer preview pane, code can run without the document being opened at all [1]. Currently there is no patch available: Microsoft has published workarounds (see Mitigation below), but no fix for Office or MSDT that prevents the abuse of the remote template feature.

Exploitation is not yet widespread, but targeted attacks abusing the vulnerability have already been observed, and this may change quickly.

Risk

The vulnerability is not yet exploited on a large scale. However, exploitation is trivial, proof-of-concept code is publicly available, and targeted attacks have been observed. For these reasons we estimate the risk as high.

Impact

Successful exploitation allows an attacker to run arbitrary code with the privileges of the user who opened (or previewed) the document, and thereby to install programs, view, change or delete data, or create accounts within that user's rights [5]. This zero-day vulnerability is actively exploited by attackers. For this reason we estimate the impact as high.

Mitigation

There are currently two workarounds available, both also documented by Microsoft [5]:

  • Temporarily disable the ms-msdt: protocol handler [3] by removing the HKEY_CLASSES_ROOT\ms-msdt registry key (export the key first so it can be restored once a definitive patch is available). This removes the vector regardless of which application triggers it, but troubleshooters launched through ms-msdt: links will not work while the handler is removed; they remain available through the Get Help application and the Settings app.
  • Prevent Office applications from spawning child processes with the attack surface reduction (ASR) rule "Block all Office applications from creating child processes" [4]:
    • Set-MpPreference -AttackSurfaceReductionRules_Ids d4f940ab-401b-4efc-aadc-ad5f3c50688a -AttackSurfaceReductionRules_Actions Enabled
    • Note that Set-MpPreference replaces the complete list of configured ASR rules; use Add-MpPreference with the same parameters to add this rule alongside rules you already have.
    • ASR rules require Microsoft Defender Antivirus to be the active antivirus product, and this only works if you have Microsoft Defender for Endpoint or a valid Microsoft E3 license.
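As an added example (not from the original advisory and not Microsoft's own guidance), the following PowerShell applies both workarounds from an elevated session, reads the configured state back, and also provides the revert step for the registry workaround. The backup file location and the function names are assumptions of this example; the registry key, the ASR rule ID and the Defender cmdlets are the ones referenced above.

```powershell
# Added example: apply, verify and revert the two CVE-2022-30190 workarounds.
# Run from an elevated PowerShell session. $BackupPath is an assumed location.
$BackupPath = Join-Path $env:ProgramData 'ms-msdt-handler-backup.reg'
$MsdtKey    = 'Registry::HKEY_CLASSES_ROOT\ms-msdt'
$AsrRuleId  = 'd4f940ab-401b-4efc-aadc-ad5f3c50688a'   # Block all Office apps from creating child processes

function Disable-MsMsdtHandler {
    # Workaround 1: export the ms-msdt: handler key for a later restore, then delete it.
    if (Test-Path $MsdtKey) {
        reg.exe export 'HKEY_CLASSES_ROOT\ms-msdt' $BackupPath /y | Out-Null
        reg.exe delete 'HKEY_CLASSES_ROOT\ms-msdt' /f | Out-Null
    }
    # $true once the handler is gone, i.e. ms-msdt: links no longer resolve.
    return (-not (Test-Path $MsdtKey))
}

function Restore-MsMsdtHandler {
    # Revert workaround 1 once a definitive patch has been installed.
    if (-not (Test-Path $BackupPath)) { throw "No backup found at $BackupPath" }
    reg.exe import $BackupPath | Out-Null
    return (Test-Path $MsdtKey)
}

function Get-AsrRuleAction {
    param([string]$RuleId = $AsrRuleId)
    # Get-MpPreference returns parallel arrays: Ids[i] is configured with Actions[i].
    # Action codes: 0 = Disabled, 1 = Block (Enabled), 2 = Audit, 6 = Warn.
    $pref = Get-MpPreference
    $ids  = @($pref.AttackSurfaceReductionRules_Ids)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        # -eq compares strings case-insensitively, so GUID casing does not matter.
        if ($ids[$i] -eq $RuleId) { return [int]$pref.AttackSurfaceReductionRules_Actions[$i] }
    }
    return $null   # rule not configured at all
}

function Enable-OfficeChildProcessRule {
    param([ValidateSet('Enabled', 'AuditMode', 'Warn', 'Disabled')][string]$Mode = 'Enabled')
    # Workaround 2. Add-MpPreference appends to the configured rule list, whereas the
    # Set-MpPreference form in the advisory replaces any rules that are already set.
    # Start with -Mode AuditMode to measure the impact on legitimate Office add-ins
    # before switching to block mode.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $AsrRuleId -AttackSurfaceReductionRules_Actions $Mode
    return (Get-AsrRuleAction)
}

# Usage:
#   Disable-MsMsdtHandler          # True once HKCR\ms-msdt has been removed
#   Enable-OfficeChildProcessRule  # 1 when the rule is active in block mode
#   Restore-MsMsdtHandler          # after the patch has been installed
```

The registry workaround is the broader of the two: it removes the handler for every process that could invoke it, whereas the ASR rule only blocks child processes of the Office applications themselves. Apply the registry change with the ASR rule rather than instead of it, and keep the exported .reg file so the handler can be restored after patching.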

What should you do?

Make sure the listed mitigations are implemented in your Windows environment. Furthermore, be extra alert for unexpected Office files, including RTF files: do not open them, and do not view them in preview mode or in the Windows Explorer preview pane, as previewing can be enough to trigger the vulnerability.

What will Northwave do?

For customers with EDRS based on Microsoft Defender for Endpoint we have retroactively checked for potential exploitation attempts in the past 30 days. For customers with EDRS based on ESET we are currently checking their environments.
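For readers who want to run a comparable check on their own telemetry, the following PowerShell is an added example, not Northwave's detection content. It flags process-creation records in which an Office application launched msdt.exe, which is exactly the behaviour the ASR rule in the Mitigation section blocks. The list of Office process names is this example's assumption; the field names are those Sysmon writes in Event ID 1, and the sample records are constructed, not real telemetry.

```powershell
# Added example (not Northwave's tooling): hunt for msdt.exe spawned by Office.
# Office process list below is an assumption; extend it to match your estate.
$OfficeProcesses = @('WINWORD.EXE', 'EXCEL.EXE', 'POWERPNT.EXE', 'OUTLOOK.EXE')

function Find-MsdtFromOffice {
    param([Parameter(Mandatory)][object[]]$Records)
    # Each record needs UtcTime, Computer, Image, ParentImage and CommandLine.
    foreach ($r in $Records) {
        $parent = [System.IO.Path]::GetFileName([string]$r.ParentImage)
        $child  = [System.IO.Path]::GetFileName([string]$r.Image)
        # -contains and -eq compare strings case-insensitively in PowerShell.
        if (($OfficeProcesses -contains $parent) -and ($child -eq 'msdt.exe')) {
            [pscustomobject]@{
                UtcTime     = $r.UtcTime
                Computer    = $r.Computer
                Parent      = $parent
                CommandLine = $r.CommandLine
            }
        }
    }
}

function Get-SysmonProcessCreations {
    param([int]$Days = 30)
    # Reads Sysmon Event ID 1 (process creation) from the local log and flattens
    # the EventData fields into the record shape Find-MsdtFromOffice expects.
    $filter = @{
        LogName   = 'Microsoft-Windows-Sysmon/Operational'
        Id        = 1
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            UtcTime     = $data['UtcTime']
            Computer    = $xml.Event.System.Computer
            Image       = $data['Image']
            ParentImage = $data['ParentImage']
            CommandLine = $data['CommandLine']
        }
    }
}

# Constructed sample records (not real telemetry) to exercise the filter offline.
$SampleRecords = @(
    [pscustomobject]@{
        UtcTime     = '2022-05-30 09:12:01.123'; Computer = 'WS01'
        ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
        Image       = 'C:\Windows\System32\msdt.exe'
        CommandLine = '"C:\Windows\System32\msdt.exe" ms-msdt:/id ... (arguments omitted)'   # suspicious
    }
    [pscustomobject]@{
        UtcTime     = '2022-05-30 09:40:17.004'; Computer = 'WS02'
        ParentImage = 'C:\Windows\explorer.exe'   # user started a troubleshooter: benign
        Image       = 'C:\Windows\System32\msdt.exe'
        CommandLine = '"C:\Windows\System32\msdt.exe" -id NetworkDiagnosticsWeb'
    }
    [pscustomobject]@{
        UtcTime     = '2022-05-30 10:02:55.310'; Computer = 'WS01'
        ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
        Image       = 'C:\Windows\splwow64.exe'   # printing from Word: benign
        CommandLine = 'C:\Windows\splwow64.exe 12288'
    }
)

# Usage:
#   Find-MsdtFromOffice -Records $SampleRecords   # only the WS01 WINWORD.EXE -> msdt.exe record
#   Find-MsdtFromOffice -Records (Get-SysmonProcessCreations -Days 30) | Format-Table
```

A parent-process match on Office binaries will not catch a document rendered by the Explorer preview pane, which is not loaded by WINWORD.EXE itself, so also review every msdt.exe launch whose command line carries an ms-msdt: URL. Windows Security event 4688 can feed the same function if command-line auditing is enabled, with "Creator Process Name" in place of ParentImage.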

Northwave will monitor developments around this vulnerability. We will reach out to you again if there are important updates, including if the threat posed by this activity increases. If you have any questions or require any additional information, please reach out to us by phone or email.

Phone number: +31 (0)30-303 1244 (during business hours)
E-mail: [email protected]
Do you have an incident right now? Call our CERT number: +31 (0)85 043 7909
Disclaimer applies, see below.

Sources

[1]: https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e

[2]: https://twitter.com/nao_sec/status/1530196847679401984

[3]: https://twitter.com/MalwareJake/status/1531022209011048450

[4]: https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-worldwide

[5]: https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/

[6]: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-30190


Disclaimer
Northwave has made every effort to make this information accurate and reliable. However, the information provided is without warranty of any kind and its use is at the sole risk of the user. Northwave does not accept any responsibility or liability for the accuracy, content, completeness, legality or reliability of the information provided. We shall not be liable for any loss or damage of whatever nature, direct or indirect, consequential or other, whether arising in contract, tort or otherwise, which may arise as a result of your use of, or inability to use, this information or any additional information provided by us in direct or indirect relation to the information provided here.