HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Zero Day Microsoft Office Vulnerability can be Exploited with Macros Disabled

Microsoft has issued a security advisory and has provided workaround to prevent a zero-day vulnerability in the Microsoft Windows Support Diagnostic Tool (MSDT) from being exploited.

The vulnerability is tracked as CVE-2022-30190 and has been dubbed Follina by security researchers. According to Microsoft, “a remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word.”

Over the weekend, security researcher nao_sec found a Word document that was leveraging remote templates to execute PowerShell commands on targeted systems via the MS-MSDT URL protocol scheme. In a recent blog post, security researcher Kevin Beaumont said the documents are not being detected as malicious by Microsoft Defender and detection by antivirus solutions is poor as the documents used to exploit the vulnerability do not contain any malicious code. Instead, they leverage remote templates to download an HTML file from a remote server, which allows an attacker to run malicious PowerShell commands.

Most email attacks that use attachments for malware delivery require macros to be enabled; however, the vulnerability can be exploited even with macros disabled. The vulnerability is exploited when the attached file is opened. Beaumont also showed that zero-click exploitation is possible if an RTF file is used, as the flaw can be exploited without opening the document via the preview tab in Explorer.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

Microsoft said if an attacker successfully exploits the vulnerability, malicious code can be run with the privileges of the calling application. It would allow an attacker to install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights. The vulnerability can be exploited in all Office versions since 2013, including the current version of Office 365.

The vulnerability was initially reported to Microsoft in April and the flaw was assigned a CVSS score of 7.8 out of 10 (high severity), as Microsoft did not consider the Follina vulnerability to be critical. Microsoft has now issued a workaround and guidance that involves disabling the MSDT URL Protocol until a patch is released. Immediate action is required to prevent the vulnerability from being exploited. Vulnerabilities that can be exploited via Office are rapidly adopted by threat actors, especially when they can be exploited with macros disabled. 0Patch has released free micropatches that address the Folina vulnerability, which can be applied in the interim until Microsoft releases an update.

Multiple threat actors are known to be exploiting the flaw, including the Chinese threat actor TA413, according to Proofpoint. According to Palo Alto Networks Unit 42 team, “Based on the amount of publicly available information, the ease of use, and the extreme effectiveness of this exploit, Palo Alto Networks highly recommends following Microsoft’s guidance to protect your enterprise until a patch is issued to fix the problem.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.