Dubbed Follina, the bug is quite serious as it could allow hackers to take complete control over any Windows system just by sending a modified Microsoft Office document. In some cases, people don’t even have to open the file, as the Windows file preview is enough to trigger the nasty bits. Notably, Microsoft has acknowledged the bug but hasn’t yet released an official fix to nullify it. “This vulnerability should still be at the top of the list of things to worry about,” Dr. Johannes Ullrich, Dean of Research for SANS Technology Institute, wrote in the SANS weekly newsletter. “While anti-malware vendors are quickly updating signatures, they are inadequate to protect against the wide range of exploits that may take advantage of this vulnerability.”
Preview to Compromise
The threat was first spotted by Japanese security researchers towards the end of May courtesy of a malicious Word document. Security researcher Kevin Beaumont unfolded the vulnerability and discovered the .doc file loaded a spurious piece of HTML code, which then calls on the Microsoft Diagnostics Tool to execute a PowerShell code, which in turn runs the malicious payload. Windows uses the Microsoft Diagnostic Tool (MSDT) to collect and send diagnostic information when something goes wrong with the operating system. Apps call the tool using the special MSDT URL protocol (ms-msdt://), which Follina aims to exploit. “This exploit is a mountain of exploits stacked on top of each other. However, it is unfortunately easy to re-create and cannot be detected by anti-virus,” wrote security advocates on Twitter. In an email discussion with Lifewire, Nikolas Cemerikic, Cyber Security Engineer at Immersive Labs, explained that Follina is unique. It doesn’t take the usual route of misusing office macros, which is why it can even wreak havoc for people who have disabled macros. “For many years, email phishing, combined with malicious Word documents, has been the most effective way to gain access to a user’s system,” pointed out Cemerikic. “The risk now is heightened by the Follina attack, as the victim only needs to open a document, or in some cases, view a preview of the document via the Windows preview pane, while removing the need to approve security warnings.” Microsoft was quick to put out some remediation steps to mitigate the risks posed by Follina. “The mitigations that are available are messy workarounds that the industry hasn’t had time to study the impact of,” wrote John Hammond, a senior security researcher at Huntress, in the company’s deep dive blog on the bug. “They involve changing settings in the Windows Registry, which is serious business because an incorrect Registry entry could brick your machine.” While Microsoft hasn’t released an official patch to fix the issue, there’s an unofficial one from the 0patch project. Talking through the fix, Mitja Kolsek, co-founder of the 0patch project, wrote that while it’d be simple to disable the Microsoft Diagnostic tool altogether or to codify Microsoft’s remediation steps into a patch, the project went for a different approach as both these approaches would negatively impact the performance of the Diagnostic Tool.
It’s Just Begun
Cybersecurity vendors have already started seeing the flaw being actively exploited against some high-profile targets in the US and Europe. Although all current exploits in the wild seem to use Office documents, Follina can be abused through other attack vectors, explained Cemerikic. Explaining why he believed that Follina isn’t going to go away any time soon, Cemerikic said that, as with any major exploit or vulnerability, hackers eventually start developing and releasing tools to aid exploitation efforts. This essentially turns these rather complex exploits into point-and-click attacks. “Attackers no longer need to understand how the attack works or chain together a series of vulnerabilities, all they need to do is click ‘run’ on a tool,” said Cemerikic. He argued that this is exactly what the cybersecurity community has witnessed over the past week, with a very serious exploit being put into the hands of less capable or uneducated attackers and script kiddies. “As time progresses, the more these tools become available, the more Follina will be used as a method of malware delivery to compromise target machines,” warned Cemerikic, urging people to patch their Windows machines without delay.
