Remote Code Execution in Microsoft Office Products for Windows

Posted on May 30, 2022 in End-User Applications

Summary

A remote code execution vulnerability, dubbed 'Follina', has been found in Microsoft Office via Microsoft Support Diagnostic Tool (MSDT). This issue can be exploited in the default configuration on Windows, and only requires the user be tricked into downloading a malicious file. There is no patch. This issue has been assigned a bug alert severity of 'high'.

Details

On Monday, May 30th, 2022, security researcher Kevin Beaumont published a blog post detailing an exploit, 'Follina', that had been discovered three days prior and discussed at length on Twitter. This exploit abuses the template retrieval mechanism in Microsoft Office installations on Microsoft Windows systems to initiate arbitrary code, using a vulnerability in Microsoft Support Diagnostic Tool (MSDT). On May 30th, 2022, Microsoft acknowledged this issue and workarounds are available, but there is no patch. This exploit has been actively used against Russia-based targets for over a month.

Exploit code is widely available online, and weaponization of this vulnerability by groups other than the original authors is likely already underway. While awaiting patches from Microsoft, the best course of action is to monitor for use of this exploit, provide user education and implement workarounds. Signatures for various detection tools have been made available and are linked from Kevin Beaumont's post. Microsoft has also released detections for Microsoft Defender. This post will be updated as information becomes available.

This vulnerability has been assigned CVE-2022-30190.

If you have feedback (did you agree/disagree that a notice should have been sent?) or questions, please comment on the discussion thread linked below. This notice cost the project approximately $50 USD to send. If you would like to support the project, you can learn more here.


Additional vulnerability discussion can be found on GitHub.
Have information to contribute? Make a pull request!