Cato Protects Against Microsoft Office Follina Exploits

Cybersecurity researchers are lighting up Twitter with a zero-day flaw in Microsoft Office enabling attackers to execute arbitrary code on targeted Windows systems.

Earlier today Microsoft issued CVE-2022-30190 that describes the remote code execution (RCE) vulnerability within Office. It can be exploited when the Microsoft Support Diagnostic Tool (MSDT) is called using by a URL from a calling application such as Word.

An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights.

The vulnerability was discovered by nao_sec, the independent cybersecurity research team, who found a Word document (“05-2022-0438.doc“) uploaded to VirusTotal from an IP address in Belarus. The Microsoft post explained how to create the payload and various work arounds.

Describing the vulnerability, nao_sec writes on Twitter, “It uses Word’s external link to load the HTML and then uses the ‘ms-msdt’ scheme to execute PowerShell code.” The Hackernews quotes security researcher Kevin Beaumont, saying that “the maldoc leverages Word’s remote template feature to fetch an HTML file from a server, which then makes use of the “ms-msdt://” URI scheme to run the malicious payload.”

Beaumont has dubbed the flaw “Follina,” because the malicious sample references 0438, which is the area code of Follina, a municipality in the Italian city of Treviso.

Cato Immediately Protects Users Worldwide

Within hours of Microsoft’s reporting, Cato researchers were already working on implementing protections for Cato customers worldwide. Already, Cato’s multilayered security defense fully protected Cato-connected users. While no further action is needed, Cato customers are advised to patch any affected systems.

There are currently three ways attackers can exploit this attack:

• Users can download a file or application containing the payload that will invoke the MSDT locally.
• Users can download a file or application containing the payload that will get the invocation from the Internet (from the attacker’s sites)
• User’s browser receives the payload in the response to direction from a malicious site, runs MSDT.

All three approaches are already blocked using the Cato Advanced Threat Prevention (ATP) capabilities. Cato’s anti-malware inspects and will block downloading of files or applications with the necessary payload to execute Follina. Cato IPS will detect and prevent any invocation from across the network or the Internet.
As we have witnessed with Log4j, vulnerabilities such as these can take organizations a very long time to patch. Log4j exploitations are still observed to this day, six months after its initial disclosure. With Cato, enterprises no longer see the delays from patching and are protected in record time.

Demonstration of Attack Exploiting CVE-2022-30190