Take precautions now!
A security researcher has discovered a zero-day vulnerability in Microsoft Office that currently makes it particularly easy for hackers to infect systems with malware via a DOC file. We summarize what Office users need to be aware of and how you can protect yourself from "Follina."
Microsoft has now confirmed the threat under CVE-2022-30190.
How does the current vulnerability work?
- Users open a DOC file containing hidden malware, which they received, for example, via email.
- The document references a normal-looking https URL that is downloaded.
- This https URL points to an HTML file that contains JavaScript code.
- The JavaScript, in turn, points to a URL with the unusual identifier ms-msdt: instead of https:. On Windows, ms-msdt: is a proprietary URL type that launches the MSDT software toolkit (MSDT – Microsoft Support Diagnostic Tool).
- The command line submitted to the MSDT via URL results in the execution of untrusted code.
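A defender-side triage sketch for the chain listed above, added here and not part of the original article: it lists the external URLs a document references and flags those whose captured page references the ms-msdt: scheme. It assumes the document is an OOXML (.docx) package and that the pages behind those URLs were captured separately (for example by a web proxy); the function names, sample URLs and the PLACEHOLDER payload are constructed.

```python
import html
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_TAG = "{http://schemas.openxmlformats.org/package/2006/relationships}Relationship"
MSDT_RE = re.compile(r"ms-msdt\s*:", re.IGNORECASE)  # scheme, any letter case

def external_targets(docx_bytes):
    """List Target values of external relationships in an OOXML package."""
    targets = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if name.endswith(".rels"):
                for rel in ET.fromstring(zf.read(name)).iter(REL_TAG):
                    if rel.get("TargetMode", "").lower() == "external":
                        targets.append(rel.get("Target", ""))
    return targets

def html_invokes_msdt(page):
    """True if HTML/JavaScript text references ms-msdt: (entities decoded first)."""
    return bool(MSDT_RE.search(html.unescape(page)))

def triage(docx_bytes, captured_pages):
    """Return external URLs whose captured page references ms-msdt:.
    Ordinary hyperlinks are external relationships too, so only the
    combination of both steps of the chain is reported."""
    return [u for u in external_targets(docx_bytes)
            if html_invokes_msdt(captured_pages.get(u, ""))]

def build_sample_docx(target):
    """Constructed minimal package holding only a relationships part."""
    base = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
    rels = ('<?xml version="1.0" encoding="UTF-8"?><Relationships '
            'xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
            f'<Relationship Id="rId1" Type="{base}oleObject" Target="{target}" TargetMode="External"/>'
            f'<Relationship Id="rId2" Type="{base}hyperlink" Target="https://example.org/" TargetMode="External"/>'
            '</Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()

if __name__ == "__main__":
    url = "https://stage2.example.invalid/index.html"  # constructed sample URL
    pages = {url: '<script>location.href = "ms-msdt:PLACEHOLDER";</script>',
             "https://example.org/": "<p>ordinary page</p>"}  # constructed captures
    print(triage(build_sample_docx(url), pages))
```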
What needs to be done?
Microsoft has already released an official workaround and will hopefully soon provide a permanent patch. As convenient as Microsoft's proprietary ms-xxxx URLs may be, the fact that they are designed to automatically start processes when certain file types are opened or even just previewed is clearly a security risk.
How can I protect myself?
Endpoint protection products (e.g., from Sophos, NetworkBox, or ESET) detect and block known attacks using this exploit under the detection name Troj/DocDl-AGDX. This detection name can be used to scan logs for both the DOC files that trigger the initial download and the subsequent "second-stage" HTML files. Email and web filtering products intercept attack files of this type, for example as CXmail/OleDl-AG.
Please raise awareness among your customers! As is so often the case: Think before you click!
Use appropriate services, such as Managed Firewall or Managed Endpoint Protection.