New MS Office Zero Day Evades Defender

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,593
Thank you. But for Follina having Powershell in Contrained Language Mode we are safe correct?

Yes. Follina is completely blocked by CLM because before executing the PowerShell code from the HTML script, the sdiagnhost.exe application executes the PowerShell script: ‘C:\Windows\diagnostics\system\PCW\RS_ProgramCompatibilityWizard.ps1
which is blocked by CLM.
So, even the PowerShell code in the HTML script would not use advanced functions, the attack will fail.

This PS CL Mode Bypass, posted in "another forum" looks interesting:


I'm assuming, hopefully correctly, that selecting InstallUtil.exe under SRP Blocked sponsors would stop this.

The bypass is useful when the attacker first executes the loader bypass-clm.exe which is a kind of fake PowerShell, and next from this fake PowerShell executes attacking tools written for PowerShell.
But, this will not work with Follina exploit. Simply, the ms-msdt will not use bypass-clm.exe.
 

wat0114

Level 13
Verified
Top Poster
Well-known
Apr 5, 2021
621
The bypass is useful when the attacker first executes the loader bypass-clm.exe which is a kind of fake PowerShell, and next from this fake PowerShell executes attacking tools written for PowerShell.
But, this will not work with Follina exploit. Simply, the ms-msdt will not use bypass-clm.exe.

Thank you. How could this particular Bypass be mitigated, at least by a home user? Sorry, I just can't picture the exploit chain from beginning to end :(
 
  • Like
Reactions: Trooper

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,593
Thank you. How could this particular Bypass be mitigated, at least by a home user? Sorry, I just can't picture the exploit chain from beginning to end :(
https://malwaretips.com/threads/simple-windows-hardening.102265/post-992545

There are two simple mitigations. Each one can block Follina.
  1. Untick in Word the option "Update automatic links at open" and do not use the Explorer preview feature.
  2. Use the Windows Policy that blocks executing PowerShell scripts.
The first option can also prevent many other threats that use the remote template feature of MS Office via embedded links.
 
Last edited:

wat0114

Level 13
Verified
Top Poster
Well-known
Apr 5, 2021
621
@Andy Ful

thank you again for setting the record straight. I didn't know you posted in the SWH thread within the hour. Very nice (y)

I disabled "Update automatic links at open" in both Word and Excel :)
 

wat0114

Level 13
Verified
Top Poster
Well-known
Apr 5, 2021
621
An interesting Follina exploit used to push Qakbot malware:


The shortcut uses Rundll32.exe to run the hidden dll file for Qakbot. I guess the dll file would not be hidden from view if the File explorer option to display hidden files is enabled?
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,593
An interesting Follina exploit used to push Qakbot malware:


The shortcut uses Rundll32.exe to run the hidden dll file for Qakbot. I guess the dll file would not be hidden from view if the File explorer option to display hidden files is enabled?
Yes for hidden attribute and No for system attribute. You can view the files with system attributes as follows:

1654984710247.png


This will display the "Folder options".
  • Select the View tab. In Advanced settings,
  • select Show hidden files, folders, and drives.
  • Select Ok.
 
Last edited:

wat0114

Level 13
Verified
Top Poster
Well-known
Apr 5, 2021
621
Yes for hidden attribute and No for system attribute. You can view the files with system attributes as follows:

...............

This will display the "Folder options".
  • Select the View tab. In Advanced settings,
  • select Show hidden files, folders, and drives.
  • Select Ok.

Yup, always one of the first things I do after installing Windows, as well as unchecking both "Hide extensions for known file types" and "Hide protected operating system files" .
 

Gandalf_The_Grey

Level 84
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
7,415
Microsoft patches actively exploited Follina Windows zero-day
Microsoft has released security updates with the June 2022 cumulative Windows Updates to address a critical Windows zero-day vulnerability known as Follina and actively exploited in ongoing attacks.

"Microsoft strongly recommends that customers install the updates to be fully protected from the vulnerability. Customers whose systems are configured to receive automatic updates do not need to take any further action," Microsoft said in an update to the original advisory.

"Microsoft recommends installing the updates as soon as possible," the company further urged customers in a post on the Microsoft Security Response Center.

Tracked as CVE-2022-3019, the security flaw is described by Redmond as a Microsoft Windows Support Diagnostic Tool (MSDT) remote code execution bug that affects all Windows versions still receiving security updates (i.e., Windows 7+ and Server 2008+).

Attackers who successfully exploit this zero-day can execute arbitrary code with the privileges of the calling app to install programs, view, change, or delete data, and even create new Windows accounts as allowed by the compromised user's rights.

As security researcher nao_sec found, Follina exploits allow threat actors to execute malicious PowerShell commands via MSDT in what Redmond describes as Arbitrary Code Execution (ACE) attacks when opening or previewing Word documents.

While applying today's updates does not prevent Microsoft Office from automatically loading Windows protocol URI handlers without user interaction, it blocks PowerShell injection and disables this attack vector.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,593
The tweet is a warning for administrators in Enterprises who sometimes use this policy - such policies are known to weaken the system protection, so they must be used with caution. Although I've seen somewhere (not on MT) a suggestion that it is a patch bypass, in fact, it is not exactly the bypass. It is rather a suggestion that restrictions of the Microsoft diagnostic functions can be sometimes troublesome, so administrators could set a policy to avoid this. The cons are that Follina exploits (and probably some others) will work with this policy enabled, so the possible exploits has to be mitigated in another way. Furthermore, this policy can be applied temporarily when some advanced diagnostic is necessary.

In the attacks on most computers, the Follina exploit is used with standard privileges and changing this policy requires high privileges. When the malware has got high privileges, then Follina exploit is not needed - the attacker has already gained much more.

Post edited
 
Last edited:

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top