Microsoft releases workarounds in order to mitigate zero-day vulnerability detected in Microsoft Word doc tracked as "05-2022-0438.doc" exploited in the wild...

Continue reading
Security researcher alarmingly notifies everyone who manages a Microsoft Windows environment about a zero-day vulnerability in Microsoft Office that's being actively exploited to run arbitrary code execution on a compromised system.
Traces of the detected vulnerability first surfaced publicly last Friday, when the Japan-based "nao_sec" cybersecurity research team flagged a malicious MS Word document tracked as (“05-2022-0438.doc”) uploaded to VirusTotal from an IP address in Belarus.

According to nao-sec, the vulnerability _" uses Word's external link to load HTML and subsequently the `ms-msdt` technique to execute PowerShell code."_
The Microsoft Support Diagnostics Tool, or MSDT, is a Windows tool designed to obtain information for analysis by Microsoft support employees in order to assist with problem resolution.
Kevin Beaumont, a security researcher, determined after examining the attack that the exploit chain permits an attacker to leverage MSDT to execute arbitrary PowerShell code on a system, which they may then use to download and execute malicious code.
The exploit could be triggered in several ways, including through "a hover-preview of a downloaded file that does not need clicks" in Windows Explorer's preview window, according to a blog post by John Hammond, a senior security researcher at Huntress.
Jake Williams, director of threat intelligence at Scythe, tweeted, _"I've validated that it works on my test systems and is trivially exploitable. I apologize for interrupting your Memorial Day holiday."_
All of this "should not be possible," Gossi writes in a blog post because Office has Protected View, a read-only mode that disables most editing functions and is supposed to prevent weaponized Office documents from activating.
The name "Follina" refers to the numerical string "0438," which is part of the name of the malicious file uploaded to VirusTotal and also the telephone area code for the Italian municipality of Follina, located northwest of Venice.
How does the attack function? Gossi writes in his blog post, _"A lot is going on here, but the first issue is that Microsoft Word executes the code via MSDT, a support tool, even when macros are deactivated. Protected View is activated; but, if you convert the document to RTF format, it will run without even accessing the document - via the preview tab in Explorer, let alone Protected View."_
_"This is a novel initial access strategy that allows code execution to threat actors with a single click or less,"_ Hammond of Huntress writes on his blog. _"This is a tempting attack for adversaries. It is concealed within a Microsoft Word document without macros to elicit user-familiar warnings, but with the ability to execute code hosted remotely."_

Researchers have discovered that the vulnerability has been exploited since at least April. According to gossip, documents exploiting the vulnerability pretended to offer users a radio appearance with the Russian state-run news agency Sputnik.
The vulnerability appears to exist and be exploitable in Office 2013, Office 2016, Office 2019, and Office 2021 at minimum. However, according to Gossi, it may not work in subsequent beta versions of Office, signaling that Microsoft is aware of the issue and is preparing and distributing remedies. Microsoft did not respond to a request for comment immediately.
*Do Not Panic!*
In the absence of an official remedy or mitigating recommendations, Beaumont expresses caution. He comments, "I've seen individuals propose bizarre solutions to this problem." "Don't panic; see what Microsoft has to say. It is not currently being exploited on a large scale."
To combat the vulnerability until Microsoft releases updates, however, Gossi's blog post contains a query meant to identify efforts to exploit the vulnerability, which Defender for Endpoint users can install as a _"custom detection rule."_
Christiaan Beek, a lead threat research scientist at endpoint security provider Trelix, has published on GitHub a custom detection that may be used to block these types of malicious Office documents.
Huntress Hammond has also outlined possible mitigations, such as removing Office files' association with MSDT via the Windows Registry so that anyone seeking to exploit the vulnerability will be unable to do so.
According to Sycthe's Williams, companies would do well to comprehend the potential threat posed by this risk and whether or not they would be able to recreate how an attack occurred if exploited.
Williams tweets, _"You need probably conduct some detection engineering in your environment to determine how and where msdt.exe is used (e.g., which processes are its parents)."_ _"Also, the maldoc utilizes mpsigstub.exe, a Defender executable frequently banned from logging."_
Meanwhile, Microsoft came up with a workaround against the newly detected Zero-Day vulnerability, which was assigned as CVE-2022-30190, with a severity waiting of 7.8 out of 10 on the CVSS vulnerability scoring system. According to their publication for the customer protection assistance with resources, the affected Microsoft Office versions including Office 2013, Office 2016, Office 2019, and Office 2021, and Professional Plus editions were found to be vulnerable in this context.

Crazyman, a member of the Shadow Chaser Group, was credited with reporting the vulnerability on April 12, coinciding with the discovery of the in-the-wild exploit targeting Russian users, indicating that the corporation was already aware of the weakness.
According to screenshots released on Twitter by the researcher, Microsoft closed the report on April 21, 2022, writing _" the issue has been fixed"_ and dismissed the hole as "not a security issue" because it requires a passkey provided by a support professional when initiating the diagnostic tool.
Additionally, with the release of detection rules for Microsoft Defender for Endpoint, Redmond has provided remedies to block the MSDT URL protocol via a Windows Registry update.
_"If the calling program is a Microsoft Office application, Microsoft Office by default opens Internet-sourced documents in Protected View or Application Guard for Office, both of which block the present attack,"_ Microsoft explained.
Not for the first time have Microsoft Office protocol schemes such as "ms-msdt:" been scrutinized for their potential for abuse. SySS, a German cybersecurity firm, discovered in January that it is feasible to access files directly using specially crafted URLs such as "ms-excel:ofv|u|https://192.168.1.10/poc[.xls]."

Splunk disclosed CVE-2026-20253, a critical pre-auth RCE flaw in Splunk Enterprise (CVSS 9.8) from insecure MongoDB defaults. Patches released; upgrade to 9.1.8, 9.2.5, or 9.3.2.