June 6, 2022 –
“Zero-day” is a general phrase used to describe newly recognized security vulnerabilities that attackers can use to compromise systems. The term “zero-day” indicates that the vendor or developer has only just learned of a weakness or flaw in the software and has had “zero days” to fix it.
About a month ago Microsoft’s Security Response Center was notified of vulnerabilities in software that could be exploited via specially crafted Word documents. Microsoft then published a procedure for managing the issue. However, it wasn’t until six days ago that the issue came into the spotlight, when another security researcher finally spotted a malicious Word document trying to exploit the flaw.
How it Happened:
According to Jai Vijayan, a technology reporter of 20 years, writing for Dark Reading (darkreading.com):
The retrieved file in turn used the MS-MSDT URL protocol to load code for executing a PowerShell script. Beaumont discovered the document was executing code even with macros disabled. The security researcher found at least two other malicious Word documents in the wild attempting to exploit Follina going back to April.
Significantly, Beaumont and other researchers found that the attack technique allowed threat actors a way to bypass the “Protected View” mechanism in Office that alerts users about content downloaded from the Internet and requires an additional click from them to open. According to Malwarebytes, the warning can be bypassed simply by changing the document to a Rich Text Format (RTF) file. By doing so, code can run without the user even needing to open the document, via the preview tab in Explorer, Malwarebytes said.
What to do:
Monitor for unauthorized activity, update applications as required, and stay up to date with threat advisories.
Follow the Microsoft Security Response Center’s guidance to disable the MSDT URL protocol.
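Microsoft’s published workaround for this issue is to back up and then delete the ms-msdt protocol handler key under HKEY_CLASSES_ROOT. The PowerShell below is added here as an example and is not part of the original post or Microsoft’s own tooling; it wraps that procedure with a backup check and a verification step. The backup file path and the function names are my own choices.

```powershell
# Added example (not from the original post): applies Microsoft's published
# Follina workaround of backing up and then removing the ms-msdt URL protocol
# handler registration, then verifies the result. Run from an elevated
# PowerShell session. The backup path below is an assumption; adjust as needed.

$Key        = 'HKCR:\ms-msdt'                          # protocol handler registration
$BackupFile = "$env:ProgramData\ms-msdt-backup.reg"    # assumed backup location

# PowerShell has no HKCR: drive by default; map HKEY_CLASSES_ROOT so Test-Path works.
if (-not (Get-PSDrive -Name HKCR -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
}

function Test-MsdtProtocolEnabled {
    # $true means the ms-msdt handler is still registered, i.e. the workaround is not in place.
    return (Test-Path -Path $Key)
}

function Disable-MsdtProtocol {
    if (-not (Test-MsdtProtocolEnabled)) {
        Write-Output 'ms-msdt protocol handler is already absent; nothing to do.'
        return $true
    }
    # 1. Back up the key first so the change can be reverted later with: reg import <file>
    reg.exe export 'HKEY_CLASSES_ROOT\ms-msdt' $BackupFile /y | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Error "Backup to $BackupFile failed; leaving the key in place."
        return $false
    }
    # 2. Remove the protocol handler registration (Microsoft's documented workaround step).
    reg.exe delete 'HKEY_CLASSES_ROOT\ms-msdt' /f | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Error 'Deleting HKEY_CLASSES_ROOT\ms-msdt failed.'
        return $false
    }
    # 3. Confirm the handler is really gone before reporting success.
    return (-not (Test-MsdtProtocolEnabled))
}

if (Disable-MsdtProtocol) {
    Write-Output "ms-msdt URL protocol disabled; backup saved to $BackupFile"
} else {
    Write-Output 'Workaround not applied; review the errors above.'
}
```

Test-MsdtProtocolEnabled can also be run on its own from a fleet-management tool to report which hosts still have the handler registered.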