threatpost.com
35.173.160.135  Public Scan

Submitted URL: https://click.email.sans.org/?qs=a59f57753742095dea1d84b2160e36feda36390313db8370b1ee3999937b452f22a3021dc21a2e00212003429003...
Effective URL: https://threatpost.com/zero-day-follina-bug-lays-older-microsoft-office-versions-open-to-attack/179756/
Submission Tags: falconsandbox
Submission: On June 02 via api from US — Scanned from DE


ZERO-DAY ‘FOLLINA’ BUG LAYS MICROSOFT OFFICE OPEN TO ATTACK

Author: Sagar Tiwari
May 30, 2022 10:53 am
2 minute read

Malware loads itself from remote servers and bypasses Microsoft’s Defender AV
scanner, according to reports.

UPDATE

A zero-day vulnerability in Microsoft Office allows adversaries to run malicious
code on targeted systems via a flaw in the remote Word template feature.

The warning comes from Japanese security vendor Nao Sec, which tweeted about
the zero-day over the weekend.

Noted security researcher Kevin Beaumont dubbed the vulnerability “Follina”,
explaining that the zero-day code references 0438, the telephone area code of
Follina, Italy.

Beaumont said the flaw abuses the remote template feature in Microsoft Word and
does not depend on the macro-based exploit path that is typical of Office-based
attacks. According to Nao Sec, a live sample was found in a Word document that
links to an internet protocol (IP) address in the Republic of Belarus.

It’s unclear whether the zero-day bug has been actively leveraged by
adversaries. Proof-of-concept code exists that demonstrates that versions of
Office ranging from 2003 to the current build are vulnerable to attack.
Meanwhile, security researchers say users can follow Microsoft’s Attack Surface
Reduction measures to mitigate the risk in lieu of a patch.


HOW FOLLINA WORKS

Nao Sec researchers explain that the path to infection involves the malicious
template loading an exploit via a hypertext markup language (HTML) file fetched
from a remote server.

The loaded HTML uses the “ms-msdt” MSProtocol URI scheme to load and execute a
snippet of PowerShell code.

“It uses Word’s external link to load the HTML and then uses the ‘ms-msdt’
scheme to execute PowerShell code,” as reported by Nao Sec.
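The chain described above leaves two artifacts a defender can triage offline: the .docx relationship that points Word at a remote attached template, and the fetched HTML that carries an ms-msdt: URI. The following is an added example (not code from the article or from Nao Sec); the sample document and HTML are constructed, the 203.0.113.5 address is a placeholder, and the ms-msdt: target is deliberately a placeholder string.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# OOXML relationship type Word uses for an attached (possibly remote) template.
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
RELS_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
# The URI scheme the fetched HTML hands to MSDT, as described in the article.
MSDT_URI = re.compile(r"ms-msdt:", re.IGNORECASE)


def remote_templates(docx_bytes):
    """Return remote attachedTemplate targets declared in a .docx's .rels parts."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(RELS_NS + "Relationship"):
                target = rel.get("Target", "")
                if (rel.get("Type") == ATTACHED_TEMPLATE
                        and rel.get("TargetMode") == "External"
                        and target.lower().startswith(("http://", "https://"))):
                    hits.append(target)
    return hits


def msdt_refs(html_text):
    """Count ms-msdt: URI references in HTML fetched by the remote template."""
    return len(MSDT_URI.findall(html_text))


def triage(docx_bytes, html_text):
    """Combine both indicators into one verdict for a document/HTML pair."""
    templates = remote_templates(docx_bytes)
    refs = msdt_refs(html_text)
    return {"remote_templates": templates, "msdt_refs": refs,
            "suspicious": bool(templates) and refs > 0}


def build_sample_docx(template_target, external=True):
    """Constructed minimal .docx containing only the part this check reads."""
    mode = ' TargetMode="External"' if external else ""
    rels = (f'<Relationships xmlns="{RELS_NS[1:-1]}">'
            f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
            f'Target="{template_target}"{mode}/></Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()


# Constructed inputs: placeholder address and a placeholder ms-msdt: target.
SAMPLE_DOCX = build_sample_docx("http://203.0.113.5/template.html")
SAMPLE_HTML = '<script>location.href = "ms-msdt:PLACEHOLDER";</script>'
```

A document whose attached template is a local .dotm produces no remote-template hit, so the verdict stays negative even when the HTML half matches.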

MSDT stands for the Microsoft Support Diagnostic Tool, which collects
information and reports it to Microsoft Support. This troubleshooting wizard
analyzes the gathered information and attempts to find a resolution to problems
the user is experiencing.

Beaumont found that the flaw allows the code to run via MSDT, “even if macros
are disabled”.

“Protected View does kick in, although if you change the document to RTF form,
it runs without even opening the document (via the preview tab in Explorer) let
alone Protected View,” Beaumont further explained.

Beaumont confirmed that the exploit affects the older Microsoft Office 2013 and
2016 versions and that endpoint detection “missed execution” of the malware.
Additional research revealed that the vulnerability impacts even the most recent
version of Microsoft Office.

Another security researcher, Didier Stevens, said he exploited the Follina bug
on a fully patched version of Office 2021, and cybersecurity researcher John
Hammond tweeted a working proof of Follina.

Microsoft users with E5 licenses can detect the exploit by adding the endpoint
query to Defender. Additionally, Warren suggests using Attack Surface Reduction
(ASR) rules to block Office applications from creating child processes.

(EDITOR’S NOTE: This story was updated 5/31 at 7:50 a.m. to reflect that more
recent versions of Office are impacted by this bug.)
