A new vulnerability has been discovered that can allow a malicious document to run arbitrary code on a Windows computer.  Although the obvious attack vector is MS Office documents, Microsoft is describing this as a Windows Operating System vulnerability according to CVE-2022-30190.

A Word Document was found to be able to abuse the Microsoft Windows Support Diagnostic Tool MS-MSDT URI protocol scheme to run PowerShell code, by utilising an external link in Word to load malicious HTML. This is done by using the remote template feature to access the HTML on a remote server. The attack utilises obfuscated code which when run causes PowerShell to extract and execute a Base64 encoded file from an RAR file.

Usually when a Word Document is opened in Protected View, the user is alerted to potentially malicious documents or to unsafe source locations. However, because this flaw is not invoking an office macro or VBA code, Office did not prevent this remote code execution vulnerability from being exploited when the documents were previewed in Windows Explorer. This attack is possible even if Microsoft Word has macro scripts disabled.

This zero-day vulnerability is tracked as CVE-2022-30190, but is also being referred to as ‘Follina’. It allows the attacker to execute a variety of activities, including installing programs, viewing, changing, or deleting data, and creating new accounts. Although this was first detected in April, it was originally determined by Microsoft to not be a “security-related issue”. However, the vulnerability submission report now contradicts this with the admission that it is a remote code execution vulnerability.

Advice from Redmond suggests users can mitigate this attack by disabling the MSDT URL protocol. This is a temporary solution intended to help protect users until a patch is released by Microsoft, at which point this protocol should be safe to be re-enabled.