On May 30, 2022, security researchers identified a new zero-day flaw in Microsoft Office that could be used to achieve arbitrary code execution (ACE) on Windows systems. Dubbed “Follina” because the zero-day code references 0438 – the area code of Follina in Italy – the flaw impacts all Windows versions still receiving security updates.
Japanese security vendor Nao Sec uncovered a Word document that was uploaded to VirusTotal from an IP address in Belarus. This document contained malicious code that leveraged Word’s external link feature to retrieve an HTML file from a server; that HTML file then used the ‘ms-msdt’ URI scheme to run a malicious payload. MSDT, or Microsoft Support Diagnostic Tool, is an application that helps troubleshoot and collect diagnostic data for analysis. Tracked as CVE-2022-30190, the vulnerability has wide implications given the broad usage of Microsoft Office programs.
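A defender-side triage check for the mechanism described above, as an added example that is not from the original advisory or from Nuspire: it lists the external relationships inside an Office document and tests retrieved HTML for the ‘ms-msdt’ scheme. Treating remote oleObject relationships as the link type of interest, the function names, and the example.invalid sample are assumptions of this example.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
OFFDOC = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"

def external_relationships(docx_bytes):
    """Return (part, type, target) for each TargetMode="External" relationship."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in (n for n in zf.namelist() if n.endswith(".rels")):
            try:
                root = ET.fromstring(zf.read(name))
            except ET.ParseError:
                found.append((name, "unparseable", ""))  # malformed part: surface it
                continue
            for rel in root.iter(REL_NS + "Relationship"):
                if rel.get("TargetMode", "").lower() == "external":
                    kind = rel.get("Type", "").rsplit("/", 1)[-1]
                    found.append((name, kind, rel.get("Target", "")))
    return found

def suspicious_links(docx_bytes):
    """Keep unparseable parts and remote oleObject links (assumed link type of interest)."""
    return [r for r in external_relationships(docx_bytes) if r[1] == "unparseable"
            or (r[1].lower() == "oleobject" and re.match(r"(?i)https?://", r[2]))]

def html_uses_msdt(html_text):
    """True if retrieved HTML references the ms-msdt: URI scheme."""
    return re.search(r"ms-msdt\s*:", html_text, re.IGNORECASE) is not None

def build_sample():
    """Constructed sample: rels part with one oleObject link and one hyperlink."""
    rel = '<Relationship Id="{}" TargetMode="External" Target="{}" Type="{}{}"/>'
    rels = ('<Relationships xmlns="' + REL_NS.strip("{}") + '">'
            + rel.format("rId1", "https://example.invalid/page.html", OFFDOC, "oleObject")
            + rel.format("rId2", "https://example.invalid/about", OFFDOC, "hyperlink")
            + "</Relationships>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()

if __name__ == "__main__":
    for part, kind, target in suspicious_links(build_sample()):
        print(f"SUSPICIOUS {part}: external {kind} -> {target}")
```

A hit is a reason to inspect the document further, not a verdict; ordinary external hyperlinks are deliberately ignored to keep the output reviewable.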
Chances are, if you have Microsoft Office, you’re vulnerable. Specific versions affected include Office 2021, 2019, 2016 and 2013.
Nuspire is actively threat hunting internally and within client environments for indications of compromise. Additionally, Nuspire is patching against this threat.
Nuspire recommends you take the following actions: