Researchers have publicly revealed a zero-day vulnerability in Microsoft Office that can be exploited using malicious Word documents to enable code execution on a victim's system.
The vulnerability was initially disclosed by @nao_sec via Twitter on May 27:
"The document uses the Word remote template feature to retrieve a HTML file from a remote webserver, which in turn uses the ms-msdt MSProtocol URI scheme to load some code and execute some PowerShell," researcher Kevin Beaumont explains. "That should not be possible."
Beaumont reports that attackers can exploit this vulnerability, which he's dubbed "Follina," even if Office macros are disabled. Office 2013, 2016, 2019, 2021, and some versions of Office included with a Microsoft 365 license are subject to this vulnerability on both Windows 10 and Windows 11.
Huntress Labs CEO Kyle Hanslovan has shared a proof of concept using a Rich Text File to exploit this vulnerability from the preview pane in Windows 11's File Explorer:
All of which means this vulnerability provides a way to execute code on a target system with one click—or, as Hanslovan demonstrates, just by previewing the malicious document—using support tools (ms-msdt) and system administration tools (PowerShell) pre-installed on Windows.
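For defenders triaging attachments, the remote-template step described above leaves a visible trace inside the document container. The following is an added example, not code from the researchers quoted here: it lists the external relationships in an OOXML file that can make Word fetch remote content. The watch list of relationship types, the function names and the `example.invalid` sample URLs are assumptions made for illustration.

```python
import io
import xml.etree.ElementTree as ET
import zipfile

PKG = "{http://schemas.openxmlformats.org/package/2006/relationships}"
OFFICE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
# Relationship types that can make Word fetch remote content (assumed watch list).
SUSPECT_TYPES = {"attachedTemplate", "oleObject"}


def remote_references(docx_bytes):
    """Return (part, type, target) for suspect external relationships in a .docx."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for part in zf.namelist():
            if not part.endswith(".rels"):
                continue
            # For untrusted files at scale, swap in a hardened parser such as defusedxml.
            for rel in ET.fromstring(zf.read(part)).iter(PKG + "Relationship"):
                rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                target = rel.get("Target", "")
                if (rel.get("TargetMode", "").lower() == "external"
                        and rel_type in SUSPECT_TYPES
                        and target.lower().startswith(("http://", "https://"))):
                    findings.append((part, rel_type, target))
    return findings


def build_sample():
    """Constructed minimal container: one remote template, one ordinary hyperlink."""
    rel = '<Relationship Id="{0}" Type="' + OFFICE + '{1}" Target="{2}" TargetMode="External"/>'
    wrap = '<Relationships xmlns="' + PKG.strip("{}") + '">{0}</Relationships>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/_rels/settings.xml.rels",
                    wrap.format(rel.format("rId1", "attachedTemplate", "https://example.invalid/t.html")))
        zf.writestr("word/_rels/document.xml.rels",
                    wrap.format(rel.format("rId2", "hyperlink", "https://example.invalid/about")))
    return buf.getvalue()


if __name__ == "__main__":
    for finding in remote_references(build_sample()):
        print(finding)
```

The ordinary hyperlink is deliberately not reported, since external hyperlinks are common in benign documents. This check covers OOXML containers only, so the Rich Text File variant mentioned above needs separate handling.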
Twitter user @crazyman_army says they disclosed this vulnerability to Microsoft on April 12, but the company reportedly decided on April 21 that it wasn't a security issue.
Beaumont says "Microsoft may have tried to fix this or accidentally fixed it in Office 365 Insider channel, without documenting a CVE or writing it down anywhere," sometime in May.
Huntress Labs says it expects