Security News > 2022 > May > Watch Out! Researchers Spot New Microsoft Office Zero-Day Exploit in the Wild
Cybersecurity researchers are calling attention to a zero-day flaw in Microsoft Office that could be abused to achieve arbitrary code execution on affected Windows systems.
According to security researcher Kevin Beaumont, who dubbed the flaw "Follina," the maldoc leverages Word's remote template feature to fetch an HTML file from a server, which then makes use of the "Ms-msdt://" URI scheme to run the malicious payload. MSDT is short for Microsoft Support Diagnostics Tool, a utility that's used to troubleshoot and collect diagnostic data for analysis by support professionals to resolve a problem.
"There's a lot going on here, but the first problem is Microsoft Word is executing the code via msdt even if macros are disabled," Beaumont explained.
Multiple Microsoft Office versions, including Office, Office 2016, and Office 2021, are said to be affected, although other versions are expected to be vulnerable as well.
What's more, Richard Warren of NCC Group managed to demonstrate an exploit on Office Professional Pro with April 2022 running on an up-to-date Windows 11 machine with the preview pane enabled.
We have reached out to Microsoft for comment, and we'll update the story once we hear back.
News URL
https://thehackernews.com/2022/05/watch-out-researchers-spot-new.html
Related news
- Microsoft Office 2024 now available for Windows and macOS users (source)
- Microsoft Is Disabling Default ActiveX Controls in Office 2024 to Improve Security (source)
- Microsoft September 2024 Patch Tuesday fixes 4 zero-days, 79 flaws (source)
- Microsoft fixes Windows Smart App Control zero-day exploited since 2018 (source)
- Microsoft fixes 4 exploited zero-days and a code defect that nixed earlier security fixes (source)
- Patch Tuesday for September 2024: Microsoft Catches Four Zero-Day Vulnerabilities (source)
- Adobe fixes Acrobat Reader zero-day with public PoC exploit (source)
- Adobe fixed Acrobat bug, neglected to mention whole zero-day exploit thing (source)
- Microsoft rolls out Office LTSC 2024 for Windows and Mac (source)
- Microsoft confirms IE bug squashed in Patch Tuesday was exploited zero-day (source)