Security News > 2022 > May > Watch Out! Researchers Spot New Microsoft Office Zero-Day Exploit in the Wild
Cybersecurity researchers are calling attention to a zero-day flaw in Microsoft Office that could be abused to achieve arbitrary code execution on affected Windows systems.
According to security researcher Kevin Beaumont, who dubbed the flaw "Follina," the maldoc leverages Word's remote template feature to fetch an HTML file from a server, which then makes use of the "Ms-msdt://" URI scheme to run the malicious payload. MSDT is short for Microsoft Support Diagnostics Tool, a utility that's used to troubleshoot and collect diagnostic data for analysis by support professionals to resolve a problem.
"There's a lot going on here, but the first problem is Microsoft Word is executing the code via msdt even if macros are disabled," Beaumont explained.
Multiple Microsoft Office versions, including Office, Office 2016, and Office 2021, are said to be affected, although other versions are expected to be vulnerable as well.
What's more, Richard Warren of NCC Group managed to demonstrate an exploit on Office Professional Pro with April 2022 running on an up-to-date Windows 11 machine with the preview pane enabled.
We have reached out to Microsoft for comment, and we'll update the story once we hear back.
News URL
https://thehackernews.com/2022/05/watch-out-researchers-spot-new.html
Related news
- VEILDrive Attack Exploits Microsoft Services to Evade Detection and Distribute Malware (source)
- Microsoft November 2024 Patch Tuesday fixes 4 zero-days, 91 flaws (source)
- Microsoft November 2024 Patch Tuesday fixes 4 zero-days, 89 flaws (source)
- Microsoft fixes actively exploited zero-days (CVE-2024-43451, CVE-2024-49039) (source)
- Microsoft patches Windows zero-day exploited in attacks on Ukraine (source)
- Botnet exploits GeoVision zero-day to install Mirai malware (source)
- Mystery Palo Alto Networks hijack-my-firewall zero-day now officially under exploit (source)
- Chinese hackers exploit Fortinet VPN zero-day to steal credentials (source)
- Microsoft launches Zero Day Quest hacking event with $4 million in rewards (source)
- Microsoft announces Zero Day Quest hacking event with big rewards (source)