Zero-day bug exploited by attackers via macro-less Office documents (CVE-2022-30190)
2022-05-31 09:12

A newly numbered Windows zero-day vulnerability (CVE-2022-30190, in the Microsoft Support Diagnostic Tool, MSDT, which handles the ms-msdt: URI scheme) is being exploited in the wild via specially crafted Office documents that need no macros, security researchers are warning.

Booby-trapped Office files delivered via email are one of the most common tactics attackers use to compromise endpoints, and attackers are constantly finding new ways to hide the documents' malicious nature from security tools and from the users they target.

Attackers have been exploiting Office macros to deliver exploits and malware for ages, but since Microsoft has made it so that the default behavior of Office applications is to block macros in files from the internet, attackers are testing new approaches.

Security researcher Kevin Beaumont, who analyzed the latest malicious document used by attackers, found that "The document uses the Word remote template feature to retrieve a HTML file from a remote webserver, which in turn uses the ms-msdt MSProtocol URI scheme to load some code and execute some PowerShell."
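The first link in that chain, the remote template, is visible inside the document itself and can be checked offline. A Word file (.docx, .docm, .dotx, .dotm) is a ZIP container, and an attached remote template appears as a relationship of type attachedTemplate with TargetMode="External" in one of the package's .rels parts (normally word/_rels/settings.xml.rels). The following PowerShell function is an added example for this page, not code from the article or from the researcher quoted above; the function name, the output fields and the quarantine folder path in the usage line are this example's own assumptions.

```powershell
# Added example for this page; not code from the article or from the researcher quoted above.
# Lists every relationship in a Word document that points outside the file.
# Remote-template abuse shows up as an 'attachedTemplate' relationship with TargetMode="External".
Add-Type -AssemblyName System.IO.Compression.FileSystem   # needed on Windows PowerShell 5.1

function Get-DocxExternalTargets {
    param([Parameter(Mandatory)][string]$Path)

    $zip = [System.IO.Compression.ZipFile]::OpenRead((Resolve-Path $Path).Path)
    try {
        foreach ($entry in $zip.Entries) {
            # Relationship parts live under */_rels/*.rels (e.g. word/_rels/settings.xml.rels)
            if ($entry.FullName -notlike '*_rels/*.rels') { continue }

            $reader = New-Object System.IO.StreamReader($entry.Open())
            try { [xml]$rels = $reader.ReadToEnd() } finally { $reader.Dispose() }

            foreach ($rel in $rels.Relationships.Relationship) {
                # Internal relationships point at other parts of the same package; skip them
                if ($rel.TargetMode -ne 'External') { continue }

                $kind = $null
                if ($rel.Type -like '*/attachedTemplate') {
                    # The remote-template feature: Word fetches this target when the file opens
                    $kind = 'RemoteTemplate'
                } elseif ($rel.Target -match '^(https?://|\\\\)') {
                    # Other external fetches (linked OLE objects, frames, images) are worth a look too
                    $kind = 'OtherExternal'
                }
                if (-not $kind) { continue }   # e.g. a mailto: hyperlink is not interesting here

                [pscustomobject]@{
                    File   = $Path
                    Part   = $entry.FullName
                    Kind   = $kind
                    Type   = ($rel.Type -split '/')[-1]
                    Target = $rel.Target
                }
            }
        }
    } finally {
        $zip.Dispose()
    }
}

# Usage: sweep a folder of mail attachments (the path is an assumption for this example)
Get-ChildItem -Path 'C:\Quarantine' -Recurse -Include *.docx, *.docm, *.dotx, *.dotm |
    ForEach-Object { Get-DocxExternalTargets -Path $_.FullName } |
    Format-Table Kind, Target, Part, File -AutoSize
```

A RemoteTemplate hit with an http(s) or UNC target is a reason to detonate or inspect the file, not proof of exploitation: the HTML that the template fetch retrieves, and therefore the ms-msdt step, is not stored in the document, so this check can only find the first hop of the chain. Legitimate corporate templates also use external targets, so compare the target host against the ones your organization actually serves.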

Code run this way executes with the privileges of the user who opened the malicious file, but attackers can chain in a separate privilege escalation exploit to gain higher privileges.

Microsoft has published mitigation guidance: customers using Microsoft Defender Antivirus "Should turn-on cloud-delivered protection and automatic sample submission", and those using Microsoft Defender for Endpoint can enable the attack surface reduction rule that blocks Office applications from creating child processes, the company added.
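Both of those settings can be applied and verified from an elevated PowerShell session with the Defender cmdlets. The script below is an added example for this page, not a script published by Microsoft; the function names and the idea of starting the rule in audit mode are this example's own choices. It assumes Microsoft Defender Antivirus is the active antivirus on the machine.

```powershell
# Added example for this page; not Microsoft's published script. Applies the two
# mitigations the article lists and verifies the result. Run in an elevated session
# on a machine whose active antivirus is Microsoft Defender Antivirus.

# GUID of the ASR rule "Block all Office applications from creating child processes"
$OfficeChildProcessRule = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'

function Enable-FollinaMitigations {
    param(
        # Use AuditMode first in an estate where Office add-ins legitimately spawn processes,
        # review the audit events, then switch to Enabled.
        [ValidateSet('Enabled', 'AuditMode')]
        [string]$RuleAction = 'Enabled'
    )

    # 1. Cloud-delivered protection (MAPS) and automatic sample submission
    Set-MpPreference -MAPSReporting Advanced
    Set-MpPreference -SubmitSamplesConsent SendAllSamples

    # 2. Attack surface reduction rule. Add-MpPreference appends to the configured rule list
    #    rather than replacing it, so other ASR rules already in place are left alone.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $OfficeChildProcessRule `
                     -AttackSurfaceReductionRules_Actions $RuleAction
}

function Test-FollinaMitigations {
    # Reports each setting as $true only when it is in the state the guidance asks for.
    $pref = Get-MpPreference

    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)

    # Ids and Actions are parallel arrays; find our rule's position (GUID case varies)
    $idx = -1
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $OfficeChildProcessRule) { $idx = $i; break }
    }
    # Action codes as reported by Get-MpPreference: 0 = Disabled, 1 = Block, 2 = Audit
    $ruleBlocking = ($idx -ge 0) -and ([int]$actions[$idx] -eq 1)

    [pscustomobject]@{
        CloudProtection                = ([int]$pref.MAPSReporting -eq 2)        # 2 = Advanced
        SampleSubmission               = ([int]$pref.SubmitSamplesConsent -eq 3) # 3 = SendAllSamples
        OfficeChildProcessRuleBlocking = $ruleBlocking
    }
}

Enable-FollinaMitigations -RuleAction Enabled
Test-FollinaMitigations
```

The child-process rule is broad: it applies to every Office application, not just Word, so macros, add-ins and document workflows that legitimately launch helper programs will be blocked once it is set to Enabled. Run it in AuditMode for a few days first and review the ASR events in the Microsoft-Windows-Windows Defender/Operational log (event ID 1122 for audited, 1121 for blocked) before enforcing it. Note also that this rule stops the Office process from spawning the handler; it does not change how the ms-msdt: scheme itself is handled.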


News URL

https://www.helpnetsecurity.com/2022/05/31/cve-2022-30190-follina/