
A critical vulnerability in Microsoft Office was disclosed on May 30, 2022. It is known by the name "Follina" and is tracked as CVE-2022-30190. What makes it particularly critical is that the attack complexity is rated low: the vulnerability can therefore also be exploited by inexperienced attackers and can cause severe damage on the affected system.
The vulnerability abuses the Microsoft Support Diagnostic Tool (MSDT) [https://docs.microsoft.com/de-de/windows-server/administration/windows-commands/msdt], which is normally used to collect diagnostic data and send it to Microsoft. A crafted document, however, retrieves malicious code or components from the Internet and executes them on the system with the rights of the user who opened the document. This lets the attacker take control of the system and the data on it and manipulate both. Depending on which other weaknesses are present, further attacks such as privilege escalation may follow.
The crafted document contains an https URL from which content is retrieved when the file is opened. That content contains JavaScript, which in turn navigates to a URL using the ms-msdt: scheme. This launches the tool described above with the parameters passed in the link; the tool loads the malicious code, which is then invoked and executed via PowerShell. What makes the attack particularly insidious is that no macros are involved, so classic macro protection offers no help against it.
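To make the chain above concrete from the defender's side, here is an added example (not code from the original advisory or from Microsoft): a Python triage script that unpacks a .docx, lists relationships marked External that point to http(s), singles out external oleObject references (the carrier described above), and checks retrieved content for an ms-msdt: URL. The sample document and HTML are constructed inline; the hostname, file name and MSDT parameters are placeholders, and no payload is included.

```python
"""
Triage helper for the document-borne chain described above: an Office
document carrying an external https reference that, once fetched, hands the
user's machine an ms-msdt: link. Added example, not code from the original
advisory. The sample document and HTML below are constructed for the
demonstration and contain no working payload.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
# MSDT registers this URL scheme under HKEY_CLASSES_ROOT\ms-msdt.
MSDT_RE = re.compile(r"ms-msdt:", re.IGNORECASE)


def external_relationships(docx_bytes: bytes) -> List[Tuple[str, str, str]]:
    """List (rels part, relationship kind, target) for every relationship
    marked External whose target is an http(s) URL. Hyperlinks land here
    too; they are not fetched on open, so the caller decides what matters."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                target = rel.get("Target", "")
                if rel.get("TargetMode") != "External":
                    continue
                if target.lower().startswith(("http://", "https://")):
                    kind = rel.get("Type", "").rsplit("/", 1)[-1]
                    found.append((name, kind, target))
    return found


def suspicious_relationships(docx_bytes: bytes) -> List[Tuple[str, str, str]]:
    """External oleObject relationships: an embedded object that Word resolves
    over the network when the document is opened. That is the carrier the
    advisory describes; a legitimate document rarely needs one."""
    return [r for r in external_relationships(docx_bytes) if r[1] == "oleObject"]


def references_msdt(content: str) -> bool:
    """True if fetched HTML/JavaScript contains an ms-msdt: URL."""
    return bool(MSDT_RE.search(content))


def build_sample_docx(ole_target: Optional[str] = None) -> bytes:
    """Constructed minimal .docx: a styles part, a harmless hyperlink and,
    if ole_target is given, an external oleObject relationship. Not a real
    sample; only the relationship structure matters for the check."""
    rels = [
        f'<Relationship Id="rId1" Type="{OFFICE_REL}styles" Target="styles.xml"/>',
        f'<Relationship Id="rId2" Type="{OFFICE_REL}hyperlink" '
        'Target="https://example.com/" TargetMode="External"/>',
    ]
    if ole_target:
        rels.append(f'<Relationship Id="rId3" Type="{OFFICE_REL}oleObject" '
                    f'Target="{ole_target}" TargetMode="External"/>')
    rels_xml = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
                f'<Relationships xmlns="{REL_NS}">{"".join(rels)}</Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


# Constructed stand-in for the content fetched from the document's URL:
# a page whose script navigates to the ms-msdt: scheme. The parameters are
# deliberately replaced; nothing here launches MSDT.
SAMPLE_HTML = ('<html><body><script>'
               'window.location.href = "ms-msdt:/PARAMETERS-REMOVED-FOR-EXAMPLE";'
               '</script></body></html>')


if __name__ == "__main__":
    # 203.0.113.0/24 is a documentation range; the path is a placeholder.
    doc = build_sample_docx("https://203.0.113.10/index.html")
    for part, kind, target in suspicious_relationships(doc):
        print(f"external {kind} in {part}: {target}")
    print("fetched content references ms-msdt:", references_msdt(SAMPLE_HTML))
```

Run it against a quarantined attachment before anyone opens it: an external oleObject target is worth blocking on its own, and if the target can be fetched safely from an isolated host, `references_msdt` tells you whether it is this chain. The check deliberately stays on the document and the fetched content; it does not reproduce the MSDT invocation.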
Until a patch is available, the following workaround is recommended.
The MSDT URL protocol used in the attack should be disabled, so that the links used can no longer be invoked and executed automatically.
1. Open the command prompt as administrator.
2. Back up the registry key (filename is a placeholder for the path of the backup file): reg export HKEY_CLASSES_ROOT\ms-msdt filename
3. Delete the registry key: reg delete HKEY_CLASSES_ROOT\ms-msdt /f
4. To undo the workaround once a patch has been installed, restore the key from the backup: reg import filename
So far no negative effects on productivity are known, but adequate testing should be carried out here as well before the change is rolled out.
Details can be found at the link.
Furthermore, Microsoft recommends that users of Microsoft Defender for Endpoint enable the attack surface reduction rule "BlockOfficeCreateProcessRule", which prevents Office applications from creating child processes.
In addition, Microsoft Defender Antivirus detects such attacks with signature build 1.367.719.0 or newer.
All employees should also be informed and made aware to be particularly vigilant when receiving Office files: the sender should be verified, and the content of the file should be expected and known. Where channels for informing and sensitizing employees already exist, this information should be distributed through them.
As soon as further information from Microsoft is available, especially regarding patches or updates, we will inform you accordingly or post it on this website. The vulnerability has only recently become known, so further attack scenarios may develop and further measures may become necessary. Affected parties should therefore monitor further developments. In case of changes, we will inform you on our website and continuously update this advisory.