By now, almost everyone has heard that macros in Word can be dangerous. After all, the program blocks them by default and displays a warning banner. However, macros are not the only way to abuse the program. On Twitter, user @nao_sec shared a malicious Word document that had just been discovered.
This document exploits a flaw nicknamed Follina. It is classified as a zero-day: in other words, it is already being exploited by attackers and no update is available (Microsoft has had "zero days" to release a patch). nao_sec noticed the document by chance on the VirusTotal website while searching for documents exploiting another flaw. An Internet user located in Belarus appears to have submitted the document to the site to check whether it was detected by the various antivirus engines.
Code hidden in base64
The document uses Word's remote template feature to load an HTML file from a remote location. That file then invokes the Microsoft Support Diagnostic Tool (MSDT) to download a further file and run PowerShell commands, and this works even when macros are disabled. The author of the code used a known technique to hide the problematic commands: they are base64-encoded and only decoded at runtime.
Researchers do not know the author's exact intent, because the second file is no longer available. However, once it can execute PowerShell commands, it can take full control of the computer and attack other devices on the same network.
Follina is particularly problematic. By default, Word opens .docx files in Protected View, so the code only runs if the user clicks "Enable Editing". If the document is in .rtf format, however, this protection is not applied. Worse, in that case it is enough to select the file in File Explorer, without opening it, for the code to run.
Demonstration of Follina working on a fully updated Office 2021. © Didier Stevens
Report already rejected by Microsoft in April
The code works on all Word versions since at least Office 2013, including Office 2021, even with every update installed. It turns out the problem had already been reported in April by the Shadow Chaser Group, a team of students who hunt for security flaws. Someone named John at the Microsoft Security Response Center (MSRC) closed the report, saying it was not a security issue and that the sample provided did not work on his computer. Microsoft appears to have changed its mind: on May 30 the company registered the flaw as CVE-2022-30190.
Currently, there is no simple way to protect against this attack. While waiting for a patch, the most widely shared workaround is to edit the registry so that the diagnostic tool can no longer be launched from Word. To do this, create a value named EnableDiagnostics under HKLM\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnostics and set it to 0.
But beware, this workaround is for advanced users. Any mistake while modifying the registry can damage the system and prevent the computer from starting.
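The registry workaround described above, as an added PowerShell example (it is not code from the original article): it creates the policy key if it is missing, records the previous state, sets the value to 0 and verifies the result, with a rollback function so the change can be undone once a patch is installed. It assumes an elevated PowerShell session and the key path and value name given in the article.

```powershell
#Requires -RunAsAdministrator
# Added example: apply and verify the Follina workaround (EnableDiagnostics = 0).
# Assumption: key path and value name are exactly as stated in the article above.
$KeyPath   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnostics'
$ValueName = 'EnableDiagnostics'

function Get-ScriptedDiagnosticsState {
    # Returns $null when the key or the value does not exist yet, otherwise the DWORD.
    if (-not (Test-Path -Path $KeyPath)) { return $null }
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Disable-ScriptedDiagnostics {
    # Create the policy key if needed, set the DWORD to 0, then read it back to confirm.
    if (-not (Test-Path -Path $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null
    }
    $before = Get-ScriptedDiagnosticsState
    New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord -Value 0 -Force | Out-Null
    $after = Get-ScriptedDiagnosticsState
    if ($after -ne 0) { throw "Failed to set $ValueName under $KeyPath" }
    [pscustomobject]@{ Key = $KeyPath; Value = $ValueName; Before = $before; After = $after }
}

function Restore-ScriptedDiagnostics {
    # Rollback: remove the policy value so the default behaviour returns after patching.
    if (Test-Path -Path $KeyPath) {
        Remove-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    }
}

# Apply the workaround and show the before/after state for the change record.
Disable-ScriptedDiagnostics | Format-List
```

Keep the "Before" value from the output so you know whether the value was absent or already set when you later run Restore-ScriptedDiagnostics.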