Zero Days - Follina

I recently learned of actively exploited zero-days that seem high risk.

The zero-days bypass AntiVirus (AV) and User Access Control (UAC) protections by exploiting Windows built-in MSProtocol URI scheme.

Microsoft has yet to release patches, and the ease with which these exploits bypass known protections is alarming.

The scope of the attack surface is still being discovered as cybersecurity researchers attempt to test various schemas within the MSProtocol URI.

Users will have to manually modify the registry, backup, and delete entries to mitigate risks.

The following links highlight the issues more in-depth:

Interesting maldoc was submitted from Belarus. It uses Word's external link to load the HTML and then uses the "ms-msdt" scheme to execute PowerShell code.https://t.co/hTdAfHOUx3 pic.twitter.com/rVSb02ZTwt
— nao_sec (@nao_sec) May 27, 2022

https://medium.com/doublepulsar/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e

microsoft-edge + ms-search + MSDT path traversal 0day = fun of 2-clicks (one click additional due to Protected View if docx is coming from remote btw). pic.twitter.com/W4PwvqFhQu
— j00sean (@j00sean) June 6, 2022

Rapid Response: Microsoft Office RCE - “Follina” MSDT Attack

A new attack vector enables hackers to more easily compromise users with malicious Microsoft Office documents.

Huntress-1John Hammond