Microsoft ‘Follina’ Office Vulnerability: How To Prevent It
Steven Burke, Jay Fitzgerald
Here are the steps Microsoft and MSP security stalwarts Huntress, ThreatLocker, Sophos and Blackpoint Cyber are recommending to MSPs to prevent the Follina zero-day vulnerability from wreaking havoc.
Huntress: Pursue Mitigation Efforts To ‘Limit Your Attack Surface’
MSP threat researcher Huntress, which issued a “rapid response” post for MSPs on the attack, recommended that MSPs using Microsoft Defender’s Attack Surface Reduction activate the rule “Block all Office applications from creating child processes” in Block mode. That step prevents the exploit, said Huntress.
That said, Huntress pointed out that if MSPs are not using ASR they may wish to run the “rule in Audit mode first and monitor the outcome to ensure there’s no adverse impact on end users.”
Another option, said Huntress, is to remove the file type association for MS-MSDT, which can be done in the Windows registry at HKCR:\ms-msdt or with Kelvin Tegelaar’s PowerShell snippet.
Taking that step, Huntress said, will effectively prevent the malware from running when a “malicious” Office document is opened. Huntress cautioned that MSPs should make a backup of the registry setting before taking advantage of that mitigation.
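The two Huntress mitigations above (the ASR rule in Audit mode first, and the ms-msdt handler removal with a registry backup) as one administrator script. This is an added example, not Huntress’s guidance text or Kelvin Tegelaar’s snippet; the backup file location is an assumption, and the ASR rule GUID is Microsoft’s published identifier for “Block all Office applications from creating child processes.”

```powershell
# Added example (not Huntress's or Kelvin Tegelaar's code). Run in an elevated PowerShell session.

# --- Part 1: ASR rule "Block all Office applications from creating child processes" ---
# GUID d4f940ab-401b-4efc-aadc-ad5f3c50688a is Microsoft's published id for that rule.
$OfficeChildProcRule = 'd4f940ab-401b-4efc-aadc-ad5f3c50688a'

# Add-MpPreference appends to the existing rule set; Set-MpPreference would replace it.
# Start in AuditMode as Huntress suggests, then re-run with 'Enabled' (Block) once the
# audit events show no adverse impact on end users.
Add-MpPreference -AttackSurfaceReductionRules_Ids $OfficeChildProcRule `
                 -AttackSurfaceReductionRules_Actions AuditMode

# --- Part 2: back up, then remove, the ms-msdt: protocol handler ---
$BackupPath = Join-Path $env:ProgramData 'ms-msdt-backup.reg'   # assumed backup location
$KeyPath    = 'HKCR:\ms-msdt'

# PowerShell has no HKCR: drive by default; map HKEY_CLASSES_ROOT so Test-Path/Remove-Item work.
if (-not (Get-PSDrive -Name HKCR -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
}

if (Test-Path $KeyPath) {
    # reg.exe export writes a restorable .reg file before anything is deleted (/y overwrites).
    reg.exe export 'HKCR\ms-msdt' $BackupPath /y | Out-Null
    if (-not (Test-Path $BackupPath)) {
        throw "Backup of HKCR\ms-msdt failed; not removing the handler."
    }
    Remove-Item -Path $KeyPath -Recurse -Force
}

# Verify the mitigation took effect.
if (Test-Path $KeyPath) {
    Write-Warning 'ms-msdt protocol handler is still present.'
} else {
    Write-Output "ms-msdt protocol handler removed; backup saved to $BackupPath"
}

# Roll back once a patch is applied:  reg.exe import $BackupPath
```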
With no patch currently available, Huntress recommended cautioning end users “to be extra vigilant when opening up any attachments, particularly Word documents.”
Huntress said the Office vulnerability is “pretty trivial” to reproduce and that it expects “cybercriminals to begin weaponizing” it for initial access immediately by sending emails with the malicious code.
“Huntress is keeping a close eye on the developing threat of a zero-click remote code execution technique used through MSDT (Microsoft Diagnostics Tool) and Microsoft Office utilities, namely Microsoft Word,” wrote Microsoft Threat Researcher John Hammond in a post. “Throughout the next coming days, we expect exploitation attempts in the wild through email-based delivery.”
The zero-day attack “sprung up out of nowhere and there’s currently no patch available,” wrote Hammond. He said the zero-day vulnerability features remote code execution, “which means that once this code is detonated, threat actors can elevate their own privileges and potentially gain ‘God Mode’ access to the affected environment.”