An Actively Exploited Microsoft Zero-Day Flaw Still Has No Patch (wired.com) 38
"An actively exploited Microsoft zero-day flaw still has no patch," Wired wrote Friday (in an article they've designated as "free for a limited time only.")
Microsoft first received reports of the flaw on April 21st, the article points out, and researchers have now seen malicious Word documents exploiting Follina for targets in Russia, India, the Philippines, Belarus, and Nepal. Yet "The company continues to downplay the severity of the Follina vulnerability, which remains present in all supported versions of Windows." Researchers warned last weekend that a flaw in Microsoft's Support Diagnostic Tool could be exploited using malicious Word documents to remotely take control of target devices. Microsoft released guidance on Monday, including temporary defense measures. By Tuesday, the United States Cybersecurity and Infrastructure Security Agency had warned that "a remote, unauthenticated attacker could exploit this vulnerability," known as Follina, "to take control of an affected system." But Microsoft would not say when or whether a patch is coming for the vulnerability, even though the company acknowledged that the flaw was being actively exploited by attackers in the wild. And the company still had no comment about the possibility of a patch when asked by WIRED [Thursday].
The Follina vulnerability in a Windows support tool can be easily exploited by a specially crafted Word document. The lure is outfitted with a remote template that can retrieve a malicious HTML file and ultimately allow an attacker to execute Powershell commands within Windows. Researchers note that they would describe the bug as a "zero-day," or previously unknown vulnerability, but Microsoft has not classified it as such. "After public knowledge of the exploit grew, we began seeing an immediate response from a variety of attackers beginning to use it," says Tom Hegel, senior threat researcher at security firm SentinelOne. He adds that while attackers have primarily been observed exploiting the flaw through malicious documents thus far, researchers have discovered other methods as well, including the manipulation of HTML content in network traffic....
The vulnerability is present in all supported versions of Windows and can be exploited through Microsoft Office 365, Office 2013 through 2019, Office 2021, and Office ProPlus. Microsoft's main proposed mitigation involves disabling a specific protocol within Support Diagnostic Tool and using Microsoft Defender Antivirus to monitor for and block exploitation.
But incident responders say that more action is needed, given how easy it is to exploit the vulnerability and how much malicious activity is being detected.
The Register adds that the flaw works in Microsoft Word even when macros are disabled. (Thanks to long-time Slashdot reader Z00L00K for sharing the story!)
Friday Microsoft went into the vulnerability's official CVE report and added this update.
"Microsoft is working on a resolution and will provide an update in an upcoming release."
Microsoft first received reports of the flaw on April 21st, the article points out, and researchers have now seen malicious Word documents exploiting Follina for targets in Russia, India, the Philippines, Belarus, and Nepal. Yet "The company continues to downplay the severity of the Follina vulnerability, which remains present in all supported versions of Windows." Researchers warned last weekend that a flaw in Microsoft's Support Diagnostic Tool could be exploited using malicious Word documents to remotely take control of target devices. Microsoft released guidance on Monday, including temporary defense measures. By Tuesday, the United States Cybersecurity and Infrastructure Security Agency had warned that "a remote, unauthenticated attacker could exploit this vulnerability," known as Follina, "to take control of an affected system." But Microsoft would not say when or whether a patch is coming for the vulnerability, even though the company acknowledged that the flaw was being actively exploited by attackers in the wild. And the company still had no comment about the possibility of a patch when asked by WIRED [Thursday].
The Follina vulnerability in a Windows support tool can be easily exploited by a specially crafted Word document. The lure is outfitted with a remote template that can retrieve a malicious HTML file and ultimately allow an attacker to execute Powershell commands within Windows. Researchers note that they would describe the bug as a "zero-day," or previously unknown vulnerability, but Microsoft has not classified it as such. "After public knowledge of the exploit grew, we began seeing an immediate response from a variety of attackers beginning to use it," says Tom Hegel, senior threat researcher at security firm SentinelOne. He adds that while attackers have primarily been observed exploiting the flaw through malicious documents thus far, researchers have discovered other methods as well, including the manipulation of HTML content in network traffic....
The vulnerability is present in all supported versions of Windows and can be exploited through Microsoft Office 365, Office 2013 through 2019, Office 2021, and Office ProPlus. Microsoft's main proposed mitigation involves disabling a specific protocol within Support Diagnostic Tool and using Microsoft Defender Antivirus to monitor for and block exploitation.
But incident responders say that more action is needed, given how easy it is to exploit the vulnerability and how much malicious activity is being detected.
The Register adds that the flaw works in Microsoft Word even when macros are disabled. (Thanks to long-time Slashdot reader Z00L00K for sharing the story!)
Friday Microsoft went into the vulnerability's official CVE report and added this update.
"Microsoft is working on a resolution and will provide an update in an upcoming release."
It is Microsoft. What do you expect? (Score:1, Troll)
They have crappy engineering, crappy leadership and do not care about their customers one bit as long as the dollars keep rolling in.
Re: (Score:3, Funny)
Eh ... they care about maintaining the appearance that their shitting on home customers (treating them as beta-testers for corporate customers) is accomplishing anything useful. That's kind of like caring about some of their customers.
Re: (Score:2, Funny)
Well, yes. Caring to exploit them. I stand corrected.
Re: (Score:1)
They have crappy engineering, crappy leadership and do not care about their customers one bit as long as the dollars keep rolling in.
And yet, Microsoft is now doubling salaries and increasing stock compenstation [newsweek.com] to retain these same crappy engineers because, according to their crappy leadership:
"Time and time again, we see that our talent is in high demand because of the amazing work that you do,"
Re: (Score:2)
A scam operator needs to keep up appearances. Otherwise the house of cards collapses.
Re: (Score:2)
They started with bad design and followed with sloppy implementation and have been trying to patch the steaming pile of code ever since.
It just won't ever be fixed.
I just don't know why people keep buying it. They must be really stupid.
Re: (Score:2)
They started with bad design and followed with sloppy implementation and have been trying to patch the steaming pile of code ever since.
It just won't ever be fixed.
At the current complexity they have reached and failed to keep under control, it is probably impossible to fix it. That is not hyperbole, that is how engineering works: At some level of complexity you lose control and you cannot get it back anymore. In the early stages you can often still fix things by drastic simplification, but that that ship has sailed long ago for the products MS makes. That is also why all good engineers respect KISS above everything else. MS never has understood KISS and hence consist
Re: It is Microsoft. What do you expect? (Score:5, Informative)
Tldr, run the below workaround: /f
reg delete HKEY_CLASSES_ROOT\ms-msdt
21 replies and not a single mention of the simple way to mitigate the issue...
Note, if you disable the msdt url protocol you might have issues with Microsoft diagnostic and troubleshooting wizards, which are rarely helpful anyways.
From Microsoft:
---
Workarounds
To disable the MSDT URL Protocol
Disabling MSDT URL protocol prevents troubleshooters being launched as links including links throughout the operating system. Troubleshooters can still be accessed using the Get Help application and in system settings as other or additional troubleshooters. Follow these steps to disable:
Run Command Prompt as Administrator. /fâ.
To back up the registry key, execute the command âoereg export HKEY_CLASSES_ROOT\ms-msdt filenameâoe
Execute the command âoereg delete HKEY_CLASSES_ROOT\ms-msdt
How to undo the workaround
Run Command Prompt as Administrator.
To restore the registry key, execute the command âoereg import filenameâ
Re: It is Microsoft. What do you expect? (Score:2)
Has anyone ever been helped by those wizards?
To me it also seems like Microsoft is dumbing down the wrong things. The control panel was never a problem for me, but the settings panels now in later versions are just horrible. You have to scroll a lot up and down to do the things you want. The list of installed programs no longer offers version info in settings but it's there in the old control panel tool etc. So in the future it may be necessary to run command line tools to see and do anything useful as an I
Re: (Score:3)
This has been documented everywhere. Why would anybody mention it again? The point is this is a change many people will not do because they fear they might mess it up or be unable to reverse it. MS products have this way of breaking in surprising and obscure ways and the usual way to "fix" them is a re-installation. It does not get much more crappy than this regarding software maintainability. Hence people are afraid to touch anything and the only real way to fix this is an update. Which MS is dragging thei
Re: (Score:2)
Tldr, run the below workaround: reg delete HKEY_CLASSES_ROOT\ms-msdt /f
21 replies and not a single mention of the simple way to mitigate the issue...
A workaround, yes.
6 weeks after Microsoft was notified, I rather expect an official patch coming through Windows Update.
It's all been downhill... (Score:4, Funny)
...since Word 5.1 for Macintosh.
Trying to shoehorn all kinds of DTP and scripting functionality into a Word Processor hasn't gone well at all for Mickeysoft. Even they don't know how the software works any more, per their own specs.
Re: (Score:2)
Even they don't know how the software works any more, per their own specs.
Available evidence seems to strongly support that statement, yes. A sign of a product that urgently needs to be thrown away because it is broken and cannot be fixed anymore.
Re: (Score:2)
...since Word 5.1 for Macintosh.
That's where you're wrong, kiddo. Things have gone downhill since WordPerfect 5.1 for DOS. That was and still is the ultimate word processing program. The ease of use has yet to be matched.
Once Microsoft worked to kill off WordPerfect, it's been downhill since.
Re: (Score:2)
Things have gone downhill since WordPerfect 5.1 for DOS. That was and still is the ultimate word processing program. The ease of use has yet to be matched.
I prefer WYSIWYG and menus to having to know four functions for every fkey, thanks. My keyboard isn't template compatible.
Re: (Score:2)
Things have gone downhill since WordPerfect 5.1 for DOS. That was and still is the ultimate word processing program. The ease of use has yet to be matched.
I prefer WYSIWYG and menus to having to know four functions for every fkey, thanks. My keyboard isn't template compatible.
WP 5.1 was WYSIWYG. You could literally, in the truest sense of the word, see how your document would look when you printed it. In fact, one of its greatest strengths was being able to see behind the scenes at the formatting codes. Once activated, reveal codes showed you every bold, indent, tab and whatnot. If you couldn't figure out why a word or words weren't doing what you thought they should, reveal codes and edit what you needed. It was absolute granular control.
Now compare to Word where you have t
Re: (Score:2)
I use any word processor handy when I want to write a letter, and I use a DTP product for anything more complicated, either Scribus or InDesign depending on the circumstances. But I grew up with a parent who was a graphic artist, and I cut my teeth on Aldus Pagemaker on a Macintosh IIci back in the day, so it just seems natural to me that if I want layout, I should use something with layout. I might write the copy in OO.o Writer or even Word, though the latter is quite unlikely. I don't have much reason to
Re: (Score:3)
Trying to shoehorn all kinds of DTP and scripting functionality into a Word Processor hasn't gone well at all for Mickeysoft.
Hasn't it? *Checks Microsoft's market share*. No it really has gone very well for them.
Re: (Score:2)
Hasn't it? *Checks Microsoft's market share*. No it really has gone very well for them.
Word hasn't been successful because it's been the best. It's been successful because Microsoft willfully exploited an effective monopoly position [justice.gov], as determined by the USDoJ. But that was a watershed moment, where AG John Ashcroft stated that it was not in the nation's best interest to hold them accountable for their actions. In short, we are no longer enforcing antitrust law in this country, no matter how guilty the parties involved. The only thing that matters now is whether you've greased the right palms
Re: (Score:2)
Word hasn't been successful because it's been the best.
No one cares why, the question was if something has or hasn't gone well for them. $15.6bn. That's Q2 2022's revenue from just their Productivity division which is almost entirely due to Office, and it's the only point relevant to the discussion. Clearly they have not been negatively affected.
Re:NSA_KEY (Score:4, Informative)
There are a number of workarounds to combat this attack type. SANS covered this days ago: https://isc.sans.edu/forums/di... [sans.edu]
Setting policy to prevent Office apps from spawning child processes has been a recommendation for years now. Microsoft has a whole policy package you can deploy, if you so desire.
No super-duper patching needed and the info is widely available, even to trolls.
Re: (Score:2, Interesting)
But how many "legitimate" applications will this break? Apps that you want, and need that policy enabled to be able to run. Where the devs couldn't figure out any way to accomplish what you want in any other way?
And then those devs put on their black hats and sent you the bomb wrapped in an MSWord document. That's how SIM swapping works. Some poor single mom calls the phone store with a sob story about how her phone got stolen. And could you please switch the account to a new phone. With kids crying and do
Re: (Score:2)
Dave Plummer to the rescue https://youtu.be/gmP8AtmVr0o [youtu.be].
Yes, this patch is as easy as backing up and deleting a few registry keys.
Microsoft has alwyas been (Score:2)
At this point, you can't blame Microsoft (Score:2)
99.99% of the MS-Office users would not recognize a macro even if it stops on the street and slaps on their face.
We know MS has added too many features and increased vulnerability surface a lot. Prudent thing to do is to turn off all the features
Re: (Score:1)
Au crontraire. MS bears all responsibility for this mess. Unless you want to blame the clueless that made an incompetent tech company like MS into more than a historical footnote by buying its broken products?
Re: (Score:2)
I think the real problem is and always will be that a lot of business people do not know anything about technology. They think of computers and software as appliances and that's just not the case. Sure, some are done well enough that they "just work" but most software has to go beyond appliance level and that adds complexity.
People unknowingly bought into a technical solution without completely understanding the position they were putting themselves. In some cases, perhaps the pain of becoming an income str
Re: (Score:2)
Re: At this point, you can't blame Microsoft (Score:2)
This specific flaw did work even with macros disabled.
This is why (Score:2)
Re: This is why (Score:2)
You'd need to go for older Win versions to avoid this specific one.
Not zero day (Score:2)
A zero-day exploit is one that attacks a vulnerability that is not yet known by the maker of the software being exploited. This vulnerability has been known for a while now.
https://en.wikipedia.org/wiki/... [wikipedia.org]
Re: Not zero day (Score:2)
It's actually supposed to be "zero days since discovery". The point being that the more days that pass, the more people who will find out about it, and thus, less valuable.
The term stems from software priacy in the BBS days of the 80's. There used to be different places to upload games based on how old they were labeled like "0 day", "1 day", "5-10 day", etc.
I never really understood the obsession so many had with 0 day warez. Like it being new made it better, and tomorrow it'd be less useful.
Re: (Score:2)
I think the implied urgency makes the term zero day "cool" somehow.
probably because (Score:2)
The mitigation is easy and effective (Score:2)