Windows Zero-day vulnerability discovered

Earlier this month, a zero-day vulnerability was found in one of Microsoft’s tools. The finding was made by an independent cybersecurity company called nao_sec which analyses suspicious software. The threat seemed to be hidden in one of Microsoft’s most popular tools.

Zero-day attack and software vulnerability explained

As its name suggests, software vulnerabilities are flaws or defects in a given software through which attacks can enter. Hackers thus take advantage of these ‘holes’ in the security system to insert some kind of malicious software and cause damage. This can be several things like accessing confidential data, DDOS attacks, phishing, etc.

Regularly, software developers are on the lookout for such threats and try to spot vulnerabilities in time. That is, they can prevent the attacks and fix the vulnerabilities before they actually happen, for example, by releasing a new version of a given software.

The problem is that sometimes these vulnerabilities are discovered before the tech engineers find a solution, and this is what we know as a “zero-day attack”. These strikes are very dangerous because, as soon as one zero-day vulnerability is out in the open, it can be used by thousands of hackers around the world. After all, they know there isn’t a solution yet.

Zero-day vulnerabilities can be of different kinds and are hard to spot, which is as much a good thing as it is a bad one. Hackers have a hard time finding these weak spots, but when they do, they become a real threat. We can see this by analysing some recent examples of zero-day attacks. Some types of zero-day attacks can be broken algorithms, bugs, missing authorizations, or URL redirects.

Follina: A potential threat lurks in your Word files

The vulnerability was called ‘Follina’ and uses a remote template feature in Word. With this feature, it’s able to retrieve an HTML file from a remote server. Then, this file uses a protocol from Microsoft to execute PowerShell commands and load code on the system.

Now, why is Follina so pernicious? Firstly, it attacks through one of Microsoft’s most used tools, and secondly, it doesn’t require opening the file to introduce the malicious software. In other words, even if the user doesn’t open the Word document, the payload is executed anyway. Only by displaying the document in the Preview tab, you’ll be endangering your system. Moreover, Follina affects different product versions:

• Office
• Office 2016
• Office 2021
• Office 2022

Is Follina as dangerous as Log4Shell?

Experts compare Follina with Log4Shell, a vulnerability discovered in November 2021 and patched in December of the same year. Apparently, these two have much in common.

Follina is very powerful and easy to exploit because it bypasses Windows Defender. It also has some of the worst characteristics that we can find in such threats. According to Roger Grimes, an expert in data-driven protection, the worst kind of zero-day vulnerability is the one that executes as soon as the user clicks on or downloads the file.

However, he also pointed out that Follina is not such a big threat if the appropriate patch is added. Users must enable the auto-patching function and Microsoft 365 users will have the patch added since these upgrade automatically. After all, it seems that Follina is not changing the computer world any time soon. Nonetheless, Grimes encourages users to be careful and attentive. Other experts in cybersecurity, like Dirk Schrader, compared Follina to Log4Shell. Discovered several months ago, Log4Shells continues to be a concern for several companies around the world. But what do these have in common?

Log4Shell works similarly to Follina in the sense that it uses the system’s ability to call for external resources. This means that regular restrictions and Windows Defender won’t detect the malicious activity, therefore not being able to block the attack.

Microsoft’s solution

The company recognized the flaw through CVE-2022-30190 and presented workarounds to mitigate the vulnerability. They published on an official blog that the vulnerability exists when the system’s diagnostic tool is called from Word using the URL protocol. If an attacker were to take advantage of this flaw, he or she would be able to access users’ rights. For example, they can create new accounts, change, and delete data, install programs, etc.

Microsoft thus proposed a workaround to solve this issue. They recommend going to the MSDT tool and disabling the URL protocol, which prevents trouble-shooters from being taken by links. The best part is that the trouble-shooter will keep working but it won’t allow protocol-specific links to open automatically.

All in all, this workaround won’t have such a big impact on the user’s experience as MSDT is not a general support tool. Even though it’s used to share information with technicians, this can be perfectly done in other ways. When a user disables the URL protocol, the MSDT will not be launched through a link, but technicians will be able to open it manually.

Protect yourself from zero-day attacks

This article shows us how vulnerable is our software and how exposed is our information, particularly if we don’t protect it. Companies, businesses, and users that work with confidential data must take zero-day attacks seriously. Since these are introduced through glitches in the system of which even developers are not aware, they become a major threat.

While it is true that cybersecurity experts try not to make zero-day vulnerabilities public before they find a patch, it’s better to err on the side of caution.