Following the exposure of the Microsoft Office vulnerability mentioned yesterday by the SANS Institute, the vulnerability has been named Follina, and Microsoft is aware of it.
Researchers at the SANS Institute have provided further advice on how to tackle the threat below.
Researchers at the SANS Institute said:
How it works:
“Malicious Office documents are a popular means to introduce malware. Microsoft has restricted Office macros to make it more difficult to abuse them. However, this new vulnerability bypasses these restrictions. Malicious code is executed as the user opens the document. No warning is displayed. Microsoft considers this a vulnerability in the Microsoft Support Diagnostic Tool (MSDT).”
Level of danger:
“Exploiting the vulnerability is easy, and multiple ready-to-go tools are available to create exploits. All currently supported versions of Windows are vulnerable. The vulnerability allows for code execution from Office documents with minimum friction/user interaction.”
Four steps to protecting against it:
- “Disable the ms-msdt protocol handler in the registry. Minimal disruption can be expected, and it can be rolled out centrally with GPO with little effort. If problems come up, it’s easy to undo.
- Roll out detection rules: they’re not disruptive to endpoints, though may cause some limited false positives.
- Educate your users about the threat
- Monitor the situation: check for updates to Microsoft’s bulletin.”
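The first step above, disabling the ms-msdt protocol handler, amounts to removing its registry key while keeping an export so the change can be reversed. The following PowerShell is an added example, not code from SANS or Microsoft; the backup file path is an assumption, and it must be run from an elevated prompt.

```powershell
# Added example: disable the ms-msdt protocol handler by removing its registry
# key, exporting the key first so the change can be undone. The backup path is
# an assumption; adjust it for your environment.
$Backup = 'C:\ProgramData\ms-msdt-backup.reg'
$KeyPath = 'Registry::HKEY_CLASSES_ROOT\ms-msdt'

function Disable-MsMsdtHandler {
    if (-not (Test-Path $KeyPath)) {
        Write-Output 'ms-msdt handler key not present; nothing to do.'
        return
    }
    # Export before deleting so Restore-MsMsdtHandler can put it back.
    reg.exe export 'HKEY_CLASSES_ROOT\ms-msdt' $Backup /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'Backup failed; key was not deleted.' }
    reg.exe delete 'HKEY_CLASSES_ROOT\ms-msdt' /f | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'Could not delete the ms-msdt key.' }
    Write-Output "ms-msdt handler disabled; backup written to $Backup"
}

function Restore-MsMsdtHandler {
    # Undo path: re-import the exported key.
    if (-not (Test-Path $Backup)) { throw "No backup found at $Backup" }
    reg.exe import $Backup | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'Restore failed.' }
    Write-Output 'ms-msdt handler restored.'
}

function Test-MsMsdtHandlerDisabled {
    # The handler is disabled when the protocol key no longer exists.
    return (-not (Test-Path $KeyPath))
}

Disable-MsMsdtHandler
Test-MsMsdtHandlerDisabled
```

For a fleet, the same export/delete pair can be pushed as a GPO startup script or a scheduled task; Restore-MsMsdtHandler is the rollback if any workflow depending on MSDT breaks.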