Anatomy of a Zero Day: How Follina Tricks Word Into Running Arbitrary Code Even with Macros Disabled and Despite Protected View

Webinar Registration

Would you allow anyone in the world to email an application to any user in your organization to be executed on their PC? Of course not.

But most of us are in fact doing that right now thousands of times a day. Every time we open an Office “document.” Let’s stop using the term document because it’s misleading. Document implies passive content. Office files are not documents – they are software. Whenever you allow a user to open a Word or Excel attachment in an email you are allowing the sender an opportunity to remotely execute arbitrary code in the context of your user.

Macros disabled? Protected view enforced? Doesn’t matter. Not when Microsoft packs the attack surface of Office with things like the MSDT URL protocol and remote templates. It’s just a recipe for zero-day exploits.

Case in point is Follina aka CVE-2022-30190. This little beauty allows you to send a Word “document” to someone that contains a reference to a remote template. Word graciously downloads that template from the staging server and then encounters a reference to the Microsoft Support Diagnostic Tool (msdt.exe) using the ms-msdt: protocol handler. Word obediently executes msdt with parameters specified in the template thus controlled by the attacker. Ultimately msdt executes whatever arbitrary commands the attacker wants through a parameter named IT_BrowseForFile.

In this webinar, I will show you how Follina works starting with an innocently looking Word “document” that has no macros. Thankfully this particular zero-day is patched.

But this is just one in countless other ways to trick Office into being the cat’s paw of attackers. And we aren’t going to stop using Office anytime soon. So we will also discuss strategic methods for dealing with the risk of Office documents and all the other highly functional content users open and process every day.

As just one example of the defense scenarios we will explore is the highly effective method of analyzing parent-child processes. But there’s plenty of other detection controls to consider. Threat researchers Brian Coulson and Dan Kaiser, from our sponsor LogRhythm, will be joining me and they will take us through the detection mitigations they have developed for Follina and we’ll discuss how to extend them to yet undiscovered attacks.

Please join us for this real training for free session.

First Name:   
Last Name:   
Work Email:  
Zip/Postal Code:  
Job Title:

Your information will be shared with the sponsor.

By clicking "Submit", you're agreeing to our Privacy Policy and consenting to be contacted by us and the sponsor.



Upcoming Webinars
    Additional Resources