Follina: Microsoft Office Zero Day Vulnerability
by Vertek Labs
Vertek’s Response & Mitigation:
There is currently no patch available for this vulnerability. However, CISA and Microsoft have published several workarounds to use until a patch is released. Given the severity of this vulnerability if exploited, Vertek recommends evaluating the following mitigations to determine whether they can be applied in your environment.
Mitigation via MS Defender’s Attack Surface Reduction (ASR) rules: MS Defender has created a rule named “Office app launching child processes”. Enabling this rule stops Office apps from creating child processes, which prevents a malicious document from running arbitrary commands through MS-MSDT. More information regarding this rule can be found here.
Vertek’s Threat Intelligence team has created custom USM Anywhere alarm rules to alert on process creations made by the Microsoft Support Diagnostic Tool.
The following rules look for process creations in Microsoft ATP and AlienVault Agent event logs using the source process msdt.exe.
The following rules look for process creations in Microsoft ATP events made by the parent process sdiagnhost.exe with the child processes conhost.exe, cmd.exe, or PowerShell.
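The two rule conditions described above, sketched as an added Python example (this is not Vertek's USM Anywhere rule set or code from this page). The event field names `host`, `parent_image` and `image` are hypothetical, the sample events are constructed, and "PowerShell" is assumed to mean `powershell.exe`.

```python
import ntpath

# Child processes named for the sdiagnhost.exe rule; "PowerShell" is
# assumed to mean powershell.exe.
SDIAGNHOST_CHILDREN = {"conhost.exe", "cmd.exe", "powershell.exe"}


def image_name(path):
    """Lower-cased file name of a Windows image path; tolerates quotes and None."""
    return ntpath.basename((path or "").strip().strip('"')).lower()


def match_rules(event):
    """Return the names of the rules a process-creation event matches."""
    parent = image_name(event.get("parent_image"))
    child = image_name(event.get("image"))
    hits = []
    if parent == "msdt.exe":  # any process created by msdt.exe
        hits.append("msdt_process_creation")
    if parent == "sdiagnhost.exe" and child in SDIAGNHOST_CHILDREN:
        hits.append("sdiagnhost_shell_child")
    return hits


def scan(events):
    """Return (host, child image, rule) for every matching event."""
    return [(ev.get("host"), image_name(ev.get("image")), rule)
            for ev in events for rule in match_rules(ev)]


# Constructed sample events (not real telemetry); field names are hypothetical.
SAMPLE_EVENTS = [
    # Office starting msdt.exe: msdt.exe is the child here, so neither rule fires.
    {"host": "ws01", "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\msdt.exe"},
    {"host": "ws01", "parent_image": r"C:\Windows\System32\MSDT.EXE",
     "image": r"C:\Windows\System32\cmd.exe"},
    {"host": "ws01", "parent_image": r'"C:\Windows\System32\sdiagnhost.exe"',
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.exe"},
    {"host": "ws02", "parent_image": r"C:\Windows\System32\sdiagnhost.exe",
     "image": r"C:\Windows\System32\csc.exe"},  # child not in the rule's list
    {"host": "ws03", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe"},  # ordinary shell launch
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
```

Matching is done on the normalized file name, so differences in case, quoting or install path in the logged image do not cause a miss.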
In addition to the alarm rules, AT&T Cyber Security has published an OTX pulse containing a list of IOCs identified after successful exploitation of this vulnerability. The full list of IOCs can be found here.
All supported Office applications.