Broken windows: ‘Follina’ flaw has not been fixed – for 22 MONTHS


A nasty zero-click, zero-day RCE bug remains unfixed. All supported versions of Windows, as well as Windows 7, are affected.

The vulnerability, dubbed Follina after a string in the exploit that looks like an Italian area code, has been assigned CVE-2022-30190. It has been under active exploitation for at least 25 days, but was first discovered in August 2020. Microsoft has made efforts to address it.

It’s just the latest FAIL from Redmond. In today’s SB Blogwatch, we disconnect the internet.

Your humble blogwatcher has curated these blog bits for your entertainment. Not to mention: How to fix it with regedit.

The final straw for Windows users?

What’s the latest? Lily Hay Newman reports—”Actively exploited Microsoft Zero-Day flaw still has no patch”:

Real-world exploitation
The company continues to downplay the severity of the Follina… vulnerability in all supported versions of Windows. [It] can easily be exploited by a specially designed Word document.

Although attackers have mainly been seen exploiting the flaw via malicious documents so far, [there are] other methods. … Incident responders say more action is needed, given how easily the vulnerability can be exploited.

Researchers have…seen malicious documents exploiting Follina with targets in Russia, India, Philippines, Belarus…Nepal [and] Tibet. … With all of this real-world exploitation, the question is whether the guidance Microsoft has released so far is adequate.

Not so fast: American and European government targets are also being attacked. So says Proofpoint:

By a state-aligned actor
Phishing campaign targeting… European government and local US government.

This campaign disguised itself as a pay rise and used an RTF… with the exploit payload downloaded from 45.76.53.253. … The downloaded Powershell script was base64 encoded and used Invoke-Expression to download an additional PS script … from seller-notification.live.

[We] suspect that this campaign is being led by a state-aligned actor, based on both the PowerShell’s extensive reconnaissance and its narrow targeting focus. We do not currently attribute it to a [threat actor].

So it’s an Office bug? No, it’s a Windows bug. And one that has been known for 22 months, as Steve Gibson explains:

Microsoft's MSRC ruined everything
A bachelor’s thesis written by… Benjamin Altpeter on August 1, 2020 [says] “Windows includes the ms-msdt:// [URL] protocol that opens the Microsoft Support Diagnostic Tool, which provides the troubleshooting assistant. … This protocol passes the string given to it directly to the msdt.exe program. The attacker must now find an included wizard that allows the execution of arbitrary programs. … The Program Compatibility Wizard fits this description: … All user input can also be prefilled from the command line.”

Benjamin’s bachelor’s thesis dates back almost two years. The reference was obscure, it was on page 29, and we’ll never know whether anyone saw it and recognized its significance, as he did, or perhaps independently invented the attack. …Anyway, last month, on April 12th… Shadowchasing1, an [APT] hunting group, reported active exploitation of this vulnerability in the wild to Microsoft.

Nine days pass. On April 21, Microsoft’s MSRC canceled and closed the ticket, saying it was not a security issue. … This could represent another example of the pattern that seems to be emerging, where Microsoft increasingly seems to need the external security research community to solve all of its problems for it.

Apparently saying, “Hey, [you’re] allowing Word’s remote template feature to retrieve an HTML file from a remote server, which [can] run PowerShell”, … is no longer enough to get Microsoft’s attention. …So all we can do is hope for the best [and] do a:
“reg delete HKEY_CLASSES_ROOT\ms-msdt /f”

And there is still no patch? Not officially. But Mitja Kolsek is here for you — “Free Micropatches”:

Where possible, we want to minimize our impact beyond removing the vulnerability, so we decided to put our fix in sdiagnhost.exe before the RunScript call and check whether the path provided by the user contains the sequence “$(” – which is needed for injecting a PowerShell subexpression. If one is detected, we ensure that the RunScript call is bypassed while the diagnostic tool continues to run. [The] original code [is] moved to a trampoline.

We also fixed Windows 7, where the ms-msdt: URL handler is not registered at all. … Since this is a “0day” vulnerability with no official vendor patch available, we are providing our micropatches for free until this patch is available.

How did Microsoft become so incompetent as to ignore the issue for 22 months and then close the ticket when the inevitable exploits occurred? gweihir tries not to be hyperbolic:

At the current complexity they’ve reached and failed to master, it’s probably impossible to fix it. That’s not hyperbole, that’s how engineering works: at a certain level of complexity, you lose control and you can’t get it back. …That ship sailed a long time ago for products made by MS.

Hence the current mess, which is not going away. And there are other reasons, none of which speak highly of the people who have made and maintained the size and success of MS.

But Microsoft closed the ticket! MSRC has form, says jeff_w87:

MS says that’s not a problem, but it obviously is. Same for the very old version of log4j that comes with SQL Server: MS says it’s not a problem, but it is.

I wish I could… dump all “unsafe by default” MS operating systems and applications. Any government… on this planet should ban MS software from running on their networks, especially if it is a connected system.

It’s been going on for decades, says cbf:

Far too many things in the Microsoft world are “active” – that is, willing to open links, integrations, etc., on your behalf – in so many places and in so many ways. … The intersection of this philosophy and the Internet has been an ongoing 25-year security disaster with no end in sight.

What can be done? 140Mandak262Jamuna just shrugs his shoulders:

Sensible people don’t have the power to force MS to do the right thing. … Try to make the best of the situation.

It sucks. … But MS doesn’t care. Its user base doesn’t care. So we have to do what it takes to protect ourselves.

Meanwhile, Nowicki sums up the problem perfectly:

0 clicks, 0 days in a core Windows application. Pleasant.

And finally:

Dave skillfully demonstrates registry revocation

Previously in And finally


You have been reading SB Blogwatch by Richi Jennings. Richi curates the best blogs, the best forums, and the weirdest websites…so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE. 30.

Image sauce: Andreea Popa (via Unsplash; leveled and cropped)
