A fascinating Word document was uploaded to a file scanning service. Researchers found it over the Memorial Day weekend, and it's clear there's a zero-day vulnerabilty allowing code execution in malicious Office documents.
Upon identification, the SANS team went to work investigating the vulnerability and potential remediation. On Tuesday, May 31, SANS and Senior Instructor Jake Williams held a webcast to share what we uncovered on how the vulnerability works, how to detect exploitation, and how to remediate. You can watch the full webcast on demand here.
After the webcast concluded, Jake compiled answers to the questions he received from attendees about the vulnerability being called "Follina," and we're sharing those with you now to help the cyber industry get a better handle on this new exploit.
You Asked, Jake Answered
1.What versions of Microsoft Office are vulnerable?
Answer: It doesn't seem to impact all versions of Office. If you're on the Microsoft 365 current or insider channel, it was patched before this weekend. If you're on the semi-annual channel, it was definitely vulnerable this weekend. Same with Office 2019 (and I think 2016).
2. Does this impact Apple Macs?
Answer: I don't believe it impacts Mac because there's no protocol handler for MSDT (a Windows diagnostic tool) on Mac.
3. Hindsight being 20/20, what detections could have been in place to detect?
Answer: Know your environment and investigate odd parent/child process relationships.
4. Does the mitigation with the registry keys break Macros?
Answer: No, it's completely unrelated. The registry key mitigation changes and modifies a registry key that will disable the vulnerability from working.
5. Does Cortex XDR block this exploit?
Answer: Unknown. I don't have Cortex XDR, but you can definitely detect exploitation or block based on preventing msdt.exe from executing as a child process of winword.exe.
6. Can we block outbound connections from msdt.exe to the internet? Would that stop the exploit?
Answer: No.
7. Will the exploit still work if the document is downloaded from the internet with the mark of web (MOW) and opened in protected mode?
Answer: No, but in Explorer preview mode, MOW doesn't seem to be evaluated.
8. What's the usual/expected/legitimate use of sdiagnhost.exe?
Answer: It is a legitimate part of Windows that supports the collection of diagnostic and troubleshooting data/telemetry, usually for Microsoft.
9. Can this be exploited from opening an email message? (And not opening attachments)?
Answer: Possibly, depending on the email client.
10. Why is CVSS score only 7.8/7.3 - shouldn't it be higher?
Answer: Yes, it should be. The CVSS score is irrelevant. This vulnerability has been repeatedly mischaracterized by Microsoft, so the CVSS score will be, too.
11. Are there any known negative impacts of the Microsoft registry key mitigation (so far)?
Answer: None.
12. What is the comprehensive list of IOCs?
Answer: There is no comprehensive lists of IOCs. You should rely on detection engineering, not IOCs in any case.
13. Is Office365 affected by this vulnerability?
Answer: Semi-annual channel definitely is/was.
14. Is it beneficial to both remove the protocol handler key from the registry and disable the troubleshooting wizards as suggested by Benjamin Delphy?
Answer: Yes. We address this question in more detail in the webcast.
15. Once the GPO has been pushed, how do you go about validating MSDT is effectively disabled?
Answer: You should test.
16: How significant is it that Follina can reportedly only execute arbitrary code under the end user's authoriy level? For instance, we have an enforced policy where no one byt IT has admin rights.
Answer: As significant as any malware running in a non-administrative context.
17. Are there other URI/protocol handlers that can be removed?
Answer: All of them could be, but you need to test.
18. How can mitigation be validated?
Answer: You should test using sample documents, as we discussed in more detail during the webcast.
19. Would the Defender Attack Surface Reduction policy on blocking Office applications from spawning child processes be more helpful or harmful?
Answer: The best answer I can give is that it depends on your environment.
Resources
You can watch the full emergency webcast on Follina on demand here. See also, resources provided by the SANS Internet Storm Center:
