Hackers can take control by simply opening a Word file

You will also be interested


[EN VIDÉO] How to add checkboxes in Word?
With this new tech tutorial from Futura, discover how to create checkboxes in Word. © Futura

By now, almost everyone has heard that macros can be dangerous Microsoft a word. After all, the program blocks them by default and displays a warning banner. However, this is not the only way to use the program infect the computer. On Twitter, user @nao_sec shared a malicious code that was discovered in a document a word.

This code uses an error called Follina. She is classified as zero day In other words, it has already been exploited by hackers and without an update (Microsoft has ‘zero days’ to release a patch). nao_sec noticed the code in question by chance on the Virus Total website while searching for documents with another error. An Internet user located in Belarus could have sent the document in question to the site to check whether it was detected by various antivirus programs.

Basically hidden code 64

The code uses the program’s remote template feature to load an HTML file from a file waiter. This then converts the tool from Diagnosis From Microsoft Support (MSDT) to upload a file and run PowerShell commands. And this, even if Macros Deactivated. The author of the code used the same technique that was discovered on some sites To hide problematic commands: they are converted to base 64, and decrypted at runtime.

Researchers do not know the exact purpose of the author, because the second file is no longer available. However, from the moment it manages to execute PowerShell commands, it can take full control of the computer and attack other devices on it. local network.

See also  HP Pavilion 15-eh1004nf, Fast, Thin and Lightweight 15-inch Multi-tiered Laptop with AMD Octo Core Ryzen and 16GB RAM

Volina is particularly problematic. By default, Word opens .docx files in Protected View. Then the code is executed only if the user clicks “enable modification”. However, if it is in .rtf format, this protection will not be activated. Moreover, in this case, it is enough to select it in the file explorer, without opening it, for the code to be executed.

Demo of how Follina is working on an updated version of Office 2021. © Didier Stevens

Report already rejected by Microsoft in April

The code works on all versions Microsoft Office Since at least 2013, including Office 2021, even with all updates. It turns out that the problem has already been reported Microsoft In April by the Shadow Chaser Group, a team of students chase controversies. A man named John Min Microsoft Security Response Center (MSRC), then convinced by saying that it was not a file security issueThe sample provided did not work on his computer. It appears that Microsoft has changed its mind, since May 30 the company has registered the flaw under CVE-2022-30190.

Currently, there is no easy way to protect against this attack. While waiting for the update, the most common solution seems to be to edit the registry to prevent the diagnostic tool from starting from Word. To do this, we must create value Enable Diagnostics in HKLM\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnostics and put it in 0.

But beware, this solution is for advanced users. Any error in modifying the registry can damage the system and prevent the computer from starting.

Discover Online Subscriptions Browse without ads! At this moment, the Mag Futura is served In return for a 3-month subscription to the “I Participate in the Life of Futura” subscription!

What is Mag Futura?

  • Our first paper magazine with over 200 pages to make science accessible to as many people as possible
  • Dive into the heart of 4 scientific topics on the occasion of 2022, from the Earth to the Moon

*Mag Futura is sent after the third month of registration.

Interested in what you just read?

Frank Mccarthy

<p class="sign">"Certified gamer. Problem solver. Internet enthusiast. Twitter scholar. Infuriatingly humble alcohol geek. Tv guru."</p>

Leave a Reply

Your email address will not be published. Required fields are marked *

Back to top