🚨 CRITICAL ALERT
A severe 0-day vulnerability called #Follina has been exposed (since May 27th) in MS Word Documents.
It could allow hackers to take full control of your computer, in some cases WITHOUT even opening the file. 🧵
A severe 0-day vulnerability called #Follina has been exposed (since May 27th) in MS Word Documents.
It could allow hackers to take full control of your computer, in some cases WITHOUT even opening the file. 🧵
1/ This exploit is a mountain of exploits stacked on top of eachother. However, it is unfortunately easy to re-create and cannot be detected by anti-virus. Strap in as we try to explain.
2/ The 0-day starts with a feature in MS Word called Templates.
This feature allows Word to load and execute HTML and JS from external sources.
Sound concerning? Don’t worry it gets way worse.
This feature allows Word to load and execute HTML and JS from external sources.
Sound concerning? Don’t worry it gets way worse.
3/ Using the Template’s HTML and Javascript the payload then runs the following Powershell command to run a service called Microsoft Support Diagnostic Tool, or MSDT. 
4/ MSDT is used by Microsoft Support to help debug issues with your operating system. MSDT also conveniently allows for remote access to your computer. (similar to TeamViewer)
5/ There’s just one problem. MSDT normally requires the user to input their password to run it. But MSDT has a buffer overflow vulnerability. So the hacker can bypass password protection entirely.
6/ (If this exploit happens to you and you ran Word as Administrator, wipe that machine. It's beyond saving)
7/ Wanna know how it becomes a “0-click” exploit? .rtf file previews execute the malicious code just by downloading the file and simply VIEWING it in the file explorer.
8/ Previously, the advice for malicious Word docs was to never click Enable Content.
With this Templates exploit, ANY Word Doc can be INSTANTLY malicious from the second you open it.
With this Templates exploit, ANY Word Doc can be INSTANTLY malicious from the second you open it.
9/ Why should web3 care?
Exploits like these are why it is CRITICALLY important not to store private keys in plain text on your file system.
Second, we’ve seen similar attacks work in the past, and this exploit is even more serious as a "0-click" exploit.
Exploits like these are why it is CRITICALLY important not to store private keys in plain text on your file system.
Second, we’ve seen similar attacks work in the past, and this exploit is even more serious as a "0-click" exploit.
10/ The @arthur_0x attack displayed many similarities to this attack, detailed in our thread below.
https://twitter.com/wallet_guard/status/1509196531202932736
11/ The real world threat of this attack is that all .doc, .docx, and .rtf files need to be considered VULNERABLE at this point in time. This especially applies to VCs for example.
Again, this exploit allows for remote code execution so it is very serious.
Again, this exploit allows for remote code execution so it is very serious.
12/ Our recommendations:
- Discontinue use of Word for the time being
- Utilize Google Docs
- Disable MSDT (see next tweets)
- Utilize PDF instead of vulnerable extension types
- Discontinue use of Word for the time being
- Utilize Google Docs
- Disable MSDT (see next tweets)
- Utilize PDF instead of vulnerable extension types
13/ Microsoft’s “Workarounds”: Microsoft is currently REFUSING to fix this 0-day and seem reluctant to even call it that. (even though it absolutely is).
14/ Here are your solutions:
1. If you use Microsoft Cloud Delivered Protection Service, you may be protected. However we still HIGHLY recommend solution 2
2. Disabling the MSDT URL Protocol
1. If you use Microsoft Cloud Delivered Protection Service, you may be protected. However we still HIGHLY recommend solution 2
2. Disabling the MSDT URL Protocol
15/ Here's our sources for anyone who wants to review
msrc-blog.microsoft.com/2022/05/30/gui…
bleepingcomputer.com/news/microsoft…
msrc-blog.microsoft.com/2022/05/30/gui…
bleepingcomputer.com/news/microsoft…
16/ TL;DR:
DO NOT download .doc, .docx, and especially .rtf files if you are on Windows. Assume they are vulnerable for the time being. Use the above solutions to prevent yourself from becoming a victim. We unfortunately believe this threat could compromise many people.
DO NOT download .doc, .docx, and especially .rtf files if you are on Windows. Assume they are vulnerable for the time being. Use the above solutions to prevent yourself from becoming a victim. We unfortunately believe this threat could compromise many people.
17/ Please share this with co-workers or anyone who could be a high profile target. You very well may prevent someone from getting hacked. This vulnerability is considered by many security researchers to be one of the worst Word exploits we’ve ever seen.
We’ll be covering this hack in more detail in our weekly security space twitter.com/i/spaces/1vAxR…
If you’re interested in what we do: walletguard.app
Stay safe out there!
If you’re interested in what we do: walletguard.app
Stay safe out there!
• • •
Missing some Tweet in this thread? You can try to
force a refresh
