Wallet Guard
Jun 1, 19 tweets, 5 min read
🚨 CRITICAL ALERT

A severe 0-day vulnerability called #Follina has been exposed (since May 27th) in MS Word Documents.

It could allow hackers to take full control of your computer, in some cases WITHOUT even opening the file. 🧵
1/ This exploit is a mountain of exploits stacked on top of each other. However, it is unfortunately easy to re-create and cannot be detected by anti-virus. Strap in as we try to explain.
2/ The 0-day starts with a feature in MS Word called Templates.

This feature allows Word to load and execute HTML and JS from external sources.

Sound concerning? Don’t worry, it gets way worse.
3/ Using the Template’s HTML and Javascript the payload then runs the following Powershell command to run a service called Microsoft Support Diagnostic Tool, or MSDT.
4/ MSDT is used by Microsoft Support to help debug issues with your operating system. MSDT also conveniently allows for remote access to your computer. (similar to TeamViewer)
5/ There’s just one problem. MSDT normally requires the user to input their password to run it. But MSDT has a buffer overflow vulnerability. So the hacker can bypass password protection entirely.
6/ (If this exploit happens to you and you ran Word as Administrator, wipe that machine. It's beyond saving)
7/ Wanna know how it becomes a “0-click” exploit? .rtf file previews execute the malicious code just by downloading the file and simply VIEWING it in the file explorer.
8/ Previously, the advice for malicious Word docs was to never click Enable Content.

With this Templates exploit, ANY Word Doc can be INSTANTLY malicious from the second you open it.
9/ Why should web3 care?

Exploits like these are why it is CRITICALLY important not to store private keys in plain text on your file system.

Second, we’ve seen similar attacks work in the past, and this exploit is even more serious as a "0-click" exploit.
10/ The @arthur_0x attack displayed many similarities to this attack, detailed in our thread below.
11/ The real world threat of this attack is that all .doc, .docx, and .rtf files need to be considered VULNERABLE at this point in time. This especially applies to VCs for example.

Again, this exploit allows for remote code execution so it is very serious.
12/ Our recommendations:
- Discontinue use of Word for the time being
- Utilize Google Docs
- Disable MSDT (see next tweets)
- Utilize PDF instead of vulnerable extension types
13/ Microsoft’s “Workarounds”: Microsoft is currently REFUSING to fix this 0-day and seems reluctant to even call it that (even though it absolutely is).
14/ Here are your solutions:

1. If you use Microsoft Cloud Delivered Protection Service, you may be protected. However, we still HIGHLY recommend solution 2
2. Disabling the MSDT URL Protocol
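The registry-level form of solution 2, as an added example that is not from the original thread: it follows Microsoft's published workaround of exporting and then deleting the `ms-msdt` protocol handler key, with a restore step for after a patch is installed. The backup file location is an assumption; run it from an elevated PowerShell session.

```powershell
# Added example (not the thread's own code): apply / check / undo Microsoft's
# Follina workaround, which removes the ms-msdt: URL protocol handler so that
# Office templates and RTF previews have no handler to invoke.
$MsdtKey    = 'HKEY_CLASSES_ROOT\ms-msdt'
$BackupFile = Join-Path $env:ProgramData 'ms-msdt-backup.reg'   # assumed backup path

function Test-MsdtProtocolEnabled {
    # True while the ms-msdt: handler is still registered (workaround NOT applied).
    return (Test-Path -Path "Registry::$MsdtKey")
}

function Disable-MsdtProtocol {
    if (-not (Test-MsdtProtocolEnabled)) {
        Write-Output "ms-msdt handler already absent; nothing to do."
        return
    }
    # 1. Back up the key first so the handler can be restored later.
    reg.exe export $MsdtKey $BackupFile /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Backup of $MsdtKey failed; not deleting." }
    # 2. Delete the handler; ms-msdt: links now resolve to nothing.
    reg.exe delete $MsdtKey /f | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Could not delete $MsdtKey." }
    Write-Output "ms-msdt handler removed; backup saved to $BackupFile"
}

function Restore-MsdtProtocol {
    # Re-register the handler from the backup once a fix is installed.
    if (-not (Test-Path -Path $BackupFile)) { throw "No backup found at $BackupFile" }
    reg.exe import $BackupFile | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Import of $BackupFile failed." }
    Write-Output "ms-msdt handler restored from $BackupFile"
}

# Usage (elevated session):
#   Disable-MsdtProtocol
#   Test-MsdtProtocolEnabled    # expected: False once the key is gone
```

Checking `Test-MsdtProtocolEnabled` across a fleet is a quick way to confirm the workaround actually landed on each machine.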
15/ Here are our sources for anyone who wants to review

msrc-blog.microsoft.com/2022/05/30/gui…

bleepingcomputer.com/news/microsoft…
16/ TL;DR:

DO NOT download .doc, .docx, and especially .rtf files if you are on Windows. Assume they are vulnerable for the time being. Use the above solutions to prevent yourself from becoming a victim. We unfortunately believe this threat could compromise many people.
17/ Please share this with co-workers or anyone who could be a high profile target. You very well may prevent someone from getting hacked. This vulnerability is considered by many security researchers to be one of the worst Word exploits we’ve ever seen.
We’ll be covering this hack in more detail in our weekly security space twitter.com/i/spaces/1vAxR…

If you’re interested in what we do: walletguard.app

Stay safe out there!
