Mysterious "Follina" zero-day hole in Office

Btw, Andy Ful's own testing against Follina using Simple Windows Hardening, complete with an attack chain diagram and explanation:

https://malwaretips.com/threads/simple-windows-hardening.102265/post-992545

 

and what about h_c? is follina blocked by its default config?

 

This should not come as a surprise.

https://twitter.com/BleepinComputer/status/1536354781379321856

And Microsoft has said in published materials that it supports the Ukrainians in this war, yet it knew about Follina since months.

 

I like to learn this as well.

 

He did a "bad one" by not quoting Cybereason as the source of his posting .

What he didn't fully explain is that PowerShell is invoked twice in this attack. This first deployment is via the parm input to msdt.exe which invokes PowerShell via COM to download the final payload as explained by Cybereason. PowerShell CL mode won't prevent this initial PowerShell activity.

I also question what is highlighted below:

Windows runs system maintenance PowerShell scripts at system startup time via CompatTelRunner.exe. I would assume that those invoke PowerShell based .dlls that would be blocked via PowerShell CL mode if what he claims is the case. Yet, those scripts run w/o issue on my Win 10 build successfully.

-EDIT- I checked out how these scripts are running and they are running as restricted mode which is more restrictive that CL mode.

However, note how the scripts run:

powershell.exe -ExecutionPolicy Restricted -Command Write-Host
​

Note that Execution Policy parm. setting will override any global PowerShell Language mode setting.

​

 

Invitation: Sophos "Follina" webinar 16 June 2022

https://nakedsecurity.sophos.com/2022/06/13/youre-invited-join-us-for-a-live-walkthrough-of-the-follina-story/

"... a free webinar in which we'll give you a live explanation and demonstration
of the "Follina" vulnerability."

 

Yes, because as someone elsewhere correctly put it: H_C > SWH

 

Thanks very much. Kindly taken note of H_C stronger than SWH.

 

You're welcome, but in no way am I diminishing the effectiveness of SWH to stop numerous common threats. It is very powerful in its own right, and there are many posts at MT that prove this.

 

ok, thanks.

 

i think it's safe to say that h_c is more for advanced / power users, no?

 

Well most likely, although I've never really thought about it that way, especially because I've never used SWH. H_C has a "Recommended Settings" button and its built-in Configure Defender component has "Default" and "High" Protection level buttons which take the guess work out of it for anyone. Of course there are many settings that the user can enable or disable manually, and that's where maybe the power user approach could come into play. As for SWH, I've never used it but I believe it's very straightforward as well, probably more so than H_C.

 

Personal curiosity.
Has any forum member listed anti-exploit sdiagnhost.exe?

 

"Microsoft patches actively exploited Follina Windows zero-day

Microsoft has released security updates with the June 2022 cumulative Windows Updates to address a critical Windows zero-day vulnerability known as Follina and actively exploited in ongoing attacks..."

https://www.bleepingcomputer.com/ne...-actively-exploited-follina-windows-zero-day/

 

I'm hoping they actually fixed it. Rolling out now.

 

Good, very hopefully this is a stopgap in the ongoing cyber-warfare in Eastern Europe. As well as in other regions and places.

 

I wonder if we need to reverse the registry keys that we either deleted or renamed?

 

From Bleeping.....

I doubt if Thomas Edison himself could've done better.

 

you don't need to. the keys will be owerwritten when you apply the patch.

 

I was hoping they wouldn't bother. They don't seem to have caused any lack of functionality that I cared about.

 

well, actually i was just making an assumption.

 

Cool so we don't actually know lol.

 

There is more from Andy Ful on his Folina test:

https://malwaretips.com/threads/simple-windows-hardening.102265/post-992985

Powershell was executed only once, and only by sdiagnhost.exe and not by msdt.exe, which only passed the code to sdiagnhost.exe.

 

No, at least not yet, but maybe it should be considered. Currently it looks like msdt.exe passes Powershell code onto sdiagnhost.exe in the Follina exploit, so preventing msdt.exe in the earlier stage should render sdiagnhost a moot point - at least in the interim. Although you bring up a good point Sampei

EDIT

A video on Andy Ful's Follina exploit test:

https://malwaretips.com/threads/simple-windows-hardening.102265/post-993043