Follina, Microsoft Office vulnerability, also affects Foxit PDF Reader; no patches available

A few days ago, a security researcher reported the detection of a zero-day vulnerability in Microsoft Office that could be exploited using apparently harmless Word documents capable of executing PowerShell commands through the Microsoft Support Diagnostic Tool (MSDT).

After the flaw, dubbed as Follina, was publicly disclosed and various exploits were released, Microsoft acknowledged the bug and assigned it the CVE-2022-30190 tracking key, describing it as a remote code execution (RCE) error.

Security specialist Kevin Beaumont explained that malicious documents use Word’s remote template feature to retrieve an HTML file from a remote web server, which in turn uses the MSProtocol ms-msdt URI scheme to load code and run PowerShell. Beaumont also explains that the Follina error can also be exploited using ms-search MSProtocol.

Vulnerable PDF tools

Although this was already a considerable security risk, things did not stop there, as it was recently confirmed that the vulnerability could also be activated in Foxit PDF Reader. Through their Twitter account, user @j00sean mentioned: “While testing PDF readers, I found a way to trigger error CVE-2022-30190, also known as #Follina, in Foxit PDF Reader. This doesn’t work in Adobe because of sandbox protections.”

The user shared a video of their proof of concept (PoC), showing that the tests were performed on Foxit PDF Reader v11.2.2.53575, the latest version of the tool. At the moment, the developers of the PDF reader have not released security updates to address the bug or issued security alerts about it.

The researcher also posted the payload to trigger the bug in Foxit, adding that successful exploitation requires the target user to allow connection in the pop-up window of a security warning.

Known exploitation

Groups of allegedly Chinese threat actors have been actively exploiting this vulnerability. The reports specifically point to TA413, an advanced persistent threat (APT) group that launches ongoing hacking campaigns against the Tibetan community.

Finally, a Report by Proofpoint details how various officials in Europe and the United States have fallen victim to this campaign, receiving malicious documents through phishing emails allegedly sent by legitimate entities.

Feel free to access the International Institute of Cyber Security (IICS) websites to learn more about information security risks, malware variants, vulnerabilities, and information technologies.