Cybersecurity researcher Nao_sec discovered a malicious Word document, 05-2022-0438.doc, which was uploaded to VirusTotal by a user from Belarus. The document uses the remote template function to retrieve HTML, and then uses the “ms-msdt” URI scheme to execute PowerShell code. The issue affects Microsoft Office, Office 2016 and Office 2021. Cybersecurity expert Kevin Beaumont has published a vulnerability analysis.
“The document uses the remote Word template function to extract an HTML file from a remote server that uses the ms-msdt MSProtocol URI scheme to load code and execute PowerShell scripts,” Beaumont wrote in the report.
“The first problem is that Microsoft Word executes code through the ms-msdt support tool even with macros disabled. Protected viewing starts, but if you change the document to RTF format, protected viewing is enabled even without opening the document (via the preview tab in Explorer),” the researcher added.
Recall that Microsoft began blocking the execution of VBA macro scripts in five Microsoft Office applications. Since the beginning of April 2022, it has been impossible to enable macro scripts in untrusted documents downloaded from the Internet in Microsoft Access, Excel, PowerPoint, Visio and Word.
Microsoft has also increased the payouts for finding “significant” vulnerabilities in Office 365 as part of its vulnerability reward program.