1. Forum
  2. tqwNet
  3. TQW_GENTECH

  • Watch out for this dangerous new Microsoft Word scam, Office user

    From TechnologyDaily@1337:1/100 to All on Tue May 31 14:15:04 2022
    Watch out for this dangerous new Microsoft Word scam, Office users warned

    Date:
    Tue, 31 May 2022 12:58:06 +0000

    Description:
    There's a way for Word files to trigger remote code execution even if files are only previewed, experts warn.

    FULL STORY ======================================================================

    Cybercriminals have found a new hole in Microsoft Word documents that allow them to distribute malware , researchers are saying.

    Discovered by cybersecurity expert Kevin Beaumont, and dubbed Follina, the hole leverages a Windows utility called msdt.exe, designed to run different troubleshooter packs on Windows.

    According to the report, when the victim downloads the weaponized Word file, they dont even need to run it, previewing it in Windows Explorer is enough
    for the tool to be abused (it has to be an RTF file, though).

    Share your thoughts on Cybersecurity and get a free copy of the Hacker's Manual 2022 . Help us find how businesses are preparing for the post-Covid world and the implications of these activities on their cybersecurity plans. Enter your email at the end of this survey to get the bookazine, worth $10.99/10.99.

    By abusing this utility, the attackers are able to tell the target endpoint
    to call an HTML file, from a remote URL. The attackers have chosen the xmlformats[.]com domain, probably trying to hide behind the similar-looking, albeit legitimate, openxmlformats.org domain used in most Word documents, the researchers are suggesting. Acknowledging the threat

    The HTML file holds plenty of junk, which obfuscates its true purpose - a script that downloads and executes a payload.

    The report says almost nothing about the actual payload, so its hard to determine the threat actors endgame. It does say that the complete chain of events related to the publicized samples is not yet known.

    Following the publication of the findings, Microsoft has acknowledged the threat, saying a remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word.

    An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the users rights. Read more

    Attackers have found a way to bypass a crucial Microsoft Office patch


    Beware - that Windows 11 document is probably a scam


    What is a zero-click attack, and what can you do about them?

    While some antivirus software, such as Sophos, are already capable of
    spotting this attack, Micorosft has also released a mitigation method, which includes disabling the MSDT URL protocol.

    While this will prevent troubleshooters from being launched as links, they
    can still be accessed using the Get Help application, and in system settings. To activate this workaround, admins need to do the following:

    Run Command Prompt as Administrator.

    To back up the registry key, execute the command reg export HKEY_CLASSES_ROOT\ms-msdt filename

    Execute the command reg delete HKEY_CLASSES_ROOT\ms-msdt /f. Protect your premises from ransomware with the best protection services right now



    ======================================================================
    Link to news story: https://www.techradar.com/news/watch-out-for-this-dangerous-new-microsoft-word -scam-office-users-warned/


    --- Mystic BBS v1.12 A47 (Linux/64)
    * Origin: tqwNet Technology News (1337:1/100)