Almost everyone has heard by now that macros are dangerous Microsoft Word. After all, the software blocks them by default and displays a warning banner. However, this is not the only way to use the software Infect a computer. On TwitterUser @nao_sec shared malicious code found In a document Word.

This code uses a flaw called Folina. It’s classified as “Zero-Day”, in other words, by pirates already exploited and not updated (Microsoft has “zero days” to release a patch). തിരnao_sec While searching for documents with another flaw, the virus accidentally noticed a suspicious code on the site. An Internet user based in Belarus submitted a suspicious document to the site that will check if it was detected by various antiviruses.

A code hidden in base 64

The code software’s remote template feature is used to load an HTML file from. The waiter. This then redirects the device Diagnosis From Microsoft Support (MSDT) for uploading a file and executing PowerShell commands. This, even if Macros Disabled. Used the same technology as the author of the code On some websites To hide problematic commands: they are converted to base 64 and decoded in runtime.

Since the second file is not available, researchers do not know the exact purpose of the author. However, from the moment it is controlled to run PowerShell commands, it has the potential to take full control of the computer and attack other machines. Local network.

Folina is particularly problematic. By default, Word .docx files are opened in protected view. The code is only executed when the user clicks on “Enable Update”. However, if it is in .rtf format, this protection is not active. Also, in this case, you just need to select the code to execute it without opening it in File Explorer.

In April, Microsoft already rejected a report

The code works on all versions Microsoft Office At least since 2013, with all updates, including Office 2021. Indications are that the problem was reported earlier Microsoft In April the Shadow Chaser Group, a group of students pursuing differences. A man named John Microsoft Security Response Center (MSRC), satisfied that it was not A Security issue, The submitted sample does not work on his computer. Microsoft seems to have changed its mind since the company registered an error on May 30 under reference CVE-2022-30190.

Currently, there is no easy way to protect yourself from this attack. While waiting for an update, the most common solution is to edit the registry to prevent the diagnostic tool from launching in Word. To do this, we need to create value Enable diagnostics Inn HKLM \ Software \ Policies \ Microsoft \ Windows \ ScriptedDiagnostics Put 0.

But beware, this solution is reserved for advanced users. An error in updating the registry will cause the system to crash and prevent the computer from starting.