Last month, researchers publicly revealed a zero-day vulnerability, dubbed Follina (tracked as CVE-2022-30190), in the Microsoft Support Diagnostic Tool (MSDT). It can be triggered through malicious Microsoft Office documents to execute code on a victim’s system.
One researcher, Kevin Beaumont, explained, “The document uses the Word remote template feature to retrieve a HTML file from a remote webserver, which in turn uses the ms-msdt MSProtocol URI scheme to load some code and execute some PowerShell. That should not be possible.”
In other words, this vulnerability gives an attacker code execution on a target system with a single click, using nothing but tools that ship with Windows: the support diagnostic tool (msdt.exe, reached through the ms-msdt: URI scheme) and the PowerShell administration shell. No additional malware has to be dropped on disk to obtain that first foothold, which is exactly what makes the technique hard for signature-based defenses to catch.
It took nearly three weeks from public disclosure for Microsoft to patch the vulnerability, quietly, as part of the June 2022 Patch Tuesday updates.
Until then, the only vendor guidance was a registry workaround that disables the ms-msdt: protocol handler; otherwise, users were left for weeks without a fix for this zero-day vulnerability.
That is, unless you use the Falcon platform from Tigunia partner CrowdStrike.
CrowdStrike’s Rapid Response team was able to enhance existing coverage immediately through proactive threat hunting combined with malware and exploit research. Because detection content is delivered from the cloud, the Falcon platform pushes such updates to all customers in real time, with no sensor upgrade or update required.
The Falcon sensor has detection and prevention logic that addresses exploitation of this vulnerability. With “Suspicious Process Blocking” enabled, Falcon blocks code execution attempts spawned from msdt.exe. Even without “Suspicious Process Blocking” enabled, Falcon still generates a detection in the Falcon console. In practice, this means checking that the prevention policy applied to your Office endpoints actually has “Suspicious Process Blocking” turned on: in detect-only mode the tell-tale process chain (an Office application launching msdt.exe) is recorded and alerted on, but the payload still runs until someone acts on the alert.
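To make the process-chain logic described above concrete, here is an added example (not CrowdStrike’s or Microsoft’s code, and not from the original article) that scores process-creation records the way the text describes: a child msdt.exe under an Office application is treated as the Follina chain and given a “block” verdict, an ms-msdt: URI that carries inline PowerShell is blocked even under a non-Office parent, and any other use of the ms-msdt: protocol is surfaced for review. The Sysmon-style `ParentImage|Image|CommandLine` record format, the Office process list, and the five sample log lines are all constructed for this example; the command-line payload in the samples is deliberately elided.

```python
"""Process-chain detection for the Follina (ms-msdt) pattern.

Added example, not vendor code.  Record format, rule thresholds and the
sample log below are constructed for illustration.
"""
import ntpath
import re
from dataclasses import dataclass

# Office binaries that should never spawn the diagnostic tool (assumed set).
OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
MSDT = "msdt.exe"

# Markers of PowerShell smuggled into an ms-msdt: URI (case-insensitive).
INLINE_PS = re.compile(r"invoke-expression|\biex\b|powershell", re.IGNORECASE)


@dataclass(frozen=True)
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str

    @property
    def parent_name(self) -> str:
        return ntpath.basename(self.parent_image).lower()

    @property
    def name(self) -> str:
        return ntpath.basename(self.image).lower()


def parse_event(line: str) -> ProcessEvent:
    """Parse 'ParentImage=...|Image=...|CommandLine=...' (constructed format).

    Only the first two '|' separate fields, so a command line may contain '|'.
    """
    fields = {}
    for part in line.split("|", 2):
        key, _, value = part.partition("=")   # first '=' only; values may contain '='
        fields[key.strip()] = value.strip()
    return ProcessEvent(fields["ParentImage"], fields["Image"], fields["CommandLine"])


def classify(ev: ProcessEvent) -> tuple[str, str]:
    """Return (verdict, reason); verdict is 'block', 'detect' or 'ok'."""
    if ev.name != MSDT:
        return "ok", "not msdt.exe"
    cmd = ev.command_line.lower()
    uses_uri = "ms-msdt:" in cmd
    if ev.parent_name in OFFICE_IMAGES:
        # The chain the article describes: Office document -> msdt.exe.
        return "block", f"{ev.parent_name} spawned msdt.exe (Follina process chain)"
    if uses_uri and INLINE_PS.search(cmd):
        # Same payload shape arriving via another parent process.
        return "block", "ms-msdt: URI carries inline PowerShell"
    if uses_uri:
        return "detect", f"ms-msdt: URI launched by {ev.parent_name}; review"
    return "ok", "msdt.exe launched without the ms-msdt: protocol"


def hunt(lines: list[str]) -> list[tuple[int, str, str]]:
    """Classify each record; return (record_no, verdict, reason) for every non-'ok' hit."""
    hits = []
    for n, line in enumerate(lines, 1):
        verdict, reason = classify(parse_event(line))
        if verdict != "ok":
            hits.append((n, verdict, reason))
    return hits


# Constructed sample records (payload elided with '...').
SAMPLE_LOG = [
    # 1: Word -> msdt.exe with an ms-msdt: URI carrying PowerShell
    r"ParentImage=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
    r"|Image=C:\Windows\System32\msdt.exe"
    r'|CommandLine=msdt.exe ms-msdt:/id PCWDiagnostic /skip force /param "IT_BrowseForFile=$(Invoke-Expression(...))"',
    # 2: same URI from a non-Office parent; the command-line rule catches it
    r"ParentImage=C:\Windows\explorer.exe|Image=C:\Windows\System32\msdt.exe"
    r'|CommandLine=msdt.exe ms-msdt:/id PCWDiagnostic /skip force /param "IT_BrowseForFile=$(Invoke-Expression(...))"',
    # 3: benign troubleshooter launched from Control Panel
    r"ParentImage=C:\Windows\System32\control.exe|Image=C:\Windows\System32\msdt.exe"
    r"|CommandLine=msdt.exe /id NetworkDiagnosticsWeb",
    # 4: an ordinary Word child process
    r"ParentImage=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
    r"|Image=C:\Windows\splwow64.exe|CommandLine=C:\Windows\splwow64.exe 12288",
    # 5: ms-msdt: URI with no PowerShell markers; surfaced for analyst review
    r"ParentImage=C:\Windows\System32\svchost.exe|Image=C:\Windows\System32\msdt.exe"
    r"|CommandLine=msdt.exe ms-msdt:/id PCWDiagnostic",
]

if __name__ == "__main__":
    for n, verdict, reason in hunt(SAMPLE_LOG):
        print(f"record {n}: {verdict.upper():6} {reason}")
```

Running the block prints records 1 and 2 as BLOCK and record 5 as DETECT; records 3 and 4 are normal activity and stay quiet. The two-tier outcome mirrors the article’s point: the parent/child relationship alone is enough to stop the document-delivered chain, while the command-line rule is what gives you coverage when the same URI arrives some other way.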
Tigunia and its vendors are here to keep you protected, often before a vendor patch is available.
To learn more on how Tigunia can keep you and your organization safe, contact us today.