Details: https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/05/microsoft-office-zero-day-follina-its-not-a-bug-its-a-feature-its-a-bug/

Microsoft states that the exploit is "a feature, not a bug" and that "they won't be patching it any time soon", this exploit could be triggered by the Windows file explorer preview feature, even when macro's are disabled. recommended defenses include disabling msdt as well as the preview feature and not downloading any suspicious office docs.

It's related to https://github.com/chvancooten/follina.py (shared by @tty) and tested it little bit.
Couples of times it opened the calculator app, sometimes it didn't (also my antivirus found it)
but perhaps with a little magic it can be made undetectable, also depends on the word version etc.

> Can't be bothered to fix a bug
"Tell em 0-click RCE is a feature, not a bug"

Defender updates are already out that trigger on this and a/v also has signatures catching it on the edges (ie: mail filters). They trigger on the underlying issues and not just current exploit. Although there's work happening on getting around this.

Personally, taking a look at the other troubleshooting packs available (rather than just PCWDiagnostic) offers some different avenues waiting to be discovered.
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/ee424379(v=ws.11)#available-troubleshooting-packs

@SpotnikSignal

---

It's related to https://github.com/chvancooten/follina.py (shared by @tty) and tested it little bit.
Couples of times it opened the calculator app, sometimes it didn't (also my antivirus found it)
but perhaps with a little magic it can be made undetectable, also depends on the word version etc.

Pretty much the same, except the bug has been around since the 21st of may, it only recently went mainstream (TV..etc). Posted it here for awareness 

@tty

---

> Can't be bothered to fix a bug

"Tell em 0-click RCE is a feature, not a bug"

Very sad how people are ignorant for their own good, such statements should be met with no less than public protests/boycotts

>Have to meet the backdoor quota.
>Tell them windows defender will most likely detect it, if we want it to.

@gentle

---

Defender updates are already out that trigger on this and a/v also has signatures catching it on the edges (ie: mail filters). They trigger on the underlying issues and not just current exploit. Although there's work happening on getting around this.

Personally, taking a look at the other troubleshooting packs available (rather than just PCWDiagnostic) offers some different avenues waiting to be discovered.
https://docs.microsoft.com/en-us/previou...ting-packs

Problem with that, assuming all the a/v's are able to detect it, is the amount of non-patched systems of gov, edu, mil, and even regular pirated versions of MSOffice are all being susceptible for devastating cyber attacks, nothing will change that until the release of full version update to control/limit MSDT access.

It's crazy what it can do....but the only thing is that you have to phish people.....like there is a human involvement..

thank you man

(June 3, 2022, 04:59 AM)karimadeyemi Wrote: It's crazy what it can do....but the only thing is that you have to phish people.....like there is a human involvement..

Most people are retarded and easy to phish, including people working in an SOC. Even highly motivated nerd weirdos who actually care for some reason about the company work for, can be victimized easily.
The only annoying part is the consumption of time, best to farm out to some paki slaves.

Implement protocol "It's not a bug, it's a feature".

that yes, is a delicious event ashuashuashau