MS Word vulnerability could lead to stealing your bitcoins

[DdmrDdmr]

Is it a real risk, or an exaggeration?

It seems to me like a bit of both … The company Wallet Guard has issued a warning on a vulnerability they’ve detected in MS Word named "follina". Wallet Guard has classified the vulnerability as critical (0-day vulnerability), although Microsoft seems to downplay the scale, and does not award it the same classification by their standards.

The exploit seems to allow a hacker to take full control of your windows environment, simply by downloading a malicious .doc, .docx or .rtf file onto your environment. You don’t even need to open the document itself for the exploit to be set in motion. Apparently, a said malicious document can exploit MS Word template features, and execute external html or java code.

But the added danger seems to reside in yet another vulnerability tied to MSDT (Microsoft Support Diagnostic Tool), which theoretically allows MS to gain remote control of your environment to perform support (something we shouldn’t even want in our system per se).
MSDT requires that you enter a password to grant remote access, but apparently, a vulnerability can be exploited to bypass the password requirement, thus allowing a hacker to access your system.

This is, according to Microsoft, the way you can disable MSDT URL protocol:

1.   Run Command Prompt as Administrator.
2.   To back up the registry key, execute the command “reg export HKEY_CLASSES_ROOT\ms-msdt filename“
3.   Execute the command “reg delete HKEY_CLASSES_ROOT\ms-msdt /f”.

The above caught my attention whilst reading an article on the Spanish Media, that literally stated that a Microsoft vulnerability could allow your bitcoins to be stolen. The possibility of course stands, if someone gains remote control to your environment, and you’ve got critical information lying around in files (i.e. seeds), although this is not something that specifically targets crypto, but that opens a potential door to multiple forms of wrongdoing.

On the other hand, there don’t seem to be any reports of this exploit been used by hackers to date, either because the case is too fresh, or not that easy to become acquainted with and exploit.

All in all, just in case, I’ve disabled the MSDT URL protocol…

See:
https://twitter.com/wallet_guard/status/1531848479911432192
https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/

[1714281871]

1714281871

[NeuroticFish]

I don't know if only LibreOffice does this or Word too, but I've seen somewhere macros being blocked because the file came from the internet.
If Word does that nowadays, then the risk is not so big.
I don't know whether Windows Defender also "takes a look" there.

So unless the user disables the security nets, there's a chance he may be safe. But somebody using Office more than I do should confirm whether it's the case.


However, disabling that backdoor is a very good catch, no matter whether the MS Office vulnerability is big or small.

[Maus0728]

Question!

Should I disable it even though I do not have any Microsoft office/products installed? Also, on my desktop which was primarily used for academic purposes, I have tons of word documents created in MS word, am I already compromised?

Thanks for sharing by the way!

[Rizzrack]

I don't know if only LibreOffice does this or Word too, but I've seen somewhere macros being blocked because the file came from the internet.
If Word does that nowadays, then the risk is not so big.

It has nothing to do with macros unfortunately. They run commands using an instance of MSDT and instead of Troubleshooting they are Troublecreating...
Network Chuck explained some things about this vulnerability if you wanna check it out: https://www.youtube.com/watch?v=3ytqP1QvhUc&t=116s

This is, according to Microsoft, the way you can disable MSDT URL protocol:

1.   Run Command Prompt as Administrator.
2.   To back up the registry key, execute the command “reg export HKEY_CLASSES_ROOT\ms-msdt filename“
3.   Execute the command “reg delete HKEY_CLASSES_ROOT\ms-msdt /f”.

Thanks for the info !

Question!

Should I disable it even though I do not have any Microsoft office/products installed? Also, on my desktop which was primarily used for academic purposes, I have tons of word documents created in MS word, am I already compromised?

Thanks for sharing by the way!

This does not mean everyone who has office installed can be hacked in 2 seconds, luckily. You would need to download an infected .doc file and open it. Then you're screwed !
Try the registry fix mentioned by Ddmr² and as always... don't download random stuff from random sites or unknown emails !

[DdmrDdmr]

<…>

Even if you don’t currently use MS Office products, I’d disable the MSDT URL protocol to disable that vulnerable backdoor on your system, as mentioned by others. The MS article in the OP indicates how to re-enable it if necessary for whatever reason.
I expect the MS blog entry to be updated on behalf on Microsoft with any novelties related to this exploit, so it may be worth checking it every now and then.

There’s an example video here of the first part of the combined set of vulnerabilities, showing how downloading a word file can lead to the file launching "whatever" without even opening the file. The trick though may be that it requires the file to be at least previewed to some degree on the file explorer, but simply browsing a directory with preview set can lead to that.

See:
https://www.bleepingcomputer.com/news/microsoft/microsoft-shares-mitigation-for-office-zero-day-exploited-in-attacks/
https://twitter.com/wdormann/status/1531259406624620544 (quite a bit of additional info on this Twitter thread).


Note: This twitter thread is also interesting to read through, as a complementary read to create awareness. It’s a couple of months old, and bears a different set of attack vectors, but also pivots around exploiting Word (albeit in a different way):
https://twitter.com/wallet_guard/status/1509196531202932736

[hugeblack]

The exploit seems to allow a hacker to take full control of your windows environment, simply by downloading a malicious .doc, .docx or .rtf file onto your environment. You don’t even need to open the document itself for the exploit to be set in motion.

Does this include all file extensions that are opened by Microsoft Office applications or just the extensions above?
Many people think that if the malicious program does not reach the permissions of the core (you install the program), the possibility of being hacked is low.

In general, even if the news above is true, the hacker needs to know the password, which is an additional task, so I do not expect it to be used randomly.

Any way, you should store your coins in cold storage.

[NeuroticFish]

You don’t even need to open the document itself for the exploit to be set in motion.

This would be quite difficult. And from what I've seen in the YouTube video from @Rizzrack you do have to open it. (Thanks man, it's a very good video.)

Does this include all file extensions that are opened by Microsoft Office applications or just the extensions above?

This is a very good question.
Modern Word documents are zip files. But same goes, for example, to Excel files too. The malicious file is a cleverly altered Word document, but I don't see why the same thing would not work with any (zip) Office file.

But, as you can see at 7:39 there ( https://youtu.be/3ytqP1QvhUc?t=459 ), the hearth of everything is

Code:

<script>location.href = msdt:

where the hacker gives all sort of parameters to msdt exe, which runs them all without questioning (including, sooner or later, cab file/installer, they say).



For now I've removed that entry from my registry, but I fear that this is such a wide opportunity they'll very fast find other "servicing" programs they can run in a similar way.

[Smartvirus]

Is this doc, .docx or .rtf file supposedly the name of the document file in question? If not, any means by which we could identify such file or document?
Agina, having a system safety system up might be another to tackle the downloading and installation of applications from unknown source on your system.

It is preeminent that, users be careful of what app or file you click and download while browsing the Web. Not all assisted functions and updates on a site is needed. You never can possibly tell of an impending danger at all times and as such, its better you avoid what you don't tend to comprehend.

This further raises the alarm on why you shouldn't save your keys on electronic devices and even on Google clouds as, the chances of some malicious third party network coming up and provide some vulnerability to the system is always possible.

[DdmrDdmr]

Does this include all file extensions that are opened by Microsoft Office applications or just the extensions above?

Those are the ones I’ve seen explicitly referenced so far.

In general, even if the news above is true, the hacker needs to know the password, which is an additional task, so I do not expect it to be used randomly.

It seems that the password requirement for the MSDT can be bypassed by exploiting a given vulnerability.

<…>

The video brilliantly displays a case use created by @John to demonstrate how the exploit can be taken advantage of. He does open the word document in the video, but this tweet claims that it can be activated in preview mode on a file explorer, which is a soft open in a sense.

<…>

The issue is not really down to one file name, but rather more to the whole set of possibilities it opens.
We need to stay tuned to see what solutions are set in place, likely leading to some security upgrade on MS’s behalf.

[Lucius]

As stated in the OP, this vulnerability is not just about stealing Bitcoin but about any digital information you store on your computer - and it is known that private keys and seed should not be stored on a computer, especially not in unprotected form as plain text. At risk here are those who do not have high security standards and are negligent in most things they do - but since it is very easy to disable this attack, I see no reason why we should not prevent something bad from happening.

For those who have Windows in their local language and have never used Command Prompt, I suggest typing CMD into a Windows search engine, or translating Command Prompt into your local language before searching. Of course, copy the commands without quotes, and you can paste them by pressing CTRL + V.

[dkbit98]

Is it a real risk, or an exaggeration?

Using any microsoft programs like wiNd0ws os and ms office package with words is always a risk and they are known to be full of bugs, and most exploits work only in wiNd0ws.
Instead of doing various gymnastics to protect from next dangerous win exploit, it's much better to switch to Linux operating system and some alternative to ms words.
Most people are using Libre Office as open source alternative but if you want better compatibility with ms formats than I would suggest that you try OnlyOffice that is also free, and it works in all operating systems.

[ABCbits]

Is it a real risk, or an exaggeration?

It affect Windows 7-11 and Windows Server 2008-2022 with severity score 9.3[1], i'd say it's real risk. There are already reports hackers exploit that vulnerability[2-3], although i don't know whether it's true or propaganda.

[1] https://www.cvedetails.com/cve-details.php?t=1&cve_id=CVE-2022-30190
[2] https://www.securityweek.com/chinese-threat-actors-exploiting-follina-vulnerability
[3] https://techcrunch.com/2022/06/01/china-backed-hackers-are-exploiting-unpatched-microsoft-zero-day

[aysg76]

Question!

Should I disable it even though I do not have any Microsoft office/products installed? Also, on my desktop which was primarily used for academic purposes, I have tons of word documents created in MS word, am I already compromised?

Thanks for sharing by the way!

Not really if you haven't downloaded any of the malicious file from internet that could give them access to your files but for safety reasons if you have sensative information on those documents then uninstall it as the hackers are bypassing the security protocols through this vulnerability and have full access of your system environment which could be risky.

For this reason, the recommendations it offers are radical and begin with “discontinue use of Microsoft Word” until this vulnerability is removed. They also recommend not opening files with the extensions mentioned and preferring to use PDF or work with Google Docs.

As stated in the OP, this vulnerability is not just about stealing Bitcoin but about any digital information you store on your computer - and it is known that private keys and seed should not be stored on a computer, especially not in unprotected form as plain text. At risk here are those who do not have high security standards and are negligent in most things they do - but since it is very easy to disable this attack, I see no reason why we should not prevent something bad from happening.

Which is why it's said to backup them on offline storage like metal plates and steel washers are the best option as if anything is comprised your wallets seeds are not hacked and your funds are safe on non-custodial or hardware wallets but you must be extra cautious with them also as there have been security breaches and phising attempts in them also.

Those are the ones I’ve seen explicitly referenced so far.

Yeah according to the article thes file extensions are exploiting at the time with this vulnerability but without opening the document also is much risky as you could download these malicious files by mistake but keep an eye before clicking on any link or downloading the files on system.

It seems that the password requirement for the MSDT can be bypassed by exploiting a given vulnerability.

They already have buffer in order to have the remote access of any system to make changes of which the hackers are taking advantage and without any password they are having the access of the system.These are the things they need to have look upon and need to have some security breaches be possible with having one access control point with them always.

[Queentoshi]

The above caught my attention whilst reading an article on the Spanish Media, that literally stated that a Microsoft vulnerability could allow your bitcoins to be stolen.

Anything that poses a real threat to my bitcoin is not exaggerated to me and should not be taking lightly. Thank you so much for sharing this. Regardless of the fact that I don't have any crypto related documents on my computer, I will still go ahead to disable the MSDT URL protocol, because I may decide to start using it for crypto related activities in the future and may forget about this vulnerability, so I better do it now.

On the other hand, there don’t seem to be any reports of this exploit been used by hackers to date, either because the case is too fresh, or not that easy to become acquainted with and exploit.

This is fresh, but as you came across the article, so did others who may develop and seek to exploit others through this.

[Dunamisx]

The exploit seems to allow a hacker to take full control of your windows environment, simply by downloading a malicious .doc, .docx or .rtf file onto your environment

Downloading malware attack has been one of the unavoidable route of entry by the hackers to launch their attacks on users, we have many reasons that could prompt us on making download while surfing online but the security consciousness of our asset from the device used and the apps should be our major concern, how do we now get safe in doing this? in the link provided below, one must learn how to protect yourself against malware attack because most causes can be traced to our own personal lapses in the areas of what we do online in which could turn to be a surprise attack beyond our expectations.

[cryptoaddictchie]

This isnt good news. Thanks OP for relaying it here, Im sure its not gonna be easy for hackers and I supposed Microsoft have gotten the news and render any possible statement. Too bad the owner seems to not care on cryptocurrency stance.

Has anyone already been victim of the said issue? Been trying to check on social if there are already been compromise or stolen bitcoin or crypto for this case.

Needed to know what to do for my security.

[Pmalek]

This does not mean everyone who has office installed can be hacked in 2 seconds, luckily. You would need to download an infected .doc file and open it. Then you're screwed!

You don't necessarily have to open it. Previewing it is enough to run the script according to the twitter posts DdmrDdmr shared.
The same recommendations that have been repeated many times still apply in this case:

• Don't download unknown files from the internet.
• Don't even download files from friends and family without checking with them what it is that they are sending.
• Even if you know what it is, if it isn't essential to your work and life - you don't need it.
• Don't save your private information in digital formats on your computer or online accounts. That includes seeds and private keys.
• Keep your crypto away from your every-day computer. Keep your work away from your crypto and your every-day computer.
• If one of your computers gets infected, not everything you have and do will be considered to be compromised.

[LoyceV]

You don’t even need to open the document itself for the exploit to be set in motion. Apparently, a said malicious document can exploit MS Word template features, and execute external html or java code.

Lol, say what? A random file can get full access and all it has to do is being copied? How are people still using software from this very large corporation?
Who are those brave people using Bitcoin wallets on Windows? I don't even dare to enter my email password on it.

Keep your crypto away from your every-day computer. Keep your work away from your crypto and your every-day computer.

This is probably the best solution. If you really insist on using Windows, don't use it for crypto. Or banking. Or email. Or work. Eventually, you'll notice you don't use it at all anymore

To quote myself:

How to prevent this
1. Don't use Windows, but we both know you're not going to change that.

[Pmalek]

How to prevent this
1. Don't use Windows, but we both know you're not going to change that.

Like many others, I have to admit that I am guilty of that myself. Windows is all I have ever used since I was a child and I have gotten used to it so much. The thing is, if I had negative experiences, hacks, and stuff like that, I wouldn't hesitate to try something else. But I haven't. I am generally quite cautious and I use different devices for different things. Even stuff like USB devices don't get shared among my laptops. I treat almost all emails as spam and fraudulent and have no need to experiment with unknown software or even mobile apps.

Maybe when things calm down on a personal level I can take the time to start researching Linux and setting it up on one of my computers. I don't consider it a priority at the moment.   

[aysg76]

Like many others, I have to admit that I am guilty of that myself. Windows is all I have ever used since I was a child and I have gotten used to it so much. The thing is, if I had negative experiences, hacks, and stuff like that, I wouldn't hesitate to try something else. But I haven't. I am generally quite cautious and I use different devices for different things. Even stuff like USB devices don't get shared among my laptops. I treat almost all emails as spam and fraudulent and have no need to experiment with unknown software or even mobile apps.

Maybe when things calm down on a personal level I can take the time to start researching Linux and setting it up on one of my computers. I don't consider it a priority at the moment.   

Using Windows is not risky if you are taking all the precautionary steps like in your case but most of the people around globe use Windows only and if you check out the reports you will find most hacks and scams are done to window users only as it's not as good as Linux when it comes to security perspective.In your case the thing is different like you are not sharing any of the device plug ins and not having cryptos on your computer but for many they are storing funds on Metamask and download malicious files and click on links that made these hacks possible because they were ignorant enough to get their funds compromised.

So you can keep using the same if you are having this  much knowledge about the security and always keep your funds away from your system which is best possible option.