A new vulnerability in Microsoft Office has made headlines, but Avanan/Check Point customers are protected.
The vulnerability, dubbed "Follina", sees a Word doc using a remote template feature to retrieve an HTML file from a remote server and by using an ms-msdt MSProtocol URI scheme can execute a PowerShell.
This Remote Code Execution (RCE) could allow an attacker to remotely execute malicious code on a device. This can range from malware execution to someone gaining full control over a compromised machine.
Already, this vulnerability has been exploited by state actors.
Avanan/Check Point customers are protected
Using Threat Extraction, which delivers clean, threat-free files to users in real-time, any affected files--whether by Follina or something else--are sanitized on the fly. The original files are sent to the Threat Emulation sandbox and can be later retrieved by the user if they aren't malicious. On June 1st Check Point released New IPS Protections: Protection ‘Microsoft Support Diagnostic Tool Remote Code Execution (CVE-2022-30190)’ covers the vulnerability known as ‘Follina’.
Microsoft has released protection guidance and assigned CVE-2022-30190 to this vulnerability.
So if a customer is attacked with the Follina vulnerability, Threat Extraction would sanitize the affected file, and deliver a clean version to the user. The user would never see the Follina-affected file and thus is safe.
This video goes into more detail about how the process works:
And here's a bit more on Threat Extraction.
