As we conclude the month of May, we have another zero-day vulnerability to report. This vulnerability is a zero-click remote code execution vulnerability utilizing Microsoft Diagnostic Tool and the Microsoft Office Utilities. The vulnerability is primarily exploited by Microsoft Word documents, but can be accessed by any of the Office applications. Email-based delivery will be the main attack vector used by malicious actors to deliver this cruel code execution to their victims.
It is important to mention that this was originally posted by @nao_sec on Twitter. Our partners, Huntress, have verified and replicated this exploit, which is detailed in their technical blog post.
To summarize the vulnerability, in Microsoft Word, you are asked to select "Enable Content" or "Enable Saving" when you open the document. By selecting these options, the malicious process can be spawned. Huntress has discovered that this code can be executed upon simply opening the file without any other actions, which makes this Zero-Click that much worse. Microsoft does not yet have any mitigations that have been fully tested or verified, and there is no patch available at the time of writing this (May 31, 2022 @ 11:00AM).
We strongly advise all our clients and readers to be vigilant and not open any Word documents you receive via email (or any other source) without verifying the sender first. Please ensure that even if the person is legitimate, the document you receive is an expected attachment until we have a patch in place. We appreciate your cooperation and understanding.