Follina. Unpatched Microsoft Office zero-day vulnerability exploited in the wild • Graham Cluley

A zero-day vulnerability in Microsoft Office is being exploited in booby-trapped Word documents to remotely execute code on victims’ PCs.

The vulnerability, dubbed “Follina,” which appears to exploit how Office products work with MSDT (Microsoft Diagnostics Tool), was initially brought to the public’s attention by Japanese security researchers on Twitter three days ago, and can be exploited even if macros are disabled in Microsoft Office.

It is believed that the flaw was initially reported to Microsoft’s security response team on April 12, 2022, after Word documents that pretended to be from Russia’s Sputnik news agency, offering recipients a radio interview, were found to abuse the flaw.

Nine days later, Microsoft appears to have decided that the flaw did not represent a security issue, and declared the issue closed.

Unfortunately, that seems to have been a poor decision by Microsoft’s security team.

Security researcher Kevin Beaumont reports that the vulnerability works on the latest versions of Microsoft Office, even when fully patched.


Worryingly, it has also been found that it is possible to exploit the vulnerability even in “zero click” situations, requiring no user interaction other than previewing a booby-trapped file.

The name “Follina” was chosen for the vulnerability by Beaumont after he spotted that a sample of a malicious document uploaded to VirusTotal contained the numerical string “0438” as part of its filename. 0438 is the telephone area code for the municipality of Follina, northwest of Venice, in Italy.

Proof, if you ever needed it, that it can be hard coming up with the name of a vulnerability.

Organizations may be able to defend themselves from attack, while they wait for an official patch from Microsoft, by tweaking their computers’ Registry keys to unregister the ms-msdt protocol. Although, who knows what else that will break.
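The interim mitigation described above, written out as an added example (this is not code from the article or from Microsoft): it backs up and then deletes the registry key that the ms-msdt: URI scheme resolves through, and keeps a restore function so the change can be reverted once a patch is available. It assumes the handler is registered at HKEY_CLASSES_ROOT\ms-msdt and that the script runs from an elevated PowerShell prompt.

```powershell
# Added example: unregister / re-register the ms-msdt: protocol handler.
# Assumption: the handler lives at HKEY_CLASSES_ROOT\ms-msdt.
# Run from an elevated (administrator) PowerShell session.

$KeyPath    = 'HKCR:\ms-msdt'
$RegKey     = 'HKEY_CLASSES_ROOT\ms-msdt'
$BackupFile = Join-Path $env:ProgramData 'ms-msdt-backup.reg'

# PowerShell has no HKCR: drive by default; map one so Test-Path can see the key.
if (-not (Get-PSDrive -Name HKCR -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
}

# Returns $true while something is still registered to handle ms-msdt: links.
function Test-MsdtHandler {
    Test-Path $KeyPath
}

function Disable-MsdtHandler {
    if (-not (Test-MsdtHandler)) {
        Write-Host 'ms-msdt handler is not registered; nothing to do.'
        return
    }
    # Export the key first so the change is reversible; refuse to delete if that fails.
    reg.exe export $RegKey $BackupFile /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Backup to $BackupFile failed; not deleting $RegKey." }
    reg.exe delete $RegKey /f | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Deleting $RegKey failed." }
    Write-Host "ms-msdt handler removed; backup saved to $BackupFile"
}

function Restore-MsdtHandler {
    if (-not (Test-Path $BackupFile)) { throw "No backup found at $BackupFile" }
    reg.exe import $BackupFile | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Importing $BackupFile failed." }
    Write-Host 'ms-msdt handler restored from backup.'
}

# Usage: apply the mitigation, then confirm nothing resolves ms-msdt: any more.
Disable-MsdtHandler
Write-Host "Handler still registered: $(Test-MsdtHandler)"
# Later, after patching: Restore-MsdtHandler
```

The known side effect is that Windows troubleshooters launched through ms-msdt: links stop working until the key is restored, which is why the script keeps the .reg backup.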

Anyway, it’s Memorial Day in the United States today. So I doubt many people are listening, let alone defending their computers from potential attack.

The good news is that, so far at least, exploitation of the flaw appears to be limited. Nonetheless, it would be good if Microsoft could fix this sooner rather than later.

For more information and possible mitigations, be sure to check out the blog posts by Kevin Beaumont and security firm Huntress.



Graham Cluley is a veteran of the anti-virus industry, having worked for a number of security companies since the early 1990s, when he wrote the first ever version of Dr Solomon’s Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley or drop him an email.


