Follina. Unpatched Microsoft Office zero-day vulnerability exploited in the wild

A zero-day vulnerability in Microsoft Office is being exploited in boobytrapped Word documents to remotely execute code on victims’ PCs.

The vulnerability, which is dubbed “Follina” and appears to exploit how Office products work with MSDT (Microsoft Diagnostics Tool), was initially brought to the public’s attention by Japanese security researchers on Twitter three days ago, and can be exploited even if macros are disabled in Microsoft Office.

It’s believed that the flaw was initially reported to Microsoft’s security response team on April 12 2022, after Word documents – which pretended to be from Russia’s Sputnik news agency offering recipients a radio interview – were found to abuse the flaw.

[Image: Sputnik doc]

Nine days later, Microsoft appears to have decided that the flaw didn’t represent a security issue, and declared the issue closed.

Unfortunately, that seems to have been a poor decision by Microsoft’s security team.

Security researcher Kevin Beaumont reports that the vulnerability works on the latest versions of Microsoft Office, even when fully patched.

Worryingly, it has also been found that it’s possible to exploit the vulnerability even in “zero click” situations, requiring no user interaction other than previewing a boobytrapped file.

The name “Follina” was chosen for the vulnerability by Beaumont after he spotted a sample of a malicious document uploaded to VirusTotal contained the numerical string “0438” as part of its filename. 0438 is the telephone area code for the municipality of Follina, northwest of Venice, in Italy.

Proof, if you ever needed it, that it can be hard coming up with the name of a vulnerability.

Organisations may be able to defend themselves from attack, while they wait for an official patch from Microsoft, by tweaking their computers’ Registry keys to unregister the ms-msdt protocol. Although, who knows what else that will break.
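Here is an added example of how that interim workaround can be applied and later undone (this is not code from the article, Microsoft, or the researchers it cites). It assumes the protocol handler lives at HKEY_CLASSES_ROOT\ms-msdt, the usual location for URL protocol handlers, and that it is run from an elevated PowerShell prompt.

```powershell
# Added example: back up and unregister the ms-msdt: protocol handler, then
# restore it once an official fix is available. Assumes the handler is registered
# under HKEY_CLASSES_ROOT\ms-msdt (assumption, not taken from the article).

$KeyPath   = 'Registry::HKEY_CLASSES_ROOT\ms-msdt'   # PowerShell provider path
$RegKey    = 'HKEY_CLASSES_ROOT\ms-msdt'             # same key in reg.exe syntax
$BackupDir = Join-Path $env:ProgramData 'msdt-workaround'
$Backup    = Join-Path $BackupDir 'ms-msdt.reg'

function Get-MsdtHandlerState {
    # Report whether the protocol is registered and which command it launches,
    # so the change can be verified before and after.
    if (-not (Test-Path $KeyPath)) {
        return [pscustomobject]@{ Registered = $false; Command = $null }
    }
    $cmdKey = "$KeyPath\shell\open\command"
    $cmd = if (Test-Path $cmdKey) { (Get-ItemProperty $cmdKey).'(default)' } else { $null }
    return [pscustomobject]@{ Registered = $true; Command = $cmd }
}

function Disable-MsdtProtocol {
    # Export the key first; refuse to delete anything if the backup fails,
    # since removing the handler may break legitimate troubleshooter links.
    if (-not (Test-Path $KeyPath)) { Write-Host 'ms-msdt is already unregistered.'; return }
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    reg.exe export $RegKey $Backup /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Backup failed; refusing to delete $RegKey" }
    reg.exe delete $RegKey /f | Out-Null
    if (Test-Path $KeyPath) { throw "Deletion of $RegKey did not take effect" }
    Write-Host "ms-msdt unregistered; backup saved to $Backup"
}

function Restore-MsdtProtocol {
    # Re-import the saved key when the workaround is no longer needed.
    if (-not (Test-Path $Backup)) { throw "No backup found at $Backup" }
    reg.exe import $Backup | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'Import of the ms-msdt backup failed' }
    Write-Host 'ms-msdt protocol handler restored.'
}

Get-MsdtHandlerState    # before: Registered = True, Command shows the msdt launcher
Disable-MsdtProtocol
Get-MsdtHandlerState    # after: Registered = False
```

Run Restore-MsdtProtocol after patching to put the handler back; Get-MsdtHandlerState doubles as a quick fleet check for whether the workaround is in place.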

Anyway, it’s Memorial Day in the United States today. So I doubt many people are listening, let alone defending their computers from potential attack.

The good news is that, so far at least, exploitation of the flaw appears to be limited. Nonetheless, it would be good if Microsoft could fix this sooner rather than later.

For more information and possible mitigations, be sure to check out the blog posts by Kevin Beaumont and security firm Huntress.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.