A zero-day vulnerability in Microsoft Office is being exploited in boobytrapped Word documents to remotely execute code on victims’ PCs.
The vulnerability, which is dubbed “Follina” and appears to exploit how Office products work with MSDT (Microsoft Diagnostics Tool), was initially brought to the public’s attention by Japanese security researchers on Twitter three days ago, and can be exploited even if macros are disabled in Microsoft Office.
It’s believed that the flaw was initially reported to Microsoft’s security response team on April 12 2022, after Word documents – which pretended to be from Russia’s Sputnik news agency offering recipients a radio interview – were found to abuse the flaw.
Nine days later, Microsoft appears to have decided that the flaw didn’t represent a security issue, and declared the issue closed.
Unfortunately, that seems to have been a poor decision by Microsoft’s security team.
Security researcher Kevin Beaumont reports that the vulnerability works on the latest versions of Microsoft Office, even when fully patched.
Worryingly, it has also been found that it’s possible to exploit the vulnerability even in “zero click” situations, requiring no user interaction other than previewing a boobytrapped file.
Okay, the preview pane one is pretty wild pic.twitter.com/RYtH9Bb4rm
— John Hammond (@_JohnHammond) May 30, 2022
The name “Follina” was chosen for the vulnerability by Beaumont after he spotted that a sample of a malicious document uploaded to VirusTotal contained the numerical string “0438” as part of its filename. 0438 is the telephone area code for the municipality of Follina, northwest of Venice, in Italy.
Proof, if you ever needed it, that it can be hard coming up with the name of a vulnerability.
Organisations may be able to defend themselves from attack, while they wait for an official patch from Microsoft, by tweaking their computers’ Registry keys to unregister the ms-msdt protocol. Although, who knows what else that will break.
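One way to apply that Registry workaround with a backup, so it can be undone if something does break. This is an added example, not code from the original post; it assumes the handler sits under HKEY_CLASSES_ROOT\ms-msdt (the standard location for URL protocol handlers), and the backup folder name is hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example: back up, then unregister, the ms-msdt URL protocol handler.

$Scheme    = 'ms-msdt'
$RegKey    = "HKEY_CLASSES_ROOT\$Scheme"     # assumption: standard URL protocol handler location
$Provider  = "Registry::$RegKey"             # same key through the PowerShell registry provider
$BackupDir = Join-Path $env:ProgramData 'ProtocolHandlerBackup'   # hypothetical backup folder
$Backup    = Join-Path $BackupDir "$Scheme-$env:COMPUTERNAME.reg"

# Nothing to do if the handler is already gone (e.g. the script was run before).
if (-not (Test-Path -LiteralPath $Provider)) {
    Write-Output "$Scheme is not registered on this machine; nothing to do."
    return
}

# Log the command the handler currently launches, for the change record.
$cmdKey  = "$Provider\shell\open\command"
$command = (Get-ItemProperty -LiteralPath $cmdKey -ErrorAction SilentlyContinue).'(default)'
Write-Output "Current $Scheme handler command: $command"

# Export the whole key first; refuse to delete anything without a backup on disk.
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
& reg.exe export $RegKey $Backup /y | Out-Null
if ($LASTEXITCODE -ne 0 -or -not (Test-Path -LiteralPath $Backup)) {
    throw "Backup of $RegKey failed; the key has NOT been deleted."
}

# Remove the handler, then verify the removal instead of trusting the exit code.
& reg.exe delete $RegKey /f | Out-Null
if (Test-Path -LiteralPath $Provider) {
    throw "$RegKey is still present after the delete attempt."
}

Write-Output "Unregistered $Scheme. To restore later: reg import `"$Backup`""
```

Once an official fix is installed, the handler can be put back by importing the saved .reg file from an elevated prompt.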
Anyway, it’s Memorial Day in the United States today. So I doubt many people are listening, let alone defending their computers from potential attack.
The good news is that, so far at least, exploitation of the flaw appears to be limited. Nonetheless, it would be good if Microsoft could fix this sooner rather than later.
For more information and possible mitigations, be sure to check out the blog posts by Kevin Beaumont and security firm Huntress.