Follina - a new vulnerability in Microsoft Office

A new, unusual vulnerability appeared earlier this week. Until now, in the majority of cases, keeping macros disabled was enough to deal with infected Microsoft Office files. That is not the case with the Follina vulnerability, which works completely differently: you only need to open a text document to run a dangerous script. Since no patch is available for it yet, here is everything you need to know to take some protective measures.

Follina is a newly found vulnerability that was initially identified as a zero-day in Microsoft Office, but it then turned out that it also affects MSDT (Microsoft Support Diagnostic Tool). In fact, it is an RCE (remote code execution) vulnerability. It was reported on May 27, 2022. The name Follina derives from the fact that the last part of the numeric sequence in the infected Word file's name (05-2022-0438.doc) happens to be the code for Follina, a municipality in northern Italy.

Microsoft is said to have been aware of the vulnerability since early spring, but it initially classified it as “not a security related issue”.

The vulnerability is being exploited in the wild via infected Word files. Unlike other document-based exploits, this attack does not involve macros, and the malicious code also works when macros are disabled. The bad news is that no patch is available yet to fix this flaw; it is still under development.

An attacker can exploit this vulnerability to take control of an affected system. The likely scenario is that a malicious Office file is delivered to the victim by some means. Once it is opened, it allows the hacker to install programs, view and change data, or even create new accounts without the user’s permission. Unfortunately, none of this requires macros to be enabled.

During the attack, the hacker gains the privileges of MSDT. MSDT is an application for collecting diagnostic information and reporting emerging problems to Microsoft. The malicious file retrieves an HTML file, which in turn invokes the ms-msdt protocol handler. This is how MSDT is launched, and it may then execute arbitrary code in PowerShell.
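The chain just described (Word file, then HTML, then the ms-msdt protocol, then MSDT running PowerShell) leaves a recognisable trail in process-creation telemetry. The following script is an added example, not code from this article or from Axence; it assumes Sysmon-style records with Image, ParentImage and CommandLine fields, and the sample events are constructed, not captured from a real incident.

```python
"""Flag the Follina chain (Office -> ms-msdt: -> msdt.exe) in process telemetry.
Added example, not from the article: it scans Sysmon-style process-creation
records with Image, ParentImage and CommandLine fields."""
import json

# Office hosts that have no business launching the diagnostic tool.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}


def _basename(path):
    """Lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def is_follina_chain(event):
    """True if the record shows either Follina indicator."""
    image = _basename(event.get("Image", ""))
    parent = _basename(event.get("ParentImage", ""))
    cmdline = event.get("CommandLine", "").lower()
    # Indicator 1: an Office application spawning msdt.exe directly.
    if image == "msdt.exe" and parent in OFFICE_PARENTS:
        return True
    # Indicator 2: the ms-msdt: URL protocol in any command line, which is
    # how the retrieved HTML hands control to MSDT even with macros off.
    return "ms-msdt:" in cmdline


def scan(jsonl):
    """Parse one JSON record per line; return the RecordIds that match."""
    hits = []
    for line in jsonl.splitlines():
        if line.strip():
            event = json.loads(line)
            if is_follina_chain(event):
                hits.append(event["RecordId"])
    return hits


# Constructed sample telemetry, not captured from a real incident.
SAMPLE_LOG = r"""
{"RecordId": "1", "Image": "C:\\Windows\\System32\\msdt.exe", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "CommandLine": "\"C:\\Windows\\System32\\msdt.exe\" ms-msdt:/id EXAMPLE-PACK"}
{"RecordId": "2", "Image": "C:\\Windows\\System32\\msdt.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "\"C:\\Windows\\System32\\msdt.exe\" -path C:\\Windows\\diagnostics\\index\\NetworkDiagnosticsWeb.xml"}
{"RecordId": "3", "Image": "C:\\Windows\\splwow64.exe", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "CommandLine": "C:\\Windows\\splwow64.exe 12288"}
"""

if __name__ == "__main__":
    print("Flagged records:", scan(SAMPLE_LOG))  # Flagged records: ['1']
```

Record 2 (MSDT started from Explorer for a legitimate troubleshooter) and record 3 (Word spawning the print spooler helper) are left alone, so the two indicators do not fire on ordinary Office or MSDT use.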

Obviously, the best protection would be an update, but none has been released yet. As a temporary remedy, Microsoft has published workaround guidance for Follina. In the next article, we will show you how to protect your organization against this vulnerability with Axence nVision. Stay tuned!
