Return to list of client alerts
Researchers have discovered a vulnerability in Microsoft Office that is being called Follina. It uses the Microsoft diagnostic tools, MS-MSDT, to run a Powershell script. That Powershell script is used to download and execute arbitrary code.
Unfortunately, due to the way this works, the attack will be successful even if macros are disabled in Office.
This was discovered back in April and one researcher says that it is trivial to exploit.
Chinese-linked hackers are currently, actively, exploiting this flaw.
There are several ways to exploit this including the preview pane of Windows Explorer or by using hover over.
This attack even works with Office documents that are opened in read-only mode – where many functions are turned off.
The flaw is at least exploitable in Office 2013, 2016, 2019 and 2021. It works on Windows 7 or later and Windows Server 2008 or later.
The researcher says that it might not work in a beta version office, indicating that Microsoft may be working to fix it. Microsoft initially said it was not a security issue, but later closed the submission report with an impact of remote code execution, indicating they changed their mind.
One vulnerability analyst said that once you see it in the user interface, it is too late.
One bit of good news is that the attack runs at the same permission level as the user, a good reason to stop users from running as local or domain admins. Of course, you could combine it with a privilege escalation attack.
Microsoft is finally, at least, providing some guidance, including a Registry hack and a Microsoft Defender update ( 1.367.851.0) that will block some of the attack vectors, but typically, hackers read the Microsoft blogs too, and adapt.
Credit: Data Breach Today
Credit: The Register
Credit: Bleeping Computer
Credit: Tech Crunch
Credit: The Hacker News
Credit: Microsoft Research Center Blog