A zero-day vulnerability in Microsoft Office has been discovered, allowing attackers to execute malware using a specially constructed Word file.
The security flaw, known as Follina, may affect users when they open a malicious Word document on their computer.
It allows attackers to use the Microsoft Diagnostic Tool (MSDT) to run PowerShell operations. Experts say the Follina zero-day vulnerability affects Office 2013 and subsequent editions. Microsoft has yet to provide a remedy.
Last week, the Follina vulnerability affecting Microsoft Office was officially publicized on Twitter by nao_sec, a Tokyo-based cybersecurity research firm.
According to the researchers’ explanation, the flaw allows Microsoft Word to run malicious code through MSDT even when macros are disabled.
Macros are a set of commands and instructions that users may use to automate an operation in Microsoft Office.
The new vulnerability, however, lets attackers achieve comparable automation without the use of macros.
“The document utilizes the Word remote template functionality to obtain an HTML file from a remote Web server, which then uses the ms-msdt MSProtocol URI scheme to load some code and run some PowerShell,” says researcher Kevin Beaumont, who looked into the problem reported by nao_sec. “That shouldn’t be feasible,” he adds.
Because the detected sample refers to 0438, which is the area code of Follina, Italy, Beaumont has called the vulnerability “Follina.”
Some attackers are thought to have exploited the vulnerability in the wild.
According to Beaumont, a file exploiting the flaw was sent to a Russian user over a month ago.
Because of the flaw, Microsoft Office versions such as Office 2013 and Office 2021 are susceptible to attack. According to the researchers, specific versions of Office supplied with a Microsoft 365 license might be targeted by attackers on both Windows 10 and Windows 11.
According to a security researcher on Twitter, Microsoft was notified about the vulnerability in April but did not consider it a security risk.
Microsoft finally acknowledged the vulnerability on Monday. CVE-2022-30190 is the number assigned to it.
The Redmond company also offered various workarounds in a post on the Microsoft Security Response Center blog, including disabling the MSDT URL protocol and turning on the cloud-delivered protection and automatic sample submission options in Microsoft Defender.
However, Microsoft has not yet specified a precise date for when the update will be available to Office customers.
Meanwhile, if you have a Windows PC with an affected Office version, you can stay safe by not opening any suspicious Microsoft Word documents.