Microsoft Quietly Patches ‘Follina’ Zero-Day Vulnerability – PCMag

UPDATE: 6/15: Microsoft released its latest round of security patches (Patch Tuesday) this week, and with it quietly fixed CVE-2022-30190, better known as Follina.

I say quietly because, as security vendor Sophos points out, Microsoft didn’t bother to list the fix in its patch notes. However, the Microsoft MSRC page for the vulnerability does confirm an update was added on June 14.

That’s very good news, especially considering Follina was already being exploited in the wild by China-backed hackers.


Original Story 5/30:
Researchers have publicly revealed a zero-day vulnerability in Microsoft Office that can be exploited using malicious Word documents to enable code execution on a victim’s system.

The vulnerability was initially disclosed by @nao_sec via Twitter on May 27.

“The document uses the Word remote template feature to retrieve an HTML file from a remote webserver, which in turn uses the ms-msdt MSProtocol URI scheme to load some code and execute some PowerShell,” researcher Kevin Beaumont explains. “That should not be possible.”

Beaumont reports that attackers can exploit this vulnerability, which he’s dubbed “Follina,” even if Office macros are disabled: no VBA is involved, so macro settings never come into play. Word only has to fetch the remote template and hand the resulting ms-msdt URI to the protocol handler. Office 2013, 2016, 2019, 2021, and some versions of Office included with a Microsoft 365 license are subject to this vulnerability on both Windows 10 and Windows 11.

Huntress Labs CEO Kyle Hanslovan has shared a proof of concept using a Rich Text File to exploit this vulnerability from the preview pane in Windows 11’s File Explorer.

All of which means this vulnerability provides a way to execute code on a target system with a single click or, as Hanslovan demonstrates, with no click at all when the malicious file is merely previewed. Nothing new has to be dropped on disk: the chain rides on components already present on every Windows install, the Microsoft Support Diagnostic Tool protocol handler (ms-msdt) and PowerShell.
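The chain Beaumont describes, a document that fetches remote HTML which then hands a URI to the ms-msdt handler, leaves two artifacts a defender can check for before anything executes. The scanner below is an added example written for this page, not code from PCMag, Beaumont or Huntress. It opens a .docx package and flags relationships that are marked External, point at http(s), and are of a type Word resolves on its own when the file is opened (attachedTemplate is the OOXML form of the remote-template feature; also treating oleObject, frame and subDocument as suspicious is this example’s assumption, since the article only says “remote template”), and it checks a fetched HTML blob for the ms-msdt: scheme. The fixture documents, hostnames and HTML are constructed inline and are not real samples.

```python
"""Triage helper for documents that pull remote content and for HTML that
invokes the ms-msdt: handler. Added example; not the article's or any vendor's code."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"

# Relationship types Word resolves automatically on open or preview.
# 'hyperlink' is deliberately absent: it only fires when the user clicks.
# (Assumption for this example; the article names only "remote template".)
AUTO_FETCH_REL_TYPES = ("attachedTemplate", "oleObject", "frame", "subDocument")

MSDT_RE = re.compile(r"ms-msdt:", re.IGNORECASE)


def external_network_relationships(docx_bytes):
    """Return [(rels_part, rel_type, target)] for every relationship in the
    package that is TargetMode="External", points at http(s) and is of a
    type Word fetches without user interaction."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as pkg:
        for part in pkg.namelist():
            if not part.endswith(".rels"):
                continue
            root = ET.fromstring(pkg.read(part))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                if rel.get("TargetMode") != "External":
                    continue
                target = rel.get("Target", "")
                if not target.lower().startswith(("http://", "https://")):
                    continue
                rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                if rel_type in AUTO_FETCH_REL_TYPES:
                    hits.append((part, rel_type, target))
    return hits


def html_invokes_msdt(text):
    """True if an HTML/JS blob (e.g. the fetched template) references the
    ms-msdt: protocol handler anywhere."""
    return MSDT_RE.search(text) is not None


def build_docx(rels_part, rel_type, target, mode="External"):
    """Constructed fixture: a minimal .docx whose only interesting content is
    a single relationship. Not a real document."""
    rels = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<Relationships xmlns="{RELS_NS}">'
        f'<Relationship Id="rId1" Type="{OFFICE_REL}{rel_type}" '
        f'Target="{target}" TargetMode="{mode}"/>'
        '</Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("word/document.xml", "<document/>")  # placeholder body
        pkg.writestr(rels_part, rels)
    return buf.getvalue()


# Constructed inputs: placeholder hostnames, not real infrastructure.
SUSPICIOUS_DOCX = build_docx("word/_rels/settings.xml.rels", "attachedTemplate",
                             "http://template.example/t.html")
BENIGN_DOCX = build_docx("word/_rels/document.xml.rels", "hyperlink",
                         "https://www.example.com/")
FETCHED_HTML = '<script>location.href = "ms-msdt:?placeholder";</script>'


def triage(docx_bytes, fetched_html=None):
    """One verdict combining both checks. The HTML check only matters if the
    document actually reaches out for remote content."""
    if not external_network_relationships(docx_bytes):
        return "clean"
    if fetched_html is not None and html_invokes_msdt(fetched_html):
        return "remote-content+ms-msdt"
    return "remote-content"


if __name__ == "__main__":
    for label, doc in (("suspicious", SUSPICIOUS_DOCX), ("benign", BENIGN_DOCX)):
        print(label, triage(doc, FETCHED_HTML), external_network_relationships(doc))
```

Run stand-alone it prints a verdict for the constructed suspicious and benign packages. Two caveats: a hyperlink relationship is External too, which is why the scanner filters on relationship type rather than on TargetMode alone; and the RTF file Hanslovan uses is not an OOXML zip, so only the ms-msdt string check applies to it, not the relationship walk.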

Twitter user @crazyman_army says they disclosed this vulnerability to Microsoft on April 12, but the company reportedly decided it wasn’t a security issue on April 21.

Beaumont says “Microsoft may have tried to fix this or accidentally fixed it in Office 365 Insider channel, without documenting a CVE or writing it down anywhere,” sometime in May.

Huntress Labs says it expects “exploitation attempts in the wild through email-based delivery” and notes that people “should be especially vigilant about opening any attachments” while Microsoft, antivirus vendors, and the rest of the security community respond to this threat.

Microsoft didn’t immediately respond to a request for comment.
