Researchers have publicly revealed a zero-day vulnerability in Microsoft Office that can be exploited using malicious Word documents to enable code execution on a victim’s system.
The vulnerability was initially disclosed by @nao_sec via Twitter on May 27.
“The document uses the Word remote template feature to retrieve a HTML file from a remote webserver, which in turn uses the ms-msdt MSProtocol URI scheme to load some code and execute some PowerShell,” researcher Kevin Beaumont explains. “That should not be possible.”
Beaumont reports that attackers can exploit this vulnerability, which he’s dubbed “Follina,” even if Office macros are disabled. Office 2013, 2016, 2019, 2021, and some versions of Office included with a Microsoft 365 license are subject to this vulnerability on both Windows 10 and Windows 11.
Huntress Labs CEO Kyle Hanslovan has shared a proof of concept that uses a Rich Text Format (RTF) file to exploit this vulnerability from the preview pane in Windows 11’s File Explorer, with no click on the document at all.
All of which means this vulnerability provides a way to execute code on a target system with one click—or, as Hanslovan demonstrates, just by previewing the malicious document—using support tools (ms-msdt) and system administration tools (PowerShell) pre-installed on Windows.
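As an added illustration of the chain Beaumont describes, here is a small Python triage script. It is example code written for this page, not code from Beaumont, nao_sec, Huntress, or Microsoft. It checks a .docx for an external attachedTemplate relationship (the hook Word's remote-template feature uses) and scans the HTML that such a template points to for an ms-msdt: URI, decoding HTML entities and percent-encoding first so that trivial obfuscation does not hide the scheme. The sample document and sample HTML it builds are constructed placeholders, not a working payload, and the script never fetches anything from the network; the caller supplies any HTML already retrieved.

```python
import html
import io
import re
import zipfile
import xml.etree.ElementTree as ET  # use defusedxml in production for untrusted input
from typing import Dict, List, Optional
from urllib.parse import unquote

# OOXML relationship type that Word uses for an attached (remote) template.
ATTACHED_TEMPLATE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)
REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"

# The URI scheme named in the article. Matched case-insensitively, and only
# after entity/percent decoding, so "ms-msdt%3A" or "&#109;s-msdt:" still hits.
MSDT_URI = re.compile(r"ms-msdt\s*:[^\"'<]*", re.IGNORECASE)


def remote_template_targets(docx_bytes: bytes) -> List[str]:
    """Return every external attachedTemplate target found in a .docx (zip) blob.

    Word keeps the link in word/_rels/settings.xml.rels, but every .rels part is
    checked so a link placed elsewhere in the package is not missed.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(REL_NS + "Relationship"):
                if (rel.get("Type") == ATTACHED_TEMPLATE
                        and rel.get("TargetMode") == "External"):
                    hits.append(rel.get("Target", ""))
    return hits


def msdt_uris(html_text: str) -> List[str]:
    """Return ms-msdt: URIs present in an HTML body after undoing entity and URL encoding."""
    decoded = unquote(html.unescape(html_text))
    return [m.group(0) for m in MSDT_URI.finditer(decoded)]


def triage(docx_bytes: bytes, fetched_html: Dict[str, str]) -> Dict[str, object]:
    """Combine both checks. fetched_html maps template URL -> HTML body, supplied by the caller."""
    targets = remote_template_targets(docx_bytes)
    uris = [u for t in targets for u in msdt_uris(fetched_html.get(t, ""))]
    if uris:
        verdict = "high: remote template loads an ms-msdt: URI"
    elif targets:
        verdict = "medium: external template link, inspect the target"
    else:
        verdict = "clean: no external template link"
    return {"remote_templates": targets, "msdt_uris": uris, "verdict": verdict}


def build_sample_docx(template_url: Optional[str]) -> bytes:
    """Constructed minimal .docx-like package for testing; None builds a benign document."""
    rel = ""
    if template_url is not None:
        rel = (f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
               f'Target="{template_url}" TargetMode="External"/>')
    rels = ('<?xml version="1.0" encoding="UTF-8"?>'
            '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
            f'{rel}</Relationships>')
    settings = ('<?xml version="1.0" encoding="UTF-8"?>'
                '<w:settings xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
                'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
                '<w:attachedTemplate r:id="rId1"/></w:settings>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/settings.xml", settings)
        z.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()


# Constructed sample inputs (hypothetical URL, placeholder URI arguments; not a real payload).
SAMPLE_URL = "http://example.invalid/template.html"
SAMPLE_HTML = ('<html><body><script>'
               'window.location.href = "ms-msdt%3A/id EXAMPLE /param key=value";'
               '</script></body></html>')

if __name__ == "__main__":
    print(triage(build_sample_docx(SAMPLE_URL), {SAMPLE_URL: SAMPLE_HTML}))
    print(triage(build_sample_docx(None), {}))
```

The two checks are deliberately separate: an external template link on its own is legitimate in some corporate documents, so the script grades it "medium" and only raises to "high" when the fetched HTML actually carries an ms-msdt: URI. Decoding before matching matters because the scheme can be split across entities or percent-encoded and still be honoured once the page is rendered.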
Twitter user @crazyman_army says they disclosed this vulnerability to Microsoft on April 12, but the company reportedly decided it wasn’t a security issue on April 21.
Beaumont says “Microsoft may have tried to fix this or accidentally fixed it in Office 365 Insider channel, without documenting a CVE or writing it down anywhere,” sometime in May.
Huntress Labs says it expects “exploitation attempts in the wild through email-based delivery” and notes that people “should be especially vigilant about opening any attachments” while Microsoft, antivirus vendors, and the rest of the security community respond to this threat.
Microsoft didn’t immediately respond to a request for comment.