A new Microsoft Office zero-day security vulnerability allows adversaries to execute PowerShell commands via Microsoft Diagnostic Tool (MSDT) by opening a Word document. A remote, unauthenticated attacker could exploit this vulnerability to take control of an affected system.
Security researcher Kevin Beaumont named the vulnerability “Follina” (the zero day code references the Italy-based area code of Follina – 0438) after discovering a malicious Word document that was uploaded to Google-owned VirusTotal on May 25 from an IP address in Belarus.
According to cybersecurity firm Huntress, users should be vigilant about opening any attachments and should be made aware that this exploit can be triggered with “a hover-preview of a downloaded file that does not require any clicks (post download).”
Bugcrowd Chief Technology Officer (CTO) Casey Ellis says the vulnerability appears trivially exploitable and very powerful/flexible in the security context of the logged-in user, given its ability to bypass Windows Defender. “It’s also particularly dangerous in that Microsoft Macro’s are the typical focus for code execution payloads via Microsoft Office products, so user awareness training on “Not Enabling Macros” doesn’t mitigate the risk,” he says.
Since the vulnerability was reported, Microsoft has reported active exploitation of this vulnerability in the wild and released a workaround, but not a patch.
The mitigations available are “messy workarounds that the industry hasn’t had time to study the impact of. They involve changing settings in the Windows Registry, which is serious business because an incorrect Registry entry could brick your machine,” says John Hammond, Senior Security Researcher at Huntress.
Cybersecurity firm Proofpoint said that a Chinese state-sponsored hacking group had been seen exploiting the zero-day in attacks on organizations associated with the Tibetan Government in Exile.
ColorTokens CTO Harisk Akali believes malicious actors have been exploiting Follina since April. The incident, Akali says, “underlines the importance of zero trust architecture and solutions based on that principle. Such an approach would only allow legitimate and approved network communication and processes on a computer.”