The Microsoft Follina vulnerability in Windows can be exploited through Office 365

Researchers warned over the weekend that a flaw in Microsoft’s Support Diagnostic Tool could be exploited using malicious Word documents to remotely take control of target devices. Microsoft released guidance on Monday, including temporary security measures. By Tuesday, the United States Cybersecurity and Infrastructure Security Agency had warned that “a remote, unauthorized hacker could use this vulnerability,” known as Follina, “to take control of an affected system.” But Microsoft did not say when or if a patch for the vulnerability was coming, although the company acknowledged that the flaw was being actively exploited by attackers in the wild. And the company still had no comment on the possibility of a fix when asked by WIRED yesterday.

The Follina vulnerability in a Windows support tool can easily be exploited by a specially crafted Word document. The decoy document references a remote template that retrieves a malicious HTML file and ultimately allows an attacker to execute PowerShell commands on Windows. The researchers note that they would describe the bug as a “zero-day,” or previously unknown vulnerability, but Microsoft has not classified it as such.

“Once public knowledge of the exploit grew, we started to see an immediate response from various attackers who started using it,” said Tom Hegel, senior threat researcher at security firm SentinelOne. He adds that while attackers have primarily been seen exploiting the loophole through malicious documents so far, researchers have discovered other methods, including the manipulation of HTML content in network traffic.

“While the malicious document approach is very troubling, the less documented methods by which the exploit can be triggered are troubling until they are fixed,” Hegel says. “I would expect opportunistic and targeted threats to exploit this vulnerability in a variety of ways when the option is available – it’s just too easy.”

The vulnerability is present in all supported versions of Windows and can be exploited through Microsoft Office 365, Office 2013 through 2019, Office 2021, and Office ProPlus. The primary mitigation offered by Microsoft involves disabling a specific URL protocol handler in the Support Diagnostic Tool and using Microsoft Defender Antivirus to monitor for and block exploitation attempts.
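The protocol handler the mitigation refers to is the MSDT URL protocol, registered under the ms-msdt key in the registry; Microsoft’s published workaround was to back that key up and then delete it, restoring the backup once a patch is installed. The script below is an added example written for this article, not Microsoft’s own tooling or anything from the original text. It wraps that workaround so it can be run (and reversed) safely from an elevated PowerShell session; the backup file path is an assumption you should replace with a location of your choosing.

```powershell
# Added example: apply or reverse the ms-msdt registry workaround for Follina.
# Run from an elevated PowerShell prompt. Supports -WhatIf / -Confirm.
# $BackupPath is a placeholder assumption; choose your own location.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$BackupPath = "$env:SystemDrive\ms-msdt-backup.reg",
    [switch]$Restore
)

$regKey  = 'HKEY_CLASSES_ROOT\ms-msdt'        # as reg.exe expects it
$psPath  = "Registry::$regKey"                 # as the PowerShell provider expects it

if ($Restore) {
    # Re-enable the handler from the backup once the machine is patched.
    if (-not (Test-Path -LiteralPath $BackupPath)) {
        throw "No backup found at $BackupPath; nothing to restore."
    }
    if ($PSCmdlet.ShouldProcess($regKey, "Import from $BackupPath")) {
        reg.exe import $BackupPath
        if ($LASTEXITCODE -ne 0) { throw "reg.exe import failed (exit $LASTEXITCODE)." }
        Write-Host "ms-msdt protocol handler restored."
    }
    return
}

if (-not (Test-Path -LiteralPath $psPath)) {
    Write-Host "ms-msdt protocol handler is not registered; nothing to do."
    return
}

# Always keep a copy before deleting, so the workaround can be undone later.
if ($PSCmdlet.ShouldProcess($regKey, "Export to $BackupPath")) {
    reg.exe export $regKey $BackupPath /y
    if ($LASTEXITCODE -ne 0) { throw "Backup failed (exit $LASTEXITCODE); not deleting the key." }
}

if ($PSCmdlet.ShouldProcess($regKey, 'Delete')) {
    reg.exe delete $regKey /f
    if ($LASTEXITCODE -ne 0) { throw "reg.exe delete failed (exit $LASTEXITCODE)." }
}

# Verify the result rather than trusting the exit code alone.
if (Test-Path -LiteralPath $psPath) {
    Write-Warning "ms-msdt handler is still registered; check permissions and retry."
} else {
    Write-Host "ms-msdt handler removed. Backup saved to $BackupPath"
}
```

Running the script with `-WhatIf` shows the export and delete steps without changing anything, which is a reasonable first pass on a fleet. Deleting the handler only closes the ms-msdt path; the Defender monitoring the article mentions is still worth keeping in place, since it covers the document and network-traffic triggers Hegel describes.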

But incident responders say more action is needed given how easy it is to exploit the vulnerability and how much malicious activity is being discovered.
