Follina vulnerability: What you need to know about the new, unpatched MS Office flaw

Update: Microsoft has now patched the ‘Follina’ vulnerability as part of the June 2022 cumulative Windows update, so update machines as soon as possible

Stratia Cyber penetration tester Jordan Glover explains why the new MS Office flaw is a big problem – and what users can do about it

A new vulnerability reachable from Microsoft Office documents means that an unwary user can be infected simply by opening a malicious file, and it is already being exploited by cybercriminals.

Known as ‘Follina’ and tracked as CVE-2022-30190, the vulnerability sits in the Microsoft Support Diagnostic Tool (MSDT) and is reached from an Office document through the ms-msdt: URL protocol handler. It means that a malicious document can infect a user even with macro scripting switched off (cybercriminals often have to ‘trick’ users into switching macros on to make their attacks work).

The Follina vulnerability is a ‘zero day’, meaning it’s previously unknown, says Jordan Glover, Penetration Tester at Stratia Cyber. 

Glover says, ‘It’s a vulnerability that exploits the Microsoft support diagnostics tool. If you generate an error, or you come across a problem within Windows, it’ll prompt you to use that tool. The exploit itself can be leveraged using a Word document. The Word document will contain instructions that have the ability to force that Windows diagnostics tool to run commands on a user’s system. 

‘This gives the ability for an attacker to gain remote code execution on a system. Remote code execution is one of the highest rated vulnerabilities you can have – you can pretty much run any command you like on that system.’
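To show what the chain Glover describes looks like in endpoint telemetry, here is an added example in PowerShell that is not code from the article, from Stratia Cyber or from Microsoft: a small detection rule run over constructed process-creation records. The field names follow Sysmon Event ID 1 (Image, ParentImage, CommandLine), the three sample records are made up for the example, and the list of Office parent processes is an assumption you may want to extend for your estate.

```powershell
# Added example, not code from the article or from Microsoft.
# Detection idea: a Follina document makes an Office process hand an ms-msdt: URL
# to the Support Diagnostic Tool, so msdt.exe shows up as a child of the Office
# application with that URL scheme on its command line.

# Assumption: Office executables whose child processes we treat as suspicious.
$OfficeParents = @('winword.exe', 'excel.exe', 'powerpnt.exe', 'outlook.exe')

function Test-FollinaProcessChain {
    # Evaluates one process-creation record (Sysmon Event ID 1 style fields).
    param([Parameter(Mandatory)] [pscustomobject] $Event)

    $parent = [System.IO.Path]::GetFileName([string]$Event.ParentImage).ToLowerInvariant()
    $child  = [System.IO.Path]::GetFileName([string]$Event.Image).ToLowerInvariant()
    $cmd    = [string]$Event.CommandLine

    # Rule 1: an Office application spawned the diagnostic tool directly.
    $officeSpawnedMsdt = ($child -eq 'msdt.exe') -and ($OfficeParents -contains $parent)
    # Rule 2: msdt.exe was started through the ms-msdt: protocol handler, whatever
    # the parent, so launches whose parent is not an Office binary are still caught.
    $protocolLaunch = ($child -eq 'msdt.exe') -and ($cmd -match 'ms-msdt:')

    $reason = $null
    if ($officeSpawnedMsdt) { $reason = "Office process $parent spawned msdt.exe" }
    elseif ($protocolLaunch) { $reason = 'msdt.exe started via the ms-msdt: URL scheme' }

    [pscustomobject]@{
        Match       = [bool]($officeSpawnedMsdt -or $protocolLaunch)
        Reason      = $reason
        ParentImage = $Event.ParentImage
        CommandLine = $cmd
    }
}

function Find-FollinaEvents {
    # Pipe process-creation records in; only the matching ones come out.
    param([Parameter(ValueFromPipeline)] [pscustomobject] $Event)
    process {
        $r = Test-FollinaProcessChain -Event $Event
        if ($r.Match) { $r }
    }
}

# Constructed sample records for the example (not real telemetry).
$SampleEvents = @(
    [pscustomobject]@{
        # The Follina chain: Word hands an ms-msdt: URL to the diagnostic tool.
        ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
        Image       = 'C:\Windows\System32\msdt.exe'
        CommandLine = 'C:\Windows\System32\msdt.exe ms-msdt:/id PCWDiagnostic /skip force /param "..."'
    }
    [pscustomobject]@{
        # Legitimate use: msdt.exe started by hand with a troubleshooter id.
        ParentImage = 'C:\Windows\explorer.exe'
        Image       = 'C:\Windows\System32\msdt.exe'
        CommandLine = 'C:\Windows\System32\msdt.exe -id DeviceDiagnostic'
    }
    [pscustomobject]@{
        # Benign Office child process: the 32-bit print helper.
        ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
        Image       = 'C:\Windows\splwow64.exe'
        CommandLine = 'C:\Windows\splwow64.exe 12288'
    }
)

# Only the first record should be reported.
$SampleEvents | Find-FollinaEvents | Format-List Reason, ParentImage, CommandLine
```

To run this over real data, read Sysmon Event ID 1 records with Get-WinEvent and map their Image, ParentImage and CommandLine fields onto objects of the same shape before piping them into Find-FollinaEvents. Rule 2 is the more durable of the two, because the parent-process rule depends on which Office binaries you list, while any msdt.exe launch carrying an ms-msdt: URL is worth a look regardless of who started it.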

The flaw has been used by cybercrime groups to deliver malware including information stealers and Remote Access Trojans (RATs). 

Cybersecurity vendor Kaspersky says that attacks using the Follina flaw are already targeting organisations in America, Russia, Brazil and India as well as some countries in Western Europe.

Glover says that the vulnerability is a ‘really, really big one’ and that Microsoft has still not supplied a patch. 

The vulnerability affects all versions of Windows, and Office versions including Microsoft Office 365, Office 2013 to 2019, Office 2021 and Office ProPlus.

Glover says, ‘They’ve given a quick fix, which is to remove the diagnostics tool, which involves disabling the registry key.’
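Microsoft's interim workaround was to remove the ms-msdt: URL protocol handler from the registry, which is the registry key Glover refers to. The PowerShell below is an added example, not Microsoft's script or the article's, that wraps the documented reg export and reg delete steps with a backup, a state check and a restore so the change can be undone once the June 2022 update is installed. The backup path is an assumption; the functions must be run from an elevated prompt.

```powershell
# Added example (not from the article or from Microsoft). Wraps the documented
# Follina workaround: back up and delete the HKEY_CLASSES_ROOT\ms-msdt key so an
# Office document cannot hand an ms-msdt: URL to msdt.exe, then restore it after patching.

$MsdtKey = 'HKEY_CLASSES_ROOT\ms-msdt'
# Assumption: where the backup .reg file is written. Keep it; Restore-MsdtHandler needs it.
$BackupPath = Join-Path $env:ProgramData 'ms-msdt-backup.reg'

function Test-IsElevated {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    (New-Object Security.Principal.WindowsPrincipal $id).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-MsdtHandlerState {
    # Exposed = the ms-msdt: protocol handler key still exists in the registry.
    [pscustomobject]@{
        Key     = $MsdtKey
        Exposed = Test-Path "Registry::$MsdtKey"
        Backup  = Test-Path $BackupPath
    }
}

function Disable-MsdtHandler {
    if (-not (Test-IsElevated)) { throw 'Run from an elevated PowerShell prompt.' }
    if (-not (Test-Path "Registry::$MsdtKey")) {
        Write-Host "$MsdtKey is already absent; nothing to do."
        return Get-MsdtHandlerState
    }
    # Step 1 of Microsoft's guidance: export the key so the change can be undone.
    & reg.exe export $MsdtKey $BackupPath /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg export failed with exit code $LASTEXITCODE" }
    # Step 2: delete the handler. With it gone, an ms-msdt: URL has nothing to invoke.
    & reg.exe delete $MsdtKey /f | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg delete failed with exit code $LASTEXITCODE" }
    Get-MsdtHandlerState
}

function Restore-MsdtHandler {
    # Undo the workaround once the June 2022 cumulative update is installed.
    if (-not (Test-IsElevated)) { throw 'Run from an elevated PowerShell prompt.' }
    if (-not (Test-Path $BackupPath)) { throw "No backup found at $BackupPath" }
    & reg.exe import $BackupPath | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg import failed with exit code $LASTEXITCODE" }
    Get-MsdtHandlerState
}

# Usage (elevated):
#   Disable-MsdtHandler   # apply the workaround; Exposed should then be False
#   Restore-MsdtHandler   # after patching; Exposed should then be True
Get-MsdtHandlerState
```

Deleting the key disables the ms-msdt: handler for every user on the machine, and Windows troubleshooters can still be started from the Settings app, so the functional impact is small. Treat it as a stop-gap: apply the June 2022 update, then run Restore-MsdtHandler. Where Microsoft Defender for Endpoint is deployed, the attack surface reduction rule that blocks Office applications from creating child processes gives a second, independent layer against this chain.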

Glover says that anybody who uses Windows and Microsoft Office is potentially at risk – but attackers may ‘lean towards’ targeting organisations. 

Glover says, ‘The Windows tool runs commands on whatever privileges that the user has. So if that tool was run as an administrator of a really large organisation, that attacker then has administrative privileges to be able to do whatever they like on the system. It makes total sense that hackers will use this exploit to go after big companies and wreak havoc with it.’

Glover says that although the exploit means that hackers don’t have to ‘trick’ victims into running macros in a document, there are still basic steps any user can take to avoid infection.

For the attack to work, you still need to open a file, Glover says. 

Glover says, ‘Whether you’re a business owner or an ordinary user, just be extra careful in the normal way you would be about cybersecurity.’

‘As security consultants, we always advise anybody that if something doesn’t look quite right, it’s probably not right. So if you receive an email from somebody and the spelling’s off, or it doesn’t make sense, it’s probably not right. 

‘We would always say, check who it’s from. Highlight the name on the email, because it might say, from John Smith, but when you look at the email itself, that could be a completely different email that will look very obvious that it’s malicious.

‘Or you get a random email from finance, or HR, or anybody that you’re not really in daily communication with – question it. Criminals can impersonate users within your organisation. Be vigilant!’

Microsoft’s guidance about the vulnerability – along with instructions about how to disable the tool – can be found here