Follina Bug Makes Microsoft Office Susceptible to Attack
Table of Contents
- By Steven
- Published: Jun 02, 2022
- Last Updated: Jun 02, 2022
A zero-day bug referred to as “Follina” sets the stage for outdated versions of Microsoft Office to be attacked. The malware is a significant threat as it loads itself on remote servers, bypassing the system’s scanner dubbed “Defender AV” and permitting the running of harmful code on computers. The code is run through a remote feature used in a Microsoft Word template. Let’s take a closer look at what the Follina bug is all about and why it is considered a legitimate problem.
Who Identified the Bug?
Nao Sec, a security vendor in Japan, identified the issue. The digital security specialist has since issued a warning about the Microsoft bug through Twitter. The warning was issued this past weekend. Kevin Beaumont with Nao Sec is responsible for giving the susceptibility its namesake. The name’s motivation for the code stems from the Italian city of Follina and its area code of 0438.
What Else is Known About the Flaw?
According to Beaumont, the weakness abuses the Microsoft Word remote template feature. The flaw is not completely reliant upon an exploit path that is macro-based. This characteristic is common in attacks that occur within Microsoft Office suite products. It is also interesting to note that Nao Sec reports one of the bug’s live samples was positioned within a template used for Microsoft Word, linking to an IP address. However, it is the address of the IP in question that is intriguing. The IP is traced back to the Republic of Belarus.
Will There be a Patch?
There might be a patch coming through the pipeline. However, in the meantime, Microsoft and digital security specialists are advising users to adhere to the Microsoft Attack Surface Reduction measures in an attempt to reduce risk. There is still some question about whether digital adversaries have taken advantage of the bug. Some reports indicate recent Office versions are susceptible to digital attacks. There are also some reports of supposed proof of concept code.
How Does the Infection Occur?
According to digital security professionals with Nao Sec, the infection path requires a template loading of an exploit through HTML files through remote servers. The “maldoc” in question transmitted via Belarus relies on an external link in Word to load HTML and execute a PowerShell. The MSProtocol URI scheme of ms-msdt loads part of the PowerShell code.
MSDT is short for Microsoft Support Diagnostic Tool. The tool is used for gathering information and transmitting it back to Microsoft’s Support team. The flaw permits the code to operate through MSDT even if macros are no longer enabled. It is also worth noting that Beaumont stated the exploit pertains to older Office versions instead of the latest version issued by the software giant.
Stay tuned as additional updates are released from Microsoft and Nao Sec, and other digital security specialists delving into the Follina bug. In the meantime, be sure to update your computer’s digital defenses to thwart any potential attacks.