Microsoft Acknowledges ‘Follina’ Vulnerability Continues to Open Up Office for Attack

By | Managed Services News

Jun 01

The flaw can be exploited via Microsoft Office versions 2013-2019, Office 2021, Office 365, and Office ProPlus.

A Japanese security vendor has made the world aware that a zero-day vulnerability in Microsoft Office permits threat actors to run malicious code.

Security researcher Kevin Beaumont dubbed the flaw “Follina.” Threatpost reported that the flaw in the Microsoft Support Diagnostic Tool (MSDT) is “abusing the remote template feature in Microsoft Word.” It is “not dependent on a typical macro-based exploit path, common within Office-based attacks.”

The vulnerability is triggered when an Office app like Word calls MSDT using the URL protocol, according to Microsoft.

“The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights,” the software giant wrote in a blog addressing the issue.

At least a month ago, India and Russia experienced attacks exploiting the Follina vulnerability. China-backed threat actors are currently exploiting the unpatched Microsoft Office zero-day flaw. Jai Vijayan at Channel Futures’ sister publication, Dark Reading, wrote that the vulnerability exists in Windows. It can be exploited via Microsoft Office versions 2013-2019, Office 2021, Office 365, and Office ProPlus.

Dark Reading reported that Microsoft may have delayed acknowledging the Follina vulnerability.

“Though the company’s advisory described the flaw as being publicly known and actively exploited, it did not describe the issue as a zero-day threat,” wrote Jai Vijayan, a Dark Reading contributor.

Microsoft didn’t respond to a query about when it first discovered the problem.

What Is Zero Day?

Researchers at WeLiveSecurity define zero-day as an unpatched vulnerability that is then used to carry out an attack. Zero days are used in malware to spread to and infect computers. The “zero” counts the number of days since a patch has been made available. Put otherwise, it’s a problem that hasn’t been fixed.

Why are zero-day vulnerabilities so appealing to threat actors? Simply put, it’s because the software bugs are exploited before a software vendor is aware of the flaw. And it’s been a record year for zero-day bugs. There were 58 documented zero days in 2021 compared to the 25 uncovered in 2020. Experts claim it’s impossible to track an accurate number of these exploits.
