Microsoft Office Impacted With 'Follina' Zero-Day Vulnerability: Researchers

Microsoft Office is found to have a zero-day vulnerability that can allow attackers to execute code using a specially crafted Word file. Called Follina, the security issue can impact users the moment they open the malicious Word document on their system. It enables attackers to execute PowerShell commands via Microsoft Diagnostic Tool (MSDT). Office 2013 and later versions are impacted by the Follina zero-day vulnerability, according to researchers. Microsoft has not yet brought its fix.

Tokyo-based cybersecurity research team Nao_sec publicly disclosed the Follina vulnerability impacting Microsoft Office on Twitter last week. Per the explanation provided by the researchers, the issue is allowing Microsoft Word to execute a malicious code via MSDT even if macros are disabled.

Microsoft provides macros as a series of commands and instructions that users can use to automate a particular task. However, the new vulnerability has enabled attackers to process a similar kind of automation, without using macros.

"The document uses the Word remote template feature to retrieve a HTML file from a remote Web server, which in turn uses the ms-msdt MSProtocol URI scheme to load some code and execute some PowerShell," explains researcher Kevin Beaumont, who examined the issue raised by Nao_sec. "That should not be possible."

Beaumont has named the vulnerability "Follina" since the spotted sample on the file references 0438, which is the area code of Italy's Follina.

The vulnerability is believed to be exploited in the wild by some attackers.

Beaumont said that a file exploiting the loophole targeted a user in Russia over a month ago.

Microsoft Office versions including Office 2013 as well as Office 2021 are found to be vulnerable to attacks due to the issue. Some versions of Office included with a Microsoft 365 licence could also be targeted by attackers on both Windows 10 and Windows 11, the researchers have pointed out.

Initially, Microsoft was informed about the vulnerability in April, though the company did not consider it a security issue at the time, a security researcher on Twitter reports.

Microsoft, however, finally acknowledged the existence of the vulnerability on Monday. It is tracked as CVE-2022-30190.

In a post released on the Microsoft Security Response Center blog, the Redmond company also shared some workarounds, including the option to disable the MSDT URL protocol and turning on the turn-on cloud-delivered protection and automatic sample submission options on Microsoft Defender.

However, Microsoft has not yet provided an exact timeline on when we could see the fix coming for Office users.

Users, in the meantime, can stay safe by not opening any unknown Microsoft Word documents if they have an affected Office version on a Windows machine.