Zero-day vuln in Microsoft Office: 'Follina' will work even when macros are disabled
Security News, May 2022
Infosec researchers have identified a zero-day code execution vulnerability in Microsoft's ubiquitous Office software.
Dubbed "Follina", the vulnerability has been floating around for a while. It uses Office functionality to retrieve an HTML file, which in turn makes use of the Microsoft Support Diagnostic Tool to run code.
The Huntress post on the matter suggested that users of Microsoft Defender's Attack Surface Reduction rules could put the "Block all Office applications from creating child processes" rule into Block mode.
An alternative, suggested by vulnerability analyst Will Dormann, would be to remove the file type association for ms-msdt so that Office cannot fire up the tool.
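The two workarounds above, applied from an elevated PowerShell session, as an added example that is not code from the article, from Huntress or from Microsoft. It assumes Microsoft Defender Antivirus is the active engine (ASR rules depend on it) and that the GUID below is the documented identifier of the "Block all Office applications from creating child processes" rule; confirm it against Microsoft's ASR rule reference before deploying.

```powershell
# Added example: applies the two Follina workarounds described in the article.
# Run as Administrator. Assumes Defender AV is active; the rule GUID is assumed
# to be the documented one for "Block all Office applications from creating
# child processes" and should be checked against Microsoft's ASR reference.

$OfficeChildProcessRule = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'

function Enable-OfficeChildProcessBlock {
    # Put the ASR rule into Block mode ("Enabled"; "AuditMode" would only log).
    Add-MpPreference -AttackSurfaceReductionRules_Ids $OfficeChildProcessRule `
                     -AttackSurfaceReductionRules_Actions Enabled

    # Read the configuration back so the change can be verified, and return the
    # action recorded for the rule (1 = Block) or $null if the rule is absent.
    $prefs = Get-MpPreference
    $ids = @($prefs.AttackSurfaceReductionRules_Ids)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $OfficeChildProcessRule) {
            return $prefs.AttackSurfaceReductionRules_Actions[$i]
        }
    }
    return $null
}

function Remove-MsdtHandler {
    param([string]$BackupPath = "$env:TEMP\ms-msdt-handler.reg")
    $key = 'Registry::HKEY_CLASSES_ROOT\ms-msdt'

    # Export the ms-msdt protocol handler before deleting it, so it can be
    # restored with "reg import <BackupPath>" once a vendor fix is installed.
    if (Test-Path $key) {
        reg export 'HKEY_CLASSES_ROOT\ms-msdt' $BackupPath /y | Out-Null
        reg delete 'HKEY_CLASSES_ROOT\ms-msdt' /f | Out-Null
    }

    # $true when the handler is gone, i.e. Office can no longer launch msdt via it.
    return (-not (Test-Path $key))
}

Enable-OfficeChildProcessBlock
Remove-MsdtHandler
```

Keep the exported .reg file: deleting the handler also breaks legitimate troubleshooter links until it is imported back, so the removal is a stopgap rather than a permanent configuration.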
"Detection," wrote Beaumont in a post on the subject, "is probably not going to be great, as Word loads the malicious code from a remote template, so nothing in the Word document is actually malicious."
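Because the document itself carries nothing detectable, the observable artifact is the process chain the ASR rule exists to block: an Office application spawning the diagnostic tool. The hunt below is an added example, not code from the article or from Beaumont; it assumes Sysmon is installed and writing process-creation events (Event ID 1) to its Operational channel, and the list of Office executable names is an assumption based on a standard Office install.

```powershell
# Added example: hunt Sysmon process-creation events for an Office application
# launching msdt.exe. Assumes Sysmon is installed with Event ID 1 logging enabled.

# Assumed Office parent process names (standard Office install).
$OfficeParents = @('WINWORD.EXE', 'EXCEL.EXE', 'POWERPNT.EXE', 'OUTLOOK.EXE')

function Find-OfficeSpawnedMsdt {
    param([datetime]$Since = (Get-Date).AddDays(-7))

    $filter = @{
        LogName   = 'Microsoft-Windows-Sysmon/Operational'
        Id        = 1
        StartTime = $Since
    }

    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Flatten the EventData <Data Name="..."> elements into a hashtable.
        $xml = [xml]$_.ToXml()
        $d = @{}
        foreach ($item in $xml.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }

        $parent = [IO.Path]::GetFileName([string]$d['ParentImage'])
        $child  = [IO.Path]::GetFileName([string]$d['Image'])

        # -contains and -ieq are case-insensitive, so path casing does not matter.
        if (($OfficeParents -contains $parent) -and ($child -ieq 'msdt.exe')) {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                User        = $d['User']
                Parent      = $d['ParentImage']
                CommandLine = $d['CommandLine']
            }
        }
    }
}

Find-OfficeSpawnedMsdt | Format-Table -AutoSize
```

Any hit is worth triage: there is little legitimate reason for Word or Excel to launch msdt.exe, so the query produces few false positives even on busy endpoints. If the ASR rule is in Block mode, the same parent/child pair also surfaces in Defender's ASR block events, which can be correlated with these rows.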
Interestingly, although Microsoft has yet to publicly acknowledge the issue, Beaumont noted that it appeared to have been fixed in the very latest Insider and Current versions of Office.