Meet Follina. It is a vulnerability that lets attackers run code of their choosing on a victim's machine and, through it, read, change or delete that user's programs and data. And it lives in Microsoft Windows.
Discovery of Follina
The vulnerability, a remote code execution (RCE) flaw tracked as CVE-2022-30190, sits in the Microsoft Support Diagnostic Tool (MSDT), a component of Windows. It came to public attention on May 27, 2022, when researchers noticed a malicious Microsoft Word document that had been uploaded to the VirusTotal scanning service and that launched MSDT when opened. It later emerged that the flaw had already been reported to Microsoft in April 2022. Since disclosure, documents exploiting it have been used in phishing aimed at US and European government employees and at a major telecoms provider here in Australia; the company has not been named publicly, so the incident is evidently being kept under wraps.
Risk of vulnerability
Microsoft's advisory describes the impact as follows (the name Follina, by the way, was coined by researcher Kevin Beaumont because the malicious sample's file name contained 0438, the telephone area code of the Italian village of Follina):
“An attacker who exploits this vulnerability could run code with the privileges of the calling application. The attacker can then install programs, view, change or delete data, or create new accounts in the context allowed by user rights.”
The Australian Cyber Security Centre (ACSC) has rated Follina “critical” and says it is aware of the vulnerability being used against Australian organizations.
When the flaw was first reported in April, Microsoft's security response team reportedly closed the report on the grounds that it was not a security-related issue, and no fix was issued at that time.
Microsoft has since released a patch. The June 14, 2022 Windows security update (that month's Patch Tuesday release) fixes the vulnerability, and users are advised to install it. If your system updates automatically you should already have it, but it is worth confirming in Windows Update that the June 2022 cumulative update is actually installed rather than assuming.
Microsoft's advisory also lists the Windows versions affected by Follina. If you run any of them, install the June updates as soon as possible.
Who is Affected by Follina?
Follina is a flaw in MSDT, which ships with Windows, so the vulnerable software is Windows itself: Windows 7 through Windows 11 and Windows Server 2008 through Windows Server 2022. Office is the delivery vehicle: a document opened in Office 2013, 2016, 2019 or 2021, or in the Microsoft 365 Apps, can reach the vulnerable MSDT component on any of those Windows versions.
Because Microsoft Office is the most widely used business productivity suite in the world, the expected impact is high and global in scope, affecting most personal and corporate computing environments. Office applications can trigger Follina even with VBA macros disabled, because the document carries no macro: it links an external OLE object by URL, and the HTML fetched from that URL redirects to the ms-msdt: URL scheme, which launches MSDT with attacker-controlled parameters. Protected View blocks that fetch for documents marked as coming from the internet, so the realistic target is a user who clicks “Enable Editing” on an untrusted file or who receives a variant that sidesteps Protected View. Because Follina is simple to exploit, even a novice attacker can take remote control of systems, and publicly available proofs-of-concept make it easy to build a weaponized document.
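To make that mechanism concrete, here is an added example (not code from the original article, from Microsoft or from any vendor) in Python that triages a .docx for the Follina delivery chain: it pulls every OLE relationship marked as external from the package's .rels parts and, given the HTML served for such a URL (captured from a proxy or sandbox), checks it for the ms-msdt: redirect. The sample document and HTML are constructed fixtures built inside the script; 203.0.113.10 is a documentation address, and the function names and marker list are my own choices.

```python
"""Triage helper for the Follina (CVE-2022-30190) delivery chain in OOXML documents.

Added example for this article, not code from Microsoft or the original author.
It checks the two observable stages of the chain: a .docx whose relationship
part links an *external* OLE object, and a fetched HTML page that redirects to
the ms-msdt: URL scheme. The sample document and HTML below are constructed
fixtures; the URL uses a documentation address, not real infrastructure.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from typing import Optional

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
# Markers of the ms-msdt: invocation used by public Follina samples.
MSDT_MARKERS = (
    re.compile(r"ms-msdt:", re.IGNORECASE),
    re.compile(r"PCWDiagnostic", re.IGNORECASE),
    re.compile(r"IT_(?:Rebrowse|Browse)ForFile", re.IGNORECASE),
)


def external_ole_targets(docx_bytes: bytes) -> list:
    """Return Target URLs of OLE relationships marked TargetMode="External".

    A legitimately embedded object is stored inside the package (word/embeddings/...),
    so an oleObject relationship that points outside the package is itself a strong signal.
    """
    targets = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                if rel.get("Type") == OLE_REL and rel.get("TargetMode") == "External":
                    targets.append(rel.get("Target", ""))
    return targets


def html_invokes_msdt(html: str) -> list:
    """Patterns of the Follina markers present in a fetched HTML payload (empty if clean)."""
    return [m.pattern for m in MSDT_MARKERS if m.search(html)]


def triage(docx_bytes: bytes, fetched: Optional[dict] = None) -> dict:
    """Combine both stages. `fetched` maps an external Target URL to the HTML served
    for it (from a proxy or sandbox capture); pass None for a static check only."""
    targets = external_ole_targets(docx_bytes)
    verdict = {"external_ole": targets, "msdt_markers": {}, "suspicious": bool(targets)}
    for url in targets:
        html = (fetched or {}).get(url)
        if html is not None:
            hits = html_invokes_msdt(html)
            verdict["msdt_markers"][url] = hits
            verdict["suspicious"] = verdict["suspicious"] or bool(hits)
    return verdict


def build_sample_docx(target: Optional[str]) -> bytes:
    """Construct a minimal OOXML package (test fixture): with a target it carries an
    external OLE relationship like the Follina samples, without one it is clean."""
    rel = ""
    if target:
        rel = (f'<Relationship Id="rId1" Type="{OLE_REL}" '
               f'Target="{target}" TargetMode="External"/>')
    rels = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
            f'<Relationships xmlns="{RELS_NS}">{rel}</Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


# Constructed fixtures: a Follina-style document and the HTML it would fetch.
SAMPLE_URL = "http://203.0.113.10/follina.html!"   # trailing '!' as in the public samples
SAMPLE_HTML = ('<html><body><script>'
               'window.location.href = "ms-msdt:/id PCWDiagnostic /skip force '
               '/param \\"IT_BrowseForFile=$(...)\\"";'
               '</script></body></html>')

if __name__ == "__main__":
    print(triage(build_sample_docx(SAMPLE_URL), {SAMPLE_URL: SAMPLE_HTML}))
    print(triage(build_sample_docx(None)))
```

The static check alone (no fetched HTML) is enough to quarantine a document for analysis, since a benign .docx has no reason to load an OLE object from a remote URL. The RTF variant is not a zip package, so for .rtf files grep the raw text for the same external URL instead.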
How bad is Follina?
Follina is a high-severity vulnerability that is trivial to exploit and leads to remote code execution (RCE). It does require user interaction, but very little of it: tricking a victim into opening a malicious document or link delivered via email or social media is enough, and for the RTF variant of the attack merely selecting the file so that Windows Explorer renders it in the preview pane triggers the payload without the file ever being opened.
Once a document carrying the Follina chain has been opened, the attacker's code runs with the privileges of the user who launched the Office application, not as SYSTEM. With that user-level foothold the attacker can do anything that user can: read or exfiltrate documents, destroy or ransom them, or pivot to privilege escalation in pursuit of administrative rights and access to more valuable targets within the victim's network.
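The process chain that results is what most detections key on: an Office application spawns msdt.exe with the ms-msdt: parameters, and MSDT runs the troubleshooting pack, and with it the injected PowerShell, inside sdiagnhost.exe, so whatever the payload starts appears as a child of sdiagnhost.exe. The following is an added example, not a vendor rule and not code from the original article, that applies that logic to Sysmon Event ID 1 style process-creation records. The records are constructed samples with the payload replaced by a placeholder, the field names follow Sysmon's Image, ParentImage and CommandLine, and the rule deliberately does not alert on `msdt.exe -id PCWDiagnostic` by itself, which is how the legitimate Program Compatibility troubleshooter is launched.

```python
"""Process-creation detection for the Follina (CVE-2022-30190) execution chain.

Added example for this article, not a vendor rule and not code from the
original author. Field names follow Sysmon Event ID 1 (Image, ParentImage,
CommandLine); the records in SAMPLE_EVENTS are constructed, with the
PowerShell payload replaced by the placeholder "(...)".
"""
import re

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Strong marker: a PowerShell subexpression injected into the troubleshooter's
# IT_BrowseForFile parameter. "-id PCWDiagnostic" on its own is how the
# legitimate Program Compatibility troubleshooter is started, so it is NOT a signal.
INJECTION = re.compile(r"IT_BrowseForFile=\$\(", re.IGNORECASE)
MSDT_SCHEME = re.compile(r"\bms-msdt:", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> list:
    """Reasons this process-creation event looks like Follina (empty = not flagged)."""
    image = basename(event.get("Image", ""))
    parent = basename(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "")
    reasons = []
    if image == "msdt.exe" and parent in OFFICE_APPS:
        reasons.append("msdt.exe spawned by an Office application")
    if image == "msdt.exe" and MSDT_SCHEME.search(cmd) and INJECTION.search(cmd):
        reasons.append("ms-msdt: invocation with $( ) injected into IT_BrowseForFile")
    # The injected PowerShell runs inside sdiagnhost.exe; anything it launches
    # (other than the console host) shows up as a child of sdiagnhost.exe.
    if parent == "sdiagnhost.exe" and image != "conhost.exe":
        reasons.append(f"sdiagnhost.exe started {image}")
    return reasons


def detect(events: list) -> list:
    """(index, reasons) for every flagged event, in log order."""
    hits = []
    for index, event in enumerate(events):
        reasons = classify(event)
        if reasons:
            hits.append((index, reasons))
    return hits


SAMPLE_EVENTS = [
    {   # Follina: Word launches MSDT via the URL scheme with an injected payload
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "Image": r"C:\Windows\System32\msdt.exe",
        "CommandLine": r'"C:\Windows\System32\msdt.exe" ms-msdt:/id PCWDiagnostic /skip force '
                       r'/param "IT_RebrowseForFile=? IT_LaunchMethod=ContextMenu '
                       r'IT_BrowseForFile=$(Invoke-Expression(...))i/../../../../../../Windows/System32/mpsigstub.exe"',
    },
    {   # Benign: user opens the Program Compatibility troubleshooter from Control Panel
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\msdt.exe",
        "CommandLine": r'"C:\Windows\System32\msdt.exe" -id PCWDiagnostic',
    },
    {   # Follina stage 2: the injected command starts a script host under sdiagnhost.exe
        "ParentImage": r"C:\Windows\System32\sdiagnhost.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe -nop -w hidden -enc (...)",
    },
    {   # Benign: Explorer starts Word
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "CommandLine": '"WINWORD.EXE" /n "C:\\Users\\alice\\report.docx"',
    },
]

if __name__ == "__main__":
    for index, reasons in detect(SAMPLE_EVENTS):
        print(index, "; ".join(reasons))
```

The first rule (Office parent, msdt.exe child) is the one worth deploying even without command-line logging, because Office has no legitimate reason to start MSDT; the command-line rule adds confidence, and the sdiagnhost.exe rule catches the payload's own children when the initial launch was missed.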
How to Protect Against Follina?
Microsoft initially published a temporary workaround that prevents a successful attack via the known vectors: disabling the ms-msdt: URL protocol handler by backing up and then deleting the HKEY_CLASSES_ROOT\ms-msdt registry key, so that a document's redirect to an ms-msdt: URL no longer launches MSDT. Microsoft has since released Windows updates that fix MSDT so the protocol can no longer be used to execute attacker-supplied code, after which the registry key can be restored from the backup. Microsoft also notes that the Microsoft Defender for Endpoint attack surface reduction rule “Block all Office applications from creating child processes” blocks the Office-to-MSDT chain. Patching and blocking child processes stop the exploit; user awareness training that teaches staff to recognize phishing reduces how often it is attempted in the first place.
What is the Follina vulnerability?
Follina is a high-severity vulnerability in the Microsoft Support Diagnostic Tool (MSDT), a Windows component, that is trivial to exploit through Microsoft Office documents and leads to remote code execution by an attacker. It can be triggered from Office 2013, 2016, 2019 and 2021 and from the Microsoft 365 Apps, on all Windows desktop and server versions from Windows 7 and Windows Server 2008 onward.
Follina payloads are delivered by getting the victim to open (or, for the RTF variant, merely preview) a malicious document; the code executed via Follina can perform a wide range of malicious activity on the victim's device, from stealing banking credentials, to locking up systems and demanding a ransom, to exfiltrating sensitive personal, medical or financial data.
How do I protect against Follina?
The first officially available remediation was to disable the ms-msdt: URL protocol handler altogether, but Microsoft has since released Windows updates that prevent MSDT from executing attacker-supplied code. Install the updates; where patching has to wait, apply the registry workaround in the meantime and revert it once the update is in place.