Follina Zero Day

Adversaries are actively exploiting an easily exploited vulnerability in the Microsoft Support Diagnostic Tool (MSDT) in Windows, which lets them execute code remotely via Office documents even when macros are turned off.

According to security experts who have looked at the problem, it exists in all currently supported Windows versions. It may be triggered through Microsoft Office releases from 2013 through 2019, Office 2021, Office 365, and Office ProPlus.

Windows systems running a vulnerable version of the Microsoft Office software may be exploited by attackers who use a zero-day flaw called “Follina.” It allows attackers to remotely execute arbitrary code on Windows systems. Microsoft has warned that the problem gives attackers the ability to “install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights.”

The vulnerability is particularly problematic because it affects all currently supported Windows versions. This means that many users and organizations may be impacted by this flaw.

To exploit the flaw, attackers would create a specially crafted Office document that, when opened, would run a malicious program on the victim’s machine. The document could be sent as an email attachment or hosted on a website.

“The attacker could then use this access to install programs; view, change, or delete data; or create new accounts with full user rights,” Microsoft said in its advisory. “If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system.”

Microsoft has not yet released a patch for the flaw, but it said that it is working on a fix and will release it “as soon as possible.” In the meantime, it has published guidance on mitigating the problem.

“We recommend that users and administrators follow the guidance in our advisory and apply the mitigations to help protect against attacks,” Microsoft said. “We also encourage users and administrators to review our guidance for disabling macros and take action to disable macros in Office files.”

Potential Impact

The flaw could be used to access a victim’s machine, install programs, view or change data, or create new accounts. The attacker could then use this access to take control of the system.

On its own, the MSDT vulnerability isn’t extremely critical. The fact that it may be triggered by Microsoft Office, however, is cause for concern: it makes the flaw much more dangerous, as many organizations have Microsoft Office installed on their computers.

The fact that this flaw exists in all currently supported versions of Windows is also worrying, as it means that many users and organizations may be impacted by this flaw.