There is still no patch for an actively exploited Microsoft 0-day bug


There is still no patch for an actively exploited Microsoft 0-day bug

There is still no patch for an actively exploited Microsoft 0-day bug

mturhanlar | Getty Images

Researchers warned last weekend that a flaw in Microsoft’s support diagnostic tool could be exploited by using malicious Word documents to remotely take control of target devices. Microsoft released guidance Monday, including temporary mitigation measures. As of Tuesday, the United States Cybersecurity and Infrastructure Security Agency had warned that “a remote, unauthenticated attacker could exploit this vulnerability,” known as Follina, “to take control of an affected system.” But Microsoft declined to say when or if a patch for the vulnerability is coming, although the company acknowledged that the flaw was being actively exploited by attackers in the wild. And the company still had no comment on the possibility of a patch at the request of WIRED.

The Follina vulnerability in a Windows support tool can be easily exploited through a specially crafted Word document. The decoy comes equipped with a remote template that can fetch a malicious HTML file and ultimately allow an attacker to run Powershell commands in Windows. Researchers note that they would label the flaw a “zero-day” or previously unknown vulnerability, but Microsoft has not classified it as such.

“As public awareness of the exploit increased, we saw an immediate response from a variety of attackers who began using it,” said Tom Hegel, senior threat researcher at security firm SentinelOne. He adds that while attackers have primarily been observed exploiting the flaw through malicious documents, researchers have also discovered other methods, including manipulating HTML content in network traffic.

“While the approach of malicious documents is very concerning, the less documented methods by which the exploit can be triggered are concerning until they are patched,” says Hegel. “I would expect opportunistic and well-targeted threat actors to exploit this vulnerability in a variety of ways when the option is available – it’s just too easy.”

The vulnerability is present in all supported versions of Windows and can be exploited via Microsoft Office 365, Office 2013 to 2019, Office 2021 and Office ProPlus. The main mitigation suggested by Microsoft is to disable a specific protocol in the support diagnostic tool and use Microsoft Defender Antivirus to monitor and block exploitation.

But incident responders say further action is needed given the ease of exploitation of the vulnerability and how much malicious activity is detected.

“We’re seeing a variety of APT actors embed this technique into longer infection chains that exploit the Follina vulnerability,” says Michael Raggi, a threat researcher at security firm Proofpoint, who focuses on Chinese government-backed hackers On May 30 In 2022, we observed Chinese APT actor TA413 sending a malicious URL in an email impersonating the Tibetan Central Administration. Different actors insert the Follina-related files at different stages in their infection chain, depending on the toolkit they already have in place and the tactics employed.”

Researchers have too seen harmful documents exploit Follina with destinations in Russia, India, the Philippines, Belarus and Nepal. An undergraduate student first noticed the bug in August 2020, but it was first reported to Microsoft on April 21. The researchers also found that Follina hacks are particularly useful for attackers because they can come from malicious documents without having to rely on macros, the much-abused Office document feature that Microsoft has worked to contain.

“Proofpoint has identified a variety of actors who have integrated the Follina vulnerability into phishing campaigns,” said Sherrod DeGrippo, vice president of threat research at Proofpoint.

With all this real-world exploitation, the question arises as to whether the guidance Microsoft has released so far is reasonable and commensurate with the risk.

“Security teams might take Microsoft’s nonchalant approach as a sign that this is ‘just another vulnerability,’ which it most certainly is not,” says Jake Williams, director of cyber threat intelligence at security firm Scythe. “It is not clear why Microsoft continues to downplay this vulnerability, especially when it is actively exploited in the wild.”

This story originally appeared on

You May Also Like