New Follina zero-day vulnerability in Microsoft Office works even with macros disabled

Tudor Cibean

Posts: 143   +9
Staff
In a nutshell: Follina doesn't require elevated privileges or Office macros to be enabled, and it doesn't get detected by Windows Defender. It works on most fully-updated Office versions and operating systems, with researchers pointing out that it can be exploited even if a user selects a malicious file in Windows Explorer.

Researchers have just revealed a new zero-day vulnerability in Microsoft Office, which the infosec community has dubbed Follina. It allows attackers to execute Powershell commands via Microsoft Diagnostic Tool (MSDT) once a malicious Word document is opened.

What makes this vulnerability especially dangerous is that it completely bypasses Windows Defender detection, works without elevated privileges and doesn't require Office macros to be enabled. So far, it's been confirmed to be present in Office 2013, 2016, 2019, 2021, and a few versions included with a Microsoft 365 license on both Windows 10 and 11.

As Kevin Beaumont explains, a malicious document uses the Word remote template feature to retrieve an HTML file from a remote web server. This, in turn, uses the ms-msdt MSProtocol Uniform Resource Identifier (URI) scheme to execute code in Powershell.

Protected View, a feature that alerts users of files from potentially unsafe locations, does activate and flag the document as potentially malicious. However, by converting the document to a Rich Text Format (RTF) file, the vulnerability can be exploited simply by selecting the file (without opening it) if Windows Explorer's preview pane option is enabled.

Interestingly, Microsoft was informed of this vulnerability in April, yet it decided to dismiss it as the company couldn't replicate it.

Huntress Labs, a cybersecurity company, says it expects attackers to exploit Follina through email-based delivery and warns people to be vigilant about opening any attachments until the vulnerability gets patched.

Permalink to story.