Microsoft vulnerability being exploited, awaiting fix in industry

Hackers Capitalizing on Follina Flaw to Deploy Malware: Report by Proofpoint

Hackers exploit Microsoft's unpatched vulnerability; the tech world waits for a fix

The "Follina" vulnerability, a zero-day threat in Microsoft Office, has raised alarm bells in the cybersecurity community. This potential exploit, if successfully executed, could cause significant global impacts.

According to Nikolas Cemerikic, any Office document that handles OLEObject relationships is potentially vulnerable to Follina. The most common method of delivering this vulnerability is through email campaigns with attached files.
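A defensive triage check for the point above, added here as an example (it is not from the article or the researchers quoted): it lists every OLEObject relationship in an OOXML attachment that points outside the file, which an ordinary embedded object does not need. The function names and the sample document are constructed for illustration; legacy .doc and RTF files are not covered.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
OLE_TYPE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
            "relationships/oleObject")

def external_ole_relationships(data: bytes):
    """Return (part, id, target) for each external oleObject relationship."""
    findings = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not an OOXML container (legacy .doc, RTF, ...)
    with archive:
        for name in archive.namelist():
            if not name.endswith(".rels"):
                continue
            try:
                # Untrusted XML: a hardened parser such as defusedxml is
                # preferable in production; stdlib keeps this self-contained.
                root = ET.fromstring(archive.read(name))
            except ET.ParseError:
                findings.append((name, None, None))  # malformed part: review
                continue
            for rel in root.iter(REL_NS + "Relationship"):
                external = rel.get("TargetMode", "").lower() == "external"
                if rel.get("Type") == OLE_TYPE and external:
                    findings.append((name, rel.get("Id"), rel.get("Target")))
    return findings

def build_sample(external: bool) -> bytes:
    """Constructed in-memory .docx skeleton holding only a relationships part."""
    rels = ['<Relationship Id="rId1" Type="%s" '
            'Target="embeddings/oleObject1.bin"/>' % OLE_TYPE]
    if external:  # placeholder target, constructed for the example
        rels.append('<Relationship Id="rId2" Type="%s" TargetMode="External" '
                    'Target="https://example.invalid/placeholder"/>' % OLE_TYPE)
    xml = ('<Relationships xmlns="http://schemas.openxmlformats.org/package/'
           '2006/relationships">%s</Relationships>' % "".join(rels))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/_rels/document.xml.rels", xml)
    return buf.getvalue()

if __name__ == "__main__":
    for finding in external_ole_relationships(build_sample(True)):
        print("external OLE relationship:", finding)
```

A hit is a reason to quarantine the attachment for review, not proof of exploitation; a clean result says nothing about other file formats.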

Microsoft has yet to issue a patch for the Follina vulnerability, leaving many organizations and individuals at risk. The company has, however, warned that the vulnerability could allow an attacker to install programs, change or delete data, or create new accounts.

Researchers found and notified Microsoft about the Follina vulnerability in April, but the company did not initially consider the issue a security problem, according to researcher Kevin Beaumont. This delay in addressing the issue has extended the timeline of the vulnerability.

Multiple cybersecurity research groups and threat actors, including both ethical hackers and malicious entities, have developed ways to exploit the Follina vulnerability. An advanced persistent threat (APT) actor, identified as TA413, is using URLs to deliver Zip archives with Word documents. TA413, linked to China, has in the past targeted dissidents linked to Tibet and European diplomatic and non-profit organizations.

The potential damage from the Follina vulnerability is significant and global, according to Johannes Ullrich. He notes that many organizations in both the public and private sectors are at risk because opening attachments is a routine part of doing business. Notably, users can potentially trigger the Follina exploit by previewing a document in Windows Explorer, without the need for a full download.

In theory, the Follina vulnerability could be exploited in other Office applications in the future, as stated by Cemerikic. This expanding scope of potential exploitation adds to the growing concern.

Recent updates in the Follina saga include a phishing campaign from a suspected state-aligned threat actor that Proofpoint researchers blocked on June 6, 2022. Additionally, on June 8, 2022, Proofpoint researchers reported that the TA570 threat actor is exploiting the Follina vulnerability (CVE-2022-30190) to deliver Qbot malware.

As the Follina vulnerability continues to pose a threat, it is crucial for users and organizations to remain vigilant and follow best practices for email safety and attachment handling.
