A zero-day vulnerability found in Microsoft Office can allow attackers to execute code using a specially crafted Word document. The security issue — Follina — can hit users the moment they open the malicious Word file.
The malicious document allows attackers to execute PowerShell commands through the Microsoft Diagnostic Tool (MSDT). Researchers suggest that the Follina zero-day vulnerability affects Office 2013 and later versions. Microsoft has yet to release a fix.
Nao_sec, a Tokyo-based cybersecurity research organisation, disclosed the Follina vulnerability on Twitter last week. According to their explanation, the issue allows Microsoft Word to execute malicious code even when macros are disabled.
Microsoft's macros are sets of commands and instructions that users record to automate a task. The vulnerability, however, lets attackers achieve similar code execution without any macros.
Researcher Kevin Beaumont, after examining the research by Nao_sec, wrote in his blog: “The document uses the Word remote template feature to retrieve a HTML file from a remote Web server, which in turn uses the ms-msdt MSProtocol URI scheme to load some code and execute some PowerShell.”
“That should not be possible.”
Beaumont named the vulnerability Follina because the sample file that was spotted references 0438, the area code for Follina in Italy.
Beaumont said a file exploiting the flaw targeted a user in Russia a month ago.
Microsoft Office versions such as Office 2013 and Office 2021 have been found to be vulnerable to attacks. Some versions included with a Microsoft 365 licence could also be targeted on both Windows 10 and 11.
Microsoft was initially informed about the vulnerability in April, but the company did not consider it a security risk at the time, according to a security researcher on Twitter.
The software giant finally acknowledged the vulnerability on Monday but has yet to provide a timeline for a fix for Office users.