A severe Microsoft Office vulnerability has allowed attackers to execute code that bypasses most security measures on target systems for at least a month. Researchers say this week’s Patch Tuesday has neutralized the vulnerability, which state-backed hackers had been exploiting.
Testing performed by Sophos confirms that Tuesday’s KB5014699 Windows update neutralizes the Follina exploit, which allowed malicious Microsoft Word files to execute PowerShell commands on target systems. The exploit affected Office 2013, 2016, 2019, 2021, and some versions of Microsoft 365 on Windows 10 and 11.
Follina worked through the Microsoft Diagnostic Tool (MSDT): a document retrieved an HTML file from a remote web server and then invoked the ms-msdt: MSProtocol URI scheme to run PowerShell code. It was particularly dangerous because Windows Defender didn’t protect against it, and it didn’t need elevated privileges or Office macros to work. Even Office’s Protected Mode — designed to stop malicious code embedded in documents — couldn’t stop Follina. Users could trigger it simply by opening a compromised document in Windows Explorer’s preview pane.
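The two traits described above, a Word document that pulls content from a remote web server and the ms-msdt: URI scheme, are what a defender can look for in a document before it reaches a user. The following Python scanner is an added example written for this article; it is not Sophos’s code, Microsoft’s, or part of any product. It unpacks a .docx (a ZIP archive), flags OLE object relationships whose target is an external http(s) URL, and flags the ms-msdt: scheme anywhere in the package. The relationship type URI is the standard OOXML one; the sample packages it builds are constructed inline for testing and carry no payload.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Standard OOXML relationship type for embedded OLE objects.
OLE_REL_TYPE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                "relationships/oleObject")
RELS_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
# The URI scheme Follina abused, as described in the article.
MSDT_SCHEME = re.compile(rb"ms-msdt:", re.IGNORECASE)


def scan_docx(data: bytes) -> list:
    """Return a list of findings for one .docx supplied as bytes.

    Check 1: an OLE object relationship marked External whose target is an
             http(s) URL, i.e. the document fetches content from the web.
    Check 2: the ms-msdt: scheme appearing in any part of the package.
    An empty list means neither indicator was seen.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        # Check 1: walk every relationships part in the package
        for name in names:
            if not name.endswith(".rels"):
                continue
            try:
                root = ET.fromstring(z.read(name))
            except ET.ParseError:
                findings.append(f"{name}: unparseable relationships part")
                continue
            for rel in root.iter(f"{RELS_NS}Relationship"):
                target = rel.get("Target", "")
                if (rel.get("Type") == OLE_REL_TYPE
                        and rel.get("TargetMode", "").lower() == "external"
                        and target.lower().startswith(("http://", "https://"))):
                    findings.append(f"{name}: external OLE object -> {target}")
        # Check 2: raw byte search across all parts, XML or not
        for name in names:
            if MSDT_SCHEME.search(z.read(name)):
                findings.append(f"{name}: contains ms-msdt: URI scheme")
    return findings


def build_sample(external_target: str = "", body_text: str = "") -> bytes:
    """Construct a minimal .docx-like package in memory (constructed test data,
    not a real document and not an exploit: it carries no HTML and no code)."""
    rels = ['<?xml version="1.0" encoding="UTF-8" standalone="yes"?>',
            '<Relationships xmlns="http://schemas.openxmlformats.org/'
            'package/2006/relationships">']
    if external_target:
        rels.append(f'<Relationship Id="rId99" Type="{OLE_REL_TYPE}" '
                    f'Target="{external_target}" TargetMode="External"/>')
    rels.append("</Relationships>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", f"<document>{body_text}</document>")
        z.writestr("word/_rels/document.xml.rels", "\n".join(rels))
    return buf.getvalue()


if __name__ == "__main__":
    clean = build_sample()
    suspicious = build_sample("http://example.invalid/page.html", "see ms-msdt: handler")
    print("clean:", scan_docx(clean))
    print("suspicious:", scan_docx(suspicious))
```

Either finding on its own is worth a quarantine and a closer look; a remote-loading OLE object has legitimate uses but is rare in ordinary mail attachments, while the ms-msdt: scheme has no business inside a document at all. For files already on disk, the same function can be fed the contents of each attachment from a mail gateway or a share crawler.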
Chinese hackers used the exploit against members of the Tibetan diaspora. Another attack in May targeted users in Belarus. Earlier this month, Proofpoint blocked a Follina attack targeting European Union and US local governments, which it suspects came from a state actor.
Researchers alerted Microsoft to Follina, now tracked as CVE-2022-30190, in April, but Microsoft initially didn’t consider the exploit a critical security threat. The KB5014699 update’s patch notes don’t mention Follina, but Sophos reports that further tests indicate the bug no longer works after the update is installed.