A zero-day bug called ‘Follina’ is actively exploiting installed versions of Microsoft Office.
The vulnerability has been spotted in the wild being used by Chinese hackers to target the Tibetan community. This flaw is about much more than just politics though.
It affects Office 2013 and 2016, installed versions only. As far as we can tell, Office 365 is not impacted.
The vulnerability was discovered last week by Japanese security company Nao Sec.
It uses the remote Word template feature within the office platform to potentially deliver malware through PowerShell.
The name ‘Follina’ apparently comes from the use of a four digit code within the malware that’s the same as the area code for Follina in Italy.
It works by using a hacked Word template to deliver a payload that uses the “ms-msdt” MSProtocol URL scheme.
This scheme is what is used to run the Microsoft Support Diagnostic Tool. Once instigated, the tool can be made to download an HTML file that can contain multiple types of malware.
As the code uses the Microsoft Support Diagnostic Tool, it is largely undetectable by Microsoft’s Protected View, which is supposed to prevent malware using this vector.
It also circumvents Windows Defender, which isn’t great either.
Microsoft have acknowledged the vulnerability but there is no fix as yet.
They said: “when MSDT is called using the URL protocol from a calling application such as Word.”
“An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights.”
What can Follina malware do?
One annoying feature of Follina is that it can deliver any malware payload to a computer.
Once the Word template has been installed, a file within it contacts a remote server and can download all manner of malware types.
That Chinese incident mentioned at the top downloaded infostealers but in theory, it could be any type of file.
What can you do about Follina?
Right now, you have two options if you’re concerned about the risk. You can stop using Office 2013 or 2016 or disable the ms-msdt function on your computer.
Microsoft is actually recommending the latter until they fix the issue.
Open a command line window as an administrator and type ‘reg delete HKEY_CLASSES_ROOT\ms-msdt /f’. Hit Enter to execute the command.
The command disables the Microsoft Support Diagnostic Tool so the malware cannot load PowerShell to perform its work.
It’s a temporary workaround but one that is thought to be effective against this specific threat.
Otherwise, stop using Office 2013 or 2016 and begin using Office 365 instead! Speak to our team if you’re concerned about your systems and we’ll be happy to help.