The Follina vulnerability in Microsoft Office is still being exploited by criminals a month after a patch that supposedly fixed the problem was released by the company. Microsoft appeared to take further action as part of yesterday’s Patch Tuesday security update, but the vulnerability is likely to continue to be used by hackers, particularly state-sponsored groups.
Follina, a vulnerability in the MSDT protocol tool used by Office, was first uncovered in April, and gives criminals who exploit it the ability to run arbitrary code on an infected system, meaning it can be used to take control of those systems and deliver malware. “An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application,” says a post on Microsoft’s Security Response Center (MSRC). “The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights.”
Microsoft waited two months to take action on Follina, releasing a patch as part of June’s Patch Tuesday. But though this tackles the way criminals can access systems, it does nothing to stop the execution of malicious code within Office. Analyst Kevin Beaumont, who coined the name Follina, said that “by not fixing how MS Protocol loads in Word templates and Outlook, the attack surface remains large meaning this issue will happen again.”
Following this month’s Patch Tuesday, Beaumont took to Twitter to report that updates released by Microsoft appear to be a step in the right direction.
The Follina vulnerability is still being exploited
Regardless of the effectiveness of the patch, the sheer number of Office 365 users creates a problem when combatting Follina. Microsoft’s last quarterly results reported there were 345 million paid commercial users of Office 365.
Bharat Mistry, technical director in the UK and Ireland and Trend Micro, says this alone means it is unlikely all systems are patched against the problem. “The community that uses Microsoft Office is huge, just about everyone uses it,” he says. “How quickly can people even patch?”
Last week, security company Fortinet reported that attackers have been using the Follina flaw to deploy Rozena malware via a link to gaming chat platform Discord. The malware opens a backdoor into infected systems. Ukrainian media organisations have also been targeted by Russian hackers exploiting the vulnerability since the initial patch was released.
Mistry believes the widespread impact of Follina means many other hacking gangs could be trying to exploit it. “I wouldn’t be surprised if state-sponsored groups have been using it to gather information for espionage,” he says.