View all newsletters
Receive our newsletter – data, insights and analysis delivered to you
  1. Technology
  2. Cybersecurity
June 9, 2022updated 10 Jun 2022 3:36pm

When will Microsoft patch the Follina Office 365 vulnerability?

The vulnerability is being exploited by hackers, but Microsoft is apparently not in a hurry to release a patch.

By Claudia Glover

A zero day vulnerability in Microsoft’s Office 365 software is not likely to be patched for at least another week, experts believe. The vulnerability, named Follina, is already being exploited by a host of hacking gangs, including state-sponsored groups and ransomware criminals.

Phone using Microsoft Office 365, which currently features the Follina vulnerability
A vulnerability in Office 365 – Follina – is being exploited by hackers. (Photo Illustration by Rafael Henrique/SOPA Images/LightRocket via Getty Images)

Follina utilises a flaw in the Microsoft Diagnostic Tool (MSDT) to allow hackers to gain access to systems running Office 365 and launch remote code execution (RCE) attacks on those systems.

How is the Follina zero day being exploited?

The vulnerability was spotted last month, and hackers which successfully exploit it are free to access compromised systems “The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights,” says a Microsoft blog on Follina.

The nature of the vulnerability means that malware can be uploaded easily, says Satya Gupta, founder and CTO of security company Virsec. “This vulnerability in MSDT affects not just Word but all Office 365 apps,” he says. “This event once again heavily underscores the power of RCE vulnerabilities as being the most dangerous vulnerabilities. Most enterprises don’t patch for days, weeks and sometimes even for months. This is great news for bad actors because RCEs give attackers a free pass to infiltrate the enterprise’s compute infrastructure.”

Earlier this week, researchers at ProofPoint said they had found evidence that Follina is now being exploited by prolific ransomware affiliate botnet Qbot.  

QBot is currently being used by the Black Basta ransomware group to launch bot-powered attacks, according to security company NCC group. “Qbot was the primary method used by the threat actor to maintain their presence on the [victim’s] network,” its research team said.

Content from our partners
Webinar - Top 3 Ways to Build Security into DevOps
Tech sector is making progress on diversity, but advances must accelerate
How to bolster finance functions and leverage tech to future-proof operational capabilities

ProofPoint said its team also believes Follina is being exploited by state-backed hackers, but has yet to ascertain which country they come from. Allan Liska, intelligence analyst at Recorded Future, says it is likely they are from China. “As with many zero day exploits, this started off being used by what are likely Chinese nation-state actors,” he says. “But as proof of concept code has been released, other cybercriminals have picked up on it and we are now seeing malware like Qbot using it to deliver ransomware and other malicious code.”

Will the Follina Office 365 vulnerability be patched by Microsoft?

Though Microsoft has released some work-arounds for the vulnerability, it has yet to deploy an official patch to combat it. It could do so during patch Tuesday – the monthly event which sees it release a tranche of updates for its systems – which takes place next week, but an Microsoft spokesman declined to say whether a patch will be forthcoming when questioned by Ars Technica on Monday.

If it doesn’t, Liska says the implications could be disastrous. “The number of samples discovered in the wild is relatively small, especially given the ease of exploitation and the readiness of exploit code,” he says. “But that won’t last. More and more cybercriminals will add this to their arsenal and exploitation reports will continue to rise. Hopefully, Microsoft does include a patch next Tuesday and we can see infections start to die off.” 

Read more: Windows Autopatch could spell the end for Patch Tuesday

Topics in this article: ,
Websites in our network
NEWSLETTER Sign up Tick the boxes of the newsletters you would like to receive. Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
I consent to New Statesman Media Group collecting my details provided via this form in accordance with the Privacy Policy
SUBSCRIBED

THANK YOU