Zero-day exploit ‘Follina’ makes older Microsoft Office Versions vulnerable

The Follina Vulnerability

Attackers are able to execute malicious code on targeted devices thanks to a zero-day vulnerability in the remote Word template that exists in Microsoft Office.

Follina Vulnerability

The Japanese security company Nao Sec is the one who issued the alert by tweeting about the zero-day vulnerability over the weekend. According to reports, the malicious software downloads itself from distant sites and evades detection by Microsoft’s Defender anti-virus scanner.

The Follina Exploit

Kevin Beaumont, a renowned security researcher, discovered the flaw and gave it the name “Follina”. He said that the zero-day code makes a reference to the 0438 area code of Follina, which is located in Italy. According to Beaumont, the vulnerability makes use of the remote template capability in Microsoft Word and does not rely on the normal macro-based exploit vector that is common inside Office-based attacks.

Follina Exploit 1024x405
The Follina exploit

A real example of the problem was reportedly discovered in a Word document template, and it leads to an internet protocol (IP) address located in the Republic of Belarus.

It is not known whether the zero-day flaw has been actively exploited by malicious parties. There are rumors, which have not been verified, that proof-of-concept code already exists and that more current versions of Microsoft Office are susceptible to attack. In the meantime, security experts have said that users may decrease the risk of being attacked by following the Microsoft Attack Surface Reduction measures rather than installing a patch.

Researchers from Nao Sec say that the malicious template loads an exploit from a remote site using a hypertext markup language (HTML) file. This is the path that leads to infection. The MSProtocol URI scheme known as “ms-msdt” is used by the HTML in order to load and run a portion of PowerShell code.

According to Beaumont’s findings, the vulnerability enables the code to execute via Microsoft Support Diagnostic Tool “even if macros are deactivated”. MSDT is a program that collects reports and information that is then sent to Microsoft Support. The information that has been obtained is then analyzed by this troubleshooting wizard and can be used to discover a solution to the issues that the user is having.

It was confirmed by Beaumont that the vulnerability is now impacting older versions of Microsoft Office 2013 and 2016, as well as the “missed execution” of malware on endpoint detection systems.

Didier Stevens, another security researcher, said that he exploited the Follina problem on a version of Office 2021 that had all of its patches installed.

Users of Microsoft who own E5 licenses have the ability to identify the vulnerability by attaching the endpoint query to Defender. In addition, Warren recommends making use of the Attack Surface Reduction (ASR) rules in order to prevent office programs from spawning child processes.


About the author


Lidia Howler

Lidia is a web content creator with years of experience in the cyber-security sector. She helps readers with articles on malware removal and online security. Her strive for simplicity and well-researched information provides users with easy-to-follow It-related tips and step-by-step tutorials.

Leave a Comment