{"id":19252,"date":"2022-06-04T10:45:07","date_gmt":"2022-06-04T18:45:07","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2022\/06\/04\/news-12985\/"},"modified":"2022-06-04T10:45:07","modified_gmt":"2022-06-04T18:45:07","slug":"news-12985","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2022\/06\/04\/news-12985\/","title":{"rendered":"An Actively Exploited Microsoft Zero-Day Flaw Still Has No Patch"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/media.wired.com\/photos\/629807ff0b696b70815a79d8\/master\/pass\/Microsoft-Zero-Day-Vulnerability-Security-GettyImages-1289940352.jpg\"\/><\/p>\n<p><strong>Credit to Author: Lily Hay Newman | Date: Fri, 03 Jun 2022 14:14:30 +0000<\/strong><\/p>\n<p>Researchers warned last weekend that a flaw in Microsoft&#x27;s Support Diagnostic Tool could be exploited using malicious Word documents to remotely take control of target devices. 
Microsoft <a href=\"https:\/\/msrc-blog.microsoft.com\/2022\/05\/30\/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability\/\" rel=\"nofollow noopener\" target=\"_blank\">released guidance<\/a> on Monday for the flaw, tracked as CVE-2022-30190, including temporary defensive measures. By Tuesday, the United States Cybersecurity and Infrastructure Security Agency had <a href=\"http:\/\/www.cisa.gov\/uscert\/ncas\/current-activity\/2022\/05\/31\/microsoft-releases-workaround-guidance-msdt-follina-vulnerability\" rel=\"nofollow noopener\" target=\"_blank\">warned<\/a> that \u201ca remote, unauthenticated attacker could exploit this vulnerability,\u201d known as Follina, \u201cto take control of an affected system.\u201d But Microsoft would not say when or whether a patch is coming for the vulnerability, even though the company acknowledged that the flaw was being actively exploited by attackers in the wild. And the company still had no comment about the possibility of a patch when asked by WIRED yesterday.<\/p>\n<p class=\"paywall\">The Follina vulnerability in a Windows support tool can be easily exploited by a specially crafted Word document. 
The lure is outfitted with a remote template that retrieves a malicious HTML file; that HTML invokes the tool&#x27;s ms-msdt: URL protocol handler and ultimately allows an attacker to execute <a href=\"https:\/\/www.wired.com\/story\/microsoft-powershell-security\/\">PowerShell commands<\/a> within Windows. Researchers note that they would describe the bug as a \u201czero-day,\u201d or previously unknown vulnerability, but Microsoft has not classified it as such.<\/p>\n<p class=\"paywall\">\u201cAfter public knowledge of the exploit grew, we began seeing an immediate response from a variety of attackers beginning to use it,\u201d says Tom Hegel, senior threat researcher at security firm SentinelOne. He adds that while attackers have primarily been observed exploiting the flaw through malicious documents thus far, researchers have discovered other methods as well, including the manipulation of HTML content in network traffic.<\/p>\n<p class=\"paywall\">\u201cWhile the malicious document approach is highly concerning, the less documented methods by which the exploit can be triggered are troubling until patched,\u201d Hegel says. \u201cI would expect opportunistic and targeted threat actors to use this vulnerability in a variety of ways when the option is available\u2014it\u2019s just too easy.\u201d<\/p>\n<p class=\"paywall\">The vulnerability is present in all supported versions of Windows and can be exploited through Microsoft Office 365, Office 2013 through 2019, Office 2021, and Office ProPlus. 
Microsoft&#x27;s main proposed mitigation is to disable the tool&#x27;s ms-msdt: URL protocol handler by deleting its registry key (HKEY_CLASSES_ROOT\\ms-msdt) after exporting a backup of it, and to use Microsoft Defender Antivirus to monitor for and block exploitation.<\/p>\n<p class=\"paywall\">But incident responders say that more action is needed, given how easy it is to exploit the vulnerability and how much malicious activity is being detected.<\/p>\n<p class=\"paywall\">\u201cWe are seeing a variety of APT actors incorporate this technique into longer infection chains that utilize the Follina vulnerability,\u201d says Michael Raggi, a staff threat researcher at the security firm Proofpoint who focuses on Chinese government-backed hackers. \u201cFor instance, on May 30, 2022, we observed Chinese APT actor TA413 send a malicious URL in an email which impersonated the Central Tibetan Administration. Different actors are slotting in the Follina-related files at different stages of their infection chain, depending on their preexisting toolkit and deployed tactics.\u201d<\/p>\n<p class=\"paywall\">Researchers have also <a href=\"https:\/\/twitter.com\/BaoshengbinCumt\/status\/1531821860744478720?s=20&amp;t=aSVAKp58x0sTdSoclpLJEw\" rel=\"nofollow noopener\" target=\"_blank\">seen<\/a> malicious documents <a href=\"https:\/\/twitter.com\/nao_sec\/status\/1530196847679401984\" rel=\"nofollow noopener\" target=\"_blank\">exploiting<\/a> Follina with targets in Russia, India, the Philippines, Belarus, and Nepal. An undergraduate researcher first <a href=\"https:\/\/benjamin-altpeter.de\/doc\/thesis-electron.pdf\" rel=\"nofollow noopener\" target=\"_blank\">noticed the flaw in August 2020<\/a>, but it was not reported to Microsoft until April 21. Researchers also noted that Follina attacks are particularly useful to attackers because they can be launched from malicious documents without relying on macros, the much-abused Office document feature that Microsoft has <a href=\"https:\/\/www.wired.com\/story\/microsoft-disables-macros-default-security-phishing\/\">worked to rein in<\/a>.<\/p>\n<p class=\"paywall\">\u201cProofpoint has identified a variety of actors incorporating the Follina vulnerability within phishing campaigns,\u201d says Sherrod DeGrippo, Proofpoint&#x27;s vice president of threat research.<\/p>\n<p class=\"paywall\">With all this real-world exploitation, the question is whether the guidance Microsoft has published so far is adequate and proportionate to the risk.<\/p>\n<p class=\"paywall\">\u201cSecurity teams could view Microsoft\u2019s nonchalant approach as a sign that this is \u2018just another vulnerability,\u2019 which it most certainly is not,\u201d says Jake Williams, director of cyber threat intelligence at the security firm Scythe. 
\u201cIt\u2019s not clear why Microsoft continues to downplay this vulnerability, especially while it\u2019s being actively exploited in the wild.\u201d<\/p>\n<p><a href=\"https:\/\/www.wired.com\/story\/microsoft-follina-vulnerability-windows-office-365\" target=\"bwo\" >https:\/\/www.wired.com\/category\/security\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/media.wired.com\/photos\/629807ff0b696b70815a79d8\/master\/pass\/Microsoft-Zero-Day-Vulnerability-Security-GettyImages-1289940352.jpg\"\/><\/p>\n<p><strong>Credit to Author: Lily Hay Newman| Date: Fri, 03 Jun 2022 14:14:30 +0000<\/strong><\/p>\n<p>The company continues to downplay the severity of the Follina vulnerability, which remains present in all supported versions of Windows.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10378,10607],"tags":[714,21358],"class_list":["post-19252","post","type-post","status-publish","format-standard","hentry","category-security","category-wired","tag-security","tag-security-cyberattacks-and-hacks"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/19252","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=19252"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/19252\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\
/index.php\/wp-json\/wp\/v2\/media?parent=19252"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=19252"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=19252"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}