Zero-Day ‘Follina’ Bug Lays Older Microsoft Office Versions Open to Attack. Malware loads itself from remote servers and bypasses Microsoft’s Defender AV scanner, according to reports.
Some comments online showed a possible workaround until a patch is released. Remove the protocol handler for ms-msdt (reg key delete)
Threatpost doesn’t seem to report any patches yet?
There are MS Defender Endpoint policies to block child processes being spawned. But yea, this was seen in the wild, not disclosed, so no patches yet.
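The two mitigations mentioned in the comments above (deleting the ms-msdt protocol handler key, and using a Defender Endpoint policy to stop Office from spawning child processes) as an added example in PowerShell, not code posted by anyone in the thread. It assumes an elevated session on a Windows host with Microsoft Defender Antivirus, a backup path of its own choosing under `$env:TEMP`, and the Defender attack surface reduction rule "Block all Office applications from creating child processes"; the registry export makes the handler removal reversible.

```powershell
# Added example (not from the thread): apply and verify two Follina mitigations.
# Run from an elevated PowerShell session. Everything here is reversible:
# the handler is exported to a .reg file before deletion, and the ASR rule can be
# set back to Disabled with Set-MpPreference.

# 1. Back up and remove the ms-msdt protocol handler so a crafted document can no
#    longer hand a URL to msdt.exe through this handler.
$handlerKey = 'HKEY_CLASSES_ROOT\ms-msdt'
$backupFile = Join-Path $env:TEMP 'ms-msdt-backup.reg'   # assumed backup location

if (Test-Path "Registry::$handlerKey") {
    reg.exe export $handlerKey $backupFile /y | Out-Null
    reg.exe delete $handlerKey /f | Out-Null
    Write-Host "Removed $handlerKey (backup written to $backupFile)"
} else {
    Write-Host "$handlerKey is already absent"
}

# 2. Turn on the Defender ASR rule that blocks Office applications from creating
#    child processes (this is the GUID Microsoft assigns to that rule).
$asrOfficeChildProcs = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'
Add-MpPreference -AttackSurfaceReductionRules_Ids $asrOfficeChildProcs `
                 -AttackSurfaceReductionRules_Actions Enabled

# 3. Report the resulting state so the change can be checked on each host.
function Get-FollinaMitigationState {
    $prefs  = Get-MpPreference
    $idx    = [array]::IndexOf([string[]]$prefs.AttackSurfaceReductionRules_Ids, $asrOfficeChildProcs)
    # Action value 1 means "Block" in the Get-MpPreference output.
    $blocked = ($idx -ge 0) -and ($prefs.AttackSurfaceReductionRules_Actions[$idx] -eq 1)

    [pscustomobject]@{
        MsMsdtHandlerPresent   = Test-Path "Registry::$handlerKey"
        OfficeChildProcsBlocked = $blocked
        HandlerBackupFile      = $backupFile
    }
}

Get-FollinaMitigationState | Format-List
```

To undo the handler removal later, import the backup with `reg.exe import $backupFile`; to test the ASR rule without blocking anything first, pass `AuditMode` instead of `Enabled` and review the Defender event log before switching to block.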
Already observed in potential APT attacks in Belarus, and an RTF version can exploit a system by previewing the document in Explorer.
But yea, this was seen in the wild, not disclosed, so no patches yet
I read MS were made aware of this in April and deemed it not a security exploit
That’s right. Between this and coming to the same conclusion about the NTLM relay attack, only to issue fixes after APT groups exploited it, they really need to sit down and work through a new policy for what they consider a security issue.
Will this affect Microsoft 365 users who install the Office apps through Business subscriptions?
Yes, Insider and Current (not the semi-annual channel, but the newest builds) appear safe from the DOCX version; the RTF version works against all of them: Follina — a Microsoft Office code execution vulnerability | by Kevin Beaumont | May, 2022 | DoublePulsar
Damn, thanks for the insight.
Wow this is huge.