Microsoft has released a patch for a Windows vulnerability that is being actively exploited by hackers. Users on systems running Windows 7 and above have been advised to update their computers as soon as possible.
The security flaw — Follina (CVE-2022-30190) — lets hackers hijack computers through programmes such as Microsoft Word. An infected document enables attackers to execute PowerShell commands via the Microsoft Support Diagnostic Tool (MSDT). Researchers suggest that the Follina zero-day vulnerability affects Microsoft Office 2013 and later versions.
Security researchers have known of the threat since May, but Microsoft dismissed their initial findings, reports said.
Microsoft Office provides macros, sets of instructions and commands that let users automate a task. The vulnerability, however, enabled attackers to achieve similar automation without macros.
In an attack documented by Proofpoint, a security company, Chinese government-backed hackers sent malicious Word files to recipients in Tibet. When opened, the documents used the Follina exploit to take over the Microsoft Support Diagnostic Tool and executed commands to install programs, create new accounts, and access, change, or delete data stored on the computer.
The exploit was also used in phishing campaigns targeting government agencies in the United States and Europe.
Nao_sec, a Tokyo-based cybersecurity research organisation, had also disclosed the vulnerability on Twitter. Security researcher Kevin Beaumont, after examining the Nao_sec research, wrote in his blog: “The document uses the Word remote template feature to retrieve a HTML file from a remote Web server, which in turn uses the ms-msdt MSProtocol URI scheme to load some code and execute some PowerShell.”
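The first stage Beaumont describes, a document that retrieves content from a remote server, leaves a trace in the file's relationship parts. The following Python check is an added example, not code from the article or from Microsoft; it lists relationships that point outside the file, and the set of auto-loaded relationship kinds, the function names and the sample data are assumptions made for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET  # for untrusted files in production, prefer defusedxml

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
# Assumption: relationship kinds Word loads without a click; hyperlinks are excluded.
AUTO_LOADED = {"attachedTemplate", "oleObject"}
MAX_RELS_SIZE = 1_000_000  # skip oversized parts rather than parse them


def remote_auto_loads(docx_bytes):
    """Return (part, kind, target) for auto-loaded relationships that point outside the file."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for info in zf.infolist():
            if not info.filename.endswith(".rels") or info.file_size > MAX_RELS_SIZE:
                continue
            root = ET.fromstring(zf.read(info))
            for rel in root.iter("{%s}Relationship" % REL_NS):
                kind = rel.get("Type", "").rsplit("/", 1)[-1]
                if rel.get("TargetMode") == "External" and kind in AUTO_LOADED:
                    findings.append((info.filename, kind, rel.get("Target", "")))
    return findings


def build_sample(rels_by_part):
    """Constructed test input: a ZIP holding only .rels parts, not a full document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for part, rels in rels_by_part.items():
            body = "".join(
                '<Relationship Id="rId%d" Type="%s%s" Target="%s"%s/>'
                % (i, OFFICE_REL, kind, target, ' TargetMode="External"' if ext else "")
                for i, (kind, target, ext) in enumerate(rels, 1))
            zf.writestr(part, '<Relationships xmlns="%s">%s</Relationships>' % (REL_NS, body))
    return buf.getvalue()


# Constructed samples; example.invalid is a placeholder host.
SUSPECT = build_sample({"word/_rels/settings.xml.rels": [
    ("attachedTemplate", "https://example.invalid/placeholder.html", True)]})
BENIGN = build_sample({"word/_rels/document.xml.rels": [
    ("styles", "styles.xml", False),
    ("hyperlink", "https://example.invalid/page", True)]})

if __name__ == "__main__":
    for label, data in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(label, remote_auto_loads(data))
```

A finding is a lead for review rather than proof of compromise, since some organisations legitimately attach templates hosted on internal servers.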
In its original warning, Microsoft offered workarounds to protect against the vulnerability. However, the update — KB5014699 for Windows 10 and KB5014697 for Windows 11 — will eliminate the need for them.
“Microsoft strongly recommends that customers install the updates to be fully protected from the vulnerability,” Microsoft said.
“Customers whose systems are configured to receive automatic updates do not need to take any further action.”