Follina Vulnerability – What is it?

June 5, 2022

Microsoft disclosed a Remote Code Execution (RCE) flaw in the Microsoft Support Diagnostic Tool (MSDT), which allows an attacker to exploit “Follina” by sending a URL to a vulnerable workstation. Successful exploitation allows the hacker to install software, read or alter data, and create new accounts using the user rights of the victim.

The Follina vulnerability is dangerous due to its ease of exploitation and execution: all that is necessary to exploit it is an Office or RTF file containing a hyperlink to a site that distributes the viral payload.

Office documents are currently only one of the numerous available entry points. It is possible to open a malicious document using the Windows Diagnostic Engine after loading an HTML file with web scripting commands such as Wget or Curl.

Returning to the infected document (which affects a bigger audience), the operation is quite ingenious. Either when the file is opened or when Windows Explorer previews it, the virus load included in the file is executed.

According to Microsoft, this vulnerability has been exploited in the wild and might allow an unauthenticated, remote attacker to take control of a susceptible system. The proof-of-concept code for the Follina vulnerability is available online and is incorporated into typical exploitation frameworks and tools.

Microsoft has stated that Protected View will protect users from these attacks, despite the fact that no remedy has been offered. Researchers observed that Protected View is overcome if the hacker provides the vulnerability as an RTF file and the preview of the file is seen in Explorer.

Microsoft and the cybersecurity community have devised workarounds and mitigation strategies despite the absence of official upgrades. Although security companies have enhanced their solutions to detect attacks, additional exploitation attempts are expected as more vulnerability information and proof-of-concept exploits become widely known.

The exploit is compatible with Office Pro Plus, Office 2013, Office 2016, Office 2019, and Office 2021, but there is evidence that Microsoft was working on a solution prior to its release. Numerous files that exploit the Follina Vulnerability have been discovered in the wild. Exploitation appears to have begun in April, with users in India and Russia being targeted by extortion and interview requests.

Users should consistently observe the following:

1. Never open a file sent by an unknown sender.

2. Unless absolutely necessary, do not disable protected mode for documents downloaded from the internet or via email.

3. Do not open.rtf files downloaded from the internet, not even in preview mode.

Sign up for CISSP Training immediately.

Call +1 416-471-4545,

Email: info@cybercert.ca

Sam Fareed

Lead Instructor qualified in CISSP, CCIE, and MCT with 25 years of training experience in Toronto.