This Active Microsoft Zero-Day Vulnerability Still doesn’t have a Patch
A flaw in Microsoft’s Support Diagnostic Tool could be exploited using malicious Word documents to take over a user’s device. The United States Cybersecurity and Infrastructure Security Agency released a warning that “a remote, unauthenticated attacker could exploit this vulnerability, to take control of an affected system.” The vulnerability – known as “Follina” – does not yet have a patch. Microsoft would not say whether a patch was coming, but it did acknowledge that the flaw was being actively exploited by attackers in the wild.
The Follina vulnerability in a Windows support tool can be exploited by a specially crafted Word document. A remote template can retrieve a malicious HTML file, which allows an attacker to execute PowerShell commands within Windows. Researchers are calling this a “zero-day”, that is, a previously unknown vulnerability, but Microsoft itself has not classified it as such.
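The delivery mechanism described above relies on a Word document whose attached template (or another embedded part) points at an external URL rather than a local file. The following PowerShell scanner is an added example, not code from the WIRED story or from any vendor; it assumes only the standard Office Open XML layout, in which such references live in the `.rels` parts under `word/_rels/` with `TargetMode="External"`. Ordinary hyperlinks also use external targets, so the scanner skips the `hyperlink` relationship type and reports everything else with an http or https target for analyst review.

```powershell
# Added example: list external (http/https) relationships inside .docx files,
# the way a remote template reference is expressed in Office Open XML.
# Assumptions: files are well-formed .docx zips; relationship parts live under
# word/_rels/*.rels. Hyperlink relationships are skipped to reduce noise.
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Get-ExternalPartReferences {
    param([Parameter(Mandatory)][string]$Path)

    $findings = @()
    $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
    try {
        foreach ($entry in $zip.Entries) {
            if ($entry.FullName -notlike 'word/_rels/*.rels') { continue }

            $reader = New-Object System.IO.StreamReader($entry.Open())
            try { [xml]$rels = $reader.ReadToEnd() } finally { $reader.Dispose() }

            foreach ($rel in $rels.Relationships.Relationship) {
                $relType = ($rel.Type -split '/')[-1]          # e.g. attachedTemplate, oleObject
                if ($relType -eq 'hyperlink') { continue }     # normal links are expected
                if ($rel.TargetMode -eq 'External' -and $rel.Target -match '^https?://') {
                    $findings += [pscustomobject]@{
                        File   = $Path
                        Part   = $entry.FullName
                        Type   = $relType
                        Target = $rel.Target
                    }
                }
            }
        }
    } finally {
        $zip.Dispose()
    }
    return $findings
}

# Usage: scan a quarantine folder (constructed path) and show anything that
# pulls content from the network; an attachedTemplate entry with a remote
# Target is exactly the pattern the story describes.
Get-ChildItem -Path 'C:\Quarantine' -Filter *.docx -Recurse |
    ForEach-Object { Get-ExternalPartReferences -Path $_.FullName } |
    Format-Table -AutoSize
```

A hit is not proof of malice on its own (legitimate templates can be hosted on an intranet), but any external template target in mail-borne documents deserves a look, and the `Target` column gives the URL to check against proxy and DNS logs.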
“After public knowledge of the exploit grew, we began seeing an immediate response from a variety of attackers beginning to use it,” says Tom Hegel, senior threat researcher at security firm SentinelOne. He also noted that while attackers have so far been observed exploiting the flaw primarily through malicious documents, researchers have found other ways to trigger it, including manipulating the HTML content in network traffic.
“While the malicious document approach is highly concerning, the less documented methods by which the exploit can be triggered are troubling until patched,” Hegel says. “I would expect opportunistic and targeted threat actors to use this vulnerability in a variety of ways when the option is available – it’s just too easy.”
The Follina vulnerability is present in all supported versions of Windows and can be exploited through Microsoft Office 365, Office 2013 through 2019, Office 2021, and Office ProPlus. As of right now, Microsoft’s recommendations to mitigate this threat are to disable a specific protocol within the Support Diagnostic Tool and to use Microsoft Defender Antivirus to monitor for and block exploitation.
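The story summarizes Microsoft’s interim advice as disabling a protocol in the Support Diagnostic Tool without naming it. The PowerShell below is an added example, not Microsoft’s own script; it assumes that the protocol in question is the `ms-msdt:` URL handler, registered under `HKEY_CLASSES_ROOT\ms-msdt`, and it takes a registry backup before removing the key so the handler can be restored once a patch is available. The backup path is a constructed default.

```powershell
# Added example: audit, disable and restore the ms-msdt: URL protocol handler.
# Assumption: the handler is registered at HKEY_CLASSES_ROOT\ms-msdt.
# Run from an elevated PowerShell session; reg.exe is used for export/import
# so the backup is a standard .reg file.

$script:MsdtKey     = 'HKEY_CLASSES_ROOT\ms-msdt'
$script:MsdtKeyPath = "Registry::$script:MsdtKey"

function Test-MsdtProtocolHandler {
    # Audit: returns $true while the handler is still registered on this host.
    return [bool](Test-Path $script:MsdtKeyPath)
}

function Disable-MsdtProtocolHandler {
    param([string]$BackupPath = "$env:ProgramData\ms-msdt-backup.reg")  # constructed default

    if (-not (Test-MsdtProtocolHandler)) {
        Write-Output 'ms-msdt handler not present; nothing to do.'
        return $true
    }

    # Export first; refuse to delete if the backup did not succeed.
    & reg.exe export $script:MsdtKey $BackupPath /y | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "Backup to $BackupPath failed; handler left in place."
    }

    & reg.exe delete $script:MsdtKey /f | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw 'Failed to remove the ms-msdt key.'
    }

    Write-Output "ms-msdt handler removed; backup written to $BackupPath"
    return -not (Test-MsdtProtocolHandler)
}

function Restore-MsdtProtocolHandler {
    # Re-register the handler from the earlier backup, e.g. after patching.
    param([string]$BackupPath = "$env:ProgramData\ms-msdt-backup.reg")

    if (-not (Test-Path $BackupPath)) { throw "No backup found at $BackupPath" }
    & reg.exe import $BackupPath | Out-Null
    return ($LASTEXITCODE -eq 0) -and (Test-MsdtProtocolHandler)
}

# Usage:
#   Test-MsdtProtocolHandler        # $true means the host is still exposed
#   Disable-MsdtProtocolHandler     # back up, then remove the handler
#   Restore-MsdtProtocolHandler     # put it back once a fix is installed
```

`Test-MsdtProtocolHandler` is the piece worth pushing out through whatever fleet tooling is in place: it turns the advice into a yes/no compliance check per host, and the backup file keeps the change reversible.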
Researchers say that much more is needed to stop this vulnerability though, given how easy it has been to exploit and how much malicious activity is being detected.
“We are seeing a variety of APT actors incorporate this technique into longer infection chains that utilize the Follina vulnerability,” says Michael Raggi, a staff threat researcher at the security firm Proofpoint. “For instance, on May 30, 2022, we observed Chinese APT actor TA413 send a malicious URL in an email which impersonated the Central Tibetan Administration. Different actors are slotting in the Follina-related files at different stages of their infection chain, depending on their preexisting toolkit and deployed tactics.”
Researchers have also seen Follina being exploited against targets in Russia, India, the Philippines, Belarus and Nepal. Researchers also noted that Follina attacks are useful to attackers because they can originate from a malicious document without having to rely on macros.
“Proofpoint has identified a variety of actors incorporating the Follina vulnerability within phishing campaigns,” says Sherrod DeGrippo, Proofpoint’s vice president of threat research.
So, is the guidance that Microsoft proposed to defend against Follina enough?
“Security teams could view Microsoft’s nonchalant approach as a sign that this is ‘just another vulnerability,’ which it most certainly is not,” says Jake Williams, director of cyber threat intelligence at the security firm Scythe. “It’s not clear why Microsoft continue to downplay this vulnerability, especially while it’s being actively exploited in the wild.”
Story via WIRED