[UPDATE] Microsoft Releases Patch for ‘Follina’ Vulnerability

As we previously reported, a flaw in Microsoft’s Support Diagnostic Tool could be exploited using malicious Word documents to take over a user’s device. This vulnerability, labeled “Follina”, was being exploited with no fix in sight. Microsoft originally did not announce whether or not a patch was coming, but did acknowledge that the flaw was being exploited by attackers in the wild.

Since the news about Follina broke, Microsoft has addressed the vulnerability, releasing a fix for the Windows zero-day alongside fixes for 55 other flaws.

Follina was exploited by means of a specially crafted Word document that downloaded and loaded a malicious HTML file through Word’s remote template feature. The HTML file in turn allowed the attacker to load and execute PowerShell code on Windows.

“An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application,” Microsoft said in an advisory. “The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights.”

A crucial aspect of Follina is that exploitation does not rely on macros, so the attack triggers even when macros are disabled.
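Because the delivery relied on Word’s remote template feature rather than macros, a defender’s triage check is to look at where a document’s attached template comes from. The following is an added example, not code from the article or from Microsoft: it opens a .docx as the ZIP archive it is and inspects the attached-template relationship in word/_rels/settings.xml.rels for an external URL target; the sample archive it builds is constructed test data, not a real document.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from typing import List, Optional

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)


def external_templates(docx_bytes: bytes) -> List[str]:
    """Return the attachedTemplate targets a .docx declares with TargetMode="External".

    A normal template reference is a local file path; a document that pulls its
    template from a URL is the pattern described for Follina's delivery stage.
    """
    found: List[str] = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if "word/_rels/settings.xml.rels" not in z.namelist():
            return found  # no attached template declared at all
        root = ET.fromstring(z.read("word/_rels/settings.xml.rels"))
        for rel in root.iter(f"{{{REL_NS}}}Relationship"):
            if rel.get("Type") == ATTACHED_TEMPLATE and rel.get("TargetMode") == "External":
                found.append(rel.get("Target", ""))
    return found


def is_suspicious(docx_bytes: bytes) -> bool:
    """Flag a document whose attached template is fetched over the network."""
    return any(re.match(r"^(https?|ftp)://", t, re.I) for t in external_templates(docx_bytes))


def build_sample(template_target: Optional[str]) -> bytes:
    """Construct a minimal .docx-style archive for testing (constructed data, not a real file)."""
    rels = f'<?xml version="1.0" encoding="UTF-8"?><Relationships xmlns="{REL_NS}">'
    if template_target:
        rels += (f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
                 f'Target="{template_target}" TargetMode="External"/>')
    rels += "</Relationships>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    print(is_suspicious(build_sample("http://template.example/remote.html")))  # True
    print(is_suspicious(build_sample(None)))  # False
```

The check only covers the remote-template delivery step the article describes; it says nothing about what the fetched HTML does, so treat a hit as a reason to quarantine and inspect, not as proof of compromise.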

Story via The Hacker News