We are now well into week two of a significant vulnerability in all versions of Microsoft Office which allows attackers to use the preview function of Office apps to execute malicious code on Windows PCs. Though Microsoft finally admitted to it being a problem in their CVE posting last Tuesday after knowing about it since early April, they have yet to actually issue any updates to fix the problem. For the moment, we still have only one way to mitigate this problem: manually removing Office’s ability to use the app that contains the vulnerability.
What this means for you
What’s unnerving about this lack of urgency on Microsoft’s part is that this vulnerability – dubbed Follina – isn’t obscure or hard to exploit. It’s in the wild now, as reported and cross-confirmed by several security firms, including Proofpoint (whose services we use to protect our clients). At the moment, it’s not clear when (or if!) Microsoft will address this weakness.

The danger of Follina is in its ability to be exploited covertly to exfiltrate data. Microsoft Office is pretty much a fixture of every business and government entity on the planet, and the fix is not something your average office worker is going to be able to apply, nor confirm that it is in fact effective. Typical virus protection may not detect an attacker exploiting Follina, as the attackers can use existing apps and protocols built into Windows to do their exfiltration. Once they have a better understanding of what access and data their compromised machine contains, they can focus their efforts on establishing additional footholds from within, whether in an attempt to ransomware a company, exfiltrate valuable information, or undermine a governmental organization.

For now, all we can do is hope that Microsoft realizes how bad of a problem they have on their hands and actually issues a fix. In the meantime, you can contact C2 to make sure the interim fix gets applied to your Windows workstations and that your critical data is backed up in the event you are attacked.