Exploitation of Microsoft Office vulnerability: Follina

The ACSC is aware of active exploitation of the “Follina” zero-day vulnerability in the Microsoft Support Diagnostic Tool (CVE-2022-30190). Affected Australian organisations should take appropriate action.

Alert status
CRITICAL

Background / What has happened?

On 31 May 2022, Microsoft disclosed a remote code execution (RCE) vulnerability in the Microsoft Support Diagnostic Tool (MSDT). This vulnerability, dubbed “Follina”, can be exploited by an attacker sending a URL to a vulnerable machine. Successful exploitation allows an attacker to install programs, view or change data, or create new accounts in line with the victim’s user permissions.

The ACSC is aware of active exploitation of the Follina vulnerability targeting Australian organisations.

Proof of Concept code to exploit the Follina vulnerability is available online and has been integrated into common exploitation frameworks and tools. Disabling Microsoft Office Macros does not prevent exploitation of this vulnerability.

Mitigation / How do I stay secure?

A patch is not currently available. Australian organisations that use Microsoft Office products should review their system configurations and follow Microsoft’s guidance on implementing a workaround until a patch is available.

The ACSC also recommends:

Microsoft Office users should continue to monitor Microsoft’s website for updates and future vulnerabilities.
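As an added example (not part of the ACSC alert), the following PowerShell script reports whether the ms-msdt: URL protocol handler is registered on a host and, on request, applies Microsoft's published workaround of backing up and removing that handler. The registry key path, the command-line layout under it and the backup location are assumptions taken from Microsoft's CVE-2022-30190 guidance, not from this page.

```powershell
# Added example, not ACSC or Microsoft code. Requires an elevated session.
# The key HKEY_CLASSES_ROOT\ms-msdt is the handler named in Microsoft's
# published workaround for CVE-2022-30190 (assumption: not stated on this page).

function Get-MsdtProtocolState {
    $keyPath = 'Registry::HKEY_CLASSES_ROOT\ms-msdt'
    $present = Test-Path -Path $keyPath
    $command = $null
    if ($present) {
        # The (Default) value of shell\open\command is what runs for ms-msdt: links
        $cmdKey = Join-Path -Path $keyPath -ChildPath 'shell\open\command'
        if (Test-Path -Path $cmdKey) {
            $command = (Get-ItemProperty -Path $cmdKey -ErrorAction SilentlyContinue).'(default)'
        }
    }
    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        HandlerPresent = $present
        HandlerCommand = $command
        Checked        = (Get-Date).ToString('o')
    }
}

function Disable-MsdtProtocol {
    # Backup path is an assumed default; choose a location your change process records
    param([string]$BackupPath = "$env:ProgramData\ms-msdt-backup.reg")

    $state = Get-MsdtProtocolState
    if (-not $state.HandlerPresent) {
        Write-Output 'ms-msdt handler is not registered; nothing to do.'
        return
    }
    # Export first so the handler can be restored with 'reg import' once a patch is applied
    & reg.exe export 'HKCR\ms-msdt' $BackupPath /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'Backup failed; handler left in place.' }

    & reg.exe delete 'HKCR\ms-msdt' /f | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'Delete failed; confirm the session is elevated.' }
    Write-Output "ms-msdt handler removed; backup written to $BackupPath"
}

# Report only; run Disable-MsdtProtocol separately once the change is approved
Get-MsdtProtocolState | Format-List
```

Run the report across a fleet first to see which hosts still register the handler, then apply the removal through your normal change process and keep the exported .reg file for restoration after patching.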

Assistance / Where can I go for help?

The ACSC is monitoring the situation and is able to provide assistance and advice as required. Organisations that have been impacted or require assistance can contact the ACSC via 1300 CYBER1 (1300 292 371).

Source: https://www.cyber.gov.au/acsc/view-all-content/alerts/exploitation-microsoft-office-vulnerability-follina
