Microsoft Office zero-day vulnerability can be used to attack your PC — what to do now
New zero-day uses weaponized Word files to execute code remotely
A new zero-day vulnerability has been discovered in Microsoft Office that can be exploited by cybercriminals to distribute malware and other viruses on Windows PCs.
The bug was discovered by cybersecurity expert Kevin Beaumont and has since been given the name “Follina” It’s now being tracked as CVE-2022-30190 and Microsoft describes it as a Microsoft Windows Support Diagnostic Tool (MSDT) remote code execution vulnerability according to BleepingComputer.
Follina is particularly concerning, as this zero-day vulnerability affects all versions of Windows that are still receiving security updates. In a recent blog post, the Microsoft Security Response Center provided further details on the bug and how it can be used to attack systems running Windows 7 all the way up to Windows 11, saying:
“A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word. An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights.”
Exploiting Follina using weaponized Word documents
As with any new zero-day, Follina is already being exploited in the wild and security researchers from Proofpoint have discovered that the Chinese state-sponsored threat actor TA413 has been using the vulnerability to target the international Tibetan community.
In a tweet, the company’s researchers explained that TA413 is using malicious URLs to deliver ZIP files that contain weaponized Word documents that exploit Follina. At the same time, MalwareHunterTeam also found Word files with Chinese filenames that are currently being used to install infostealers.
It’s worth noting that attacks exploiting Follina were spotted over a month ago when sextortion threats and invitations to do an interview with Sputnik radio were both used as lures according to BleepingComputer.
Sign up to get the BEST of Tom's Guide direct to your inbox.
Get instant access to breaking news, the hottest reviews, great deals and helpful tips.
Microsoft has a workaround but there’s also an unofficial patch
As it stands now, Microsoft has not yet issued any security updates to address the Follina zero-day vulnerability. However, the software giant has come up with a workaround to help keep Windows PCs protected in the meantime.
The workaround involves disabling the MSDT URL protocol on Windows devices — you’ll first need to run Command Prompt as Administrator to start the process. From here, you need to use the command reg export HKEY_CLASSES_ROOT\ms-msdt ms-msdt.reg to back up your system’s registry key before executing the command reg delete HKEY_CLASSES_ROOT\ms-msdt /f.
If you do decide to go this route, you’ll need to undo the workaround by launching an elevated command prompt and executing the command reg import ms-msdt.reg once Microsoft releases an official patch.
Speaking of patches, opatch has also created free and unofficial micropatches for Windows 11, Windows 10, Windows 7 and Windows Server 2008. While we don’t recommend installing unofficial patches, those willing to take the risk will need to first register for an opatch account before installing the opatch agent. Once launched, the agent will automatically download and apply the patch on your Windows PC.
Now that cybercriminals and even state-sponsored hackers are actively exploiting Follina in their attacks, Microsoft will likely release an official patch soon. In the meantime though, the company’s workaround should be enough for most people to protect their PCs.
Anthony Spadafora is the managing editor for security and home office furniture at Tom’s Guide where he covers everything from data breaches to password managers and the best way to cover your whole home or business with Wi-Fi. He also reviews standing desks, office chairs and other home office accessories with a penchant for building desk setups. Before joining the team, Anthony wrote for ITProPortal while living in Korea and later for TechRadar Pro after moving back to the US. Based in Houston, Texas, when he’s not writing Anthony can be found tinkering with PCs and game consoles, managing cables and upgrading his smart home.