Microsoft ‘Follina’ Office Vulnerability: How To Prevent It
Steven Burke, Jay Fitzgerald
Here are the steps Microsoft and MSP security stalwarts Huntress, ThreatLocker, Sophos and Blackpoint Cyber are recommending to MSPs to prevent the Follina zero-day vulnerability from wreaking havoc.
MSPs Rush To Close ‘Follina’ Office Vulnerability
MSPs are moving quickly to implement steps to prevent the Microsoft Office zero-day vulnerability referred to as Follina from being exploited by cybercriminals.
US itek, a Buffalo, N.Y.-based MSP, for example, is implementing a ringfencing update from security software provider ThreatLocker that blocks access to the Microsoft Diagnostics Tool (MSDT), which can be exploited by attackers.
“ThreatLocker is keeping its MSPs ahead of the curve by providing a template to secure new vulnerabilities like Follina within hours of those zero-day vulnerabilities being disclosed,” said Stinner. “Ringfencing and whitelisting have changed the game for us. We no longer have to spend hundreds of hours making changes and updates to every system that we manage to prevent a zero-day vulnerability. With ThreatLocker we have a framework that makes it easy to protect our customers.”
US itek has made ThreatLocker a mandatory requirement for customers, said Stinner. “We have ThreatLocker on every computer we manage so when there is a new exploit we just implement the new policy,” he said.
CNWR, a Toledo, Ohio, MSP, has moved swiftly to remove the Microsoft Diagnostics Tool with Kelvin Tegelaar’s Powershell snippet, said CNWR President Jason Slagle. He expects a Microsoft patch for the vulnerability to be released quickly which his team will implement.
News of the zero-day vulnerability in Microsoft Office first surfaced over the weekend, when Japanese security vender Nao Sec warned of the threat in a tweet.
Interesting maldoc was submitted from Belarus. It uses Word's external link to load the HTML and then uses the "ms-msdt" scheme to execute PowerShell code.https://t.co/hTdAfHOUx3 pic.twitter.com/rVSb02ZTwt— nao_sec (@nao_sec) May 27, 2022
Among others, Huntress over the holiday weekend issued a “rapid response,” warning that there was no patch yet for the vulnerability and urging people to be “extra vigilant when opening up any attachments, particularly Word documents.”
By Monday, Microsoft confirmed the problem in a blog post, warning of potential dangers, offering extra guidance and urging MSPs and IT administrators to disable Microsoft Diagnostics Tool (MSDT) URL protocol.
In addition, Microsoft advised customers with Microsoft Defender Antivirus to turn-on cloud-delivered protection and automatic sample submission.
Kyle Hanslovan, the CEO of MSP threat researcher Huntress, says he considers ‘Follina,’ as the Microsoft zero-day vulnerability is now being called, a serious enough threat to immediately implement a suggested temporary fix and to warn employees not to open suspicious email attachments.
“This is going to allow hackers to get into your computer more easily if you open a document from somebody untrusted,” he said in an interview with CRN. “Even worse, they’re sometimes using people’s legitimate emails that they’ve already hacked to send an email that looks more trusted. That makes it even harder to identify.”
Microsoft’s Security Response Center, for its part, confirmed that the “remote code execution vulnerability” exists when MSDT is called using the URL protocol from an application such as Microsoft Word.
“An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application,” said Microsoft. “The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights.”
Here are the steps Microsoft, Huntress and ThreatLocker recommend MSPs take to prevent Follina from being exploited by cybercriminals.