Patches are not yet available for the Follina zero-day flaw

June 3, 2022

Microsoft recently confirmed a new high-severity zero-day vulnerability dubbed Follina, which is reached through Microsoft Office documents. The flaw itself sits in the Microsoft Support Diagnostic Tool (MSDT): an attacker who exploits it can run arbitrary code with the privileges of the calling application, typically Office running as the logged-in user, and so install programs, view, change or delete data, or create new accounts within that user's rights.

To date, there is no fix for the Follina zero-day. In the meantime, managed service providers (MSPs) and IT admins are advised to disable the MSDT URL protocol (the ms-msdt: handler) as a preventive measure, so that a document can no longer hand a crafted URL to the diagnostic tool.

Users running Microsoft Defender Antivirus are also advised to turn on cloud-delivered protection so that cloud-based machine-learning detections can block new and unknown samples quickly.


Because no patch is available, security researchers are urging users to be extra cautious when handling Microsoft Word documents, especially ones arriving by email.


Threat actors are expected to weaponise the vulnerability for initial access, most likely by distributing phishing emails that carry malicious Word documents. Experts anticipate such exploitation attempts in the coming days.

Moreover, security researchers believe that, as long as the flaw remains unpatched, attackers will refine their tradecraft, chaining it with privilege escalation to take full control of a compromised environment.

For now, MSPs are also strongly advised to enable the Microsoft Defender Attack Surface Reduction (ASR) rule "Block all Office applications from creating child processes", which stops a Word document from launching MSDT in the first place. Note that the rule only covers launches from Office processes and requires Defender to be the active antivirus. Alternatively, they can remove the MSDT protocol handler registration from the Registry.
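The two interim mitigations described above (removing the MSDT URL protocol handler, and enabling the ASR rule), applied and verified in one script. This is an added worked example, not code from the original article or from Microsoft; it assumes an elevated PowerShell session, an arbitrary backup path of C:\Backup\ms-msdt.reg, and the documented rule GUID D4F940AB-401B-4EFC-AADC-AD5F3C50688A for "Block all Office applications from creating child processes". The handler is exported before it is deleted so it can be restored once a patch ships.

```powershell
# Added example (not from the original article). Run elevated.
# Assumption: the backup path below is ours to choose.
$BackupFile = 'C:\Backup\ms-msdt.reg'
# Documented GUID of "Block all Office applications from creating child processes".
$AsrRuleId  = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'

function Disable-MsdtProtocol {
    # Export the handler key first; refuse to delete if the backup did not land.
    New-Item -ItemType Directory -Path (Split-Path $BackupFile) -Force | Out-Null
    reg.exe export 'HKEY_CLASSES_ROOT\ms-msdt' $BackupFile /y | Out-Null
    if (-not (Test-Path $BackupFile)) { throw "Backup of ms-msdt key failed; not deleting it." }
    reg.exe delete 'HKEY_CLASSES_ROOT\ms-msdt' /f | Out-Null
}

function Restore-MsdtProtocol {
    # Undo the workaround once Microsoft's patch is installed.
    reg.exe import $BackupFile
}

function Enable-OfficeChildProcessRule {
    # Requires Microsoft Defender Antivirus to be the active AV engine.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $AsrRuleId `
                     -AttackSurfaceReductionRules_Actions Enabled
}

function Test-FollinaMitigations {
    # Report whether both mitigations are actually in effect on this host.
    $handlerGone = -not (Test-Path 'Registry::HKEY_CLASSES_ROOT\ms-msdt')
    $pref = Get-MpPreference
    $ids  = @($pref.AttackSurfaceReductionRules_Ids)
    $acts = @($pref.AttackSurfaceReductionRules_Actions)
    $asrBlocking = $false
    for ($i = 0; $i -lt $ids.Count; $i++) {
        # Action value 1 = Block (0 = Off, 2 = Audit, 6 = Warn).
        if ($ids[$i] -ieq $AsrRuleId -and $acts[$i] -eq 1) { $asrBlocking = $true }
    }
    [pscustomobject]@{
        MsdtHandlerRemoved             = $handlerGone
        OfficeChildProcessRuleBlocking = $asrBlocking
    }
}

Disable-MsdtProtocol
Enable-OfficeChildProcessRule
Test-FollinaMitigations
```

Both checks should come back True. If OfficeChildProcessRuleBlocking stays False, a third-party antivirus is probably registered as the active engine and Defender's ASR rules are not being enforced, so the Registry change is the only one of the two mitigations actually protecting that machine.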

Experts regard these temporary mitigations as messy workarounds until a proper patch is available. One of them involves editing the Windows Registry, which can leave a machine in a bad state if done incorrectly, so the affected key should be exported before it is removed. Until a patch is released, MSPs remain exposed to a substantial threat.

Nonetheless, analysts noted that MSPs with sound processes, application allow-listing and tested backups are well placed to avoid a ransomware outcome: allow-listing limits what an attacker can run after abusing the flaw, and backups limit the damage if they succeed. Even so, a proper patch is eagerly awaited.
