According to Ars Technica, researchers have warned Microsoft of a flaw in its Support Diagnostic Tool that hackers could exploit. Hackers could use malicious Word documents to take control of their targeted victims’ devices. Microsoft has issued some guidance on the matter, including temporary defense measures, but the flaw remains unpatched.
The vulnerability in the Microsoft Support Diagnostic Tool is known as Follina and, if exploited, will allow the attacker complete remote control.
The Cybersecurity and Infrastructure Security Agency had warned that “a remote, unauthenticated attacker could exploit this vulnerability,” known as Follina, “to take control of an affected system.” But Microsoft would not say when or whether a patch is coming for the vulnerability, even though the company acknowledged that the flaw was being actively exploited by attackers in the wild. And the company still had no comment about the possibility of a patch when asked by WIRED.
The Follina vulnerability in a Windows support tool can be easily exploited by a specially crafted Word document. The lure is outfitted with a remote template that can retrieve a malicious HTML file and ultimately allow an attacker to execute PowerShell commands within Windows. Researchers note that they would describe the bug as a “zero-day,” or previously unknown vulnerability, but Microsoft has not classified it as such.
The vulnerability is present in all supported versions of Windows and can be exploited through Microsoft Office 365, Office 2013 through 2019, Office 2021, and Office ProPlus. Microsoft’s main proposed mitigation involves disabling a specific protocol within the Support Diagnostic Tool and using Microsoft Defender Antivirus to monitor for and block exploitation.

Source: Ars Technica
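The lure described above relies on the document referencing a resource outside the file. As an added example (not code from Ars Technica or Microsoft), this Python check lists external, non-hyperlink relationships in an Office Open XML file so that attachments can be triaged before opening; the function names, sample documents and the `example.invalid` host are constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

PKG_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
REL_TAG = "{" + PKG_NS + "}Relationship"
REL_BASE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
MAX_PART_BYTES = 1_000_000  # refuse oversized parts (zip-bomb guard)

def external_references(doc_bytes):
    """Return (part, type, target) for each external, non-hyperlink relationship."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(doc_bytes)) as zf:
        for info in zf.infolist():
            if not info.filename.endswith(".rels"):
                continue
            if info.file_size > MAX_PART_BYTES:
                findings.append((info.filename, "oversized", ""))
                continue
            try:
                root = ET.fromstring(zf.read(info))
            except ET.ParseError:
                # A relationships part that will not parse is itself worth a look.
                findings.append((info.filename, "unparseable", ""))
                continue
            for rel in root.iter(REL_TAG):
                if rel.get("TargetMode", "").lower() != "external":
                    continue
                kind = rel.get("Type", "").rsplit("/", 1)[-1]
                if kind == "hyperlink":  # clickable links are not fetched on open
                    continue
                findings.append((info.filename, kind, rel.get("Target", "")))
    return findings

def build_sample(part, rels):
    """Constructed test input: a zip holding a single relationships part."""
    xml = f'<Relationships xmlns="{PKG_NS}">'
    for i, (kind, target, mode) in enumerate(rels, 1):
        xml += f'<Relationship Id="rId{i}" Type="{REL_BASE}{kind}" Target="{target}" TargetMode="{mode}"/>'
    xml += "</Relationships>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(part, xml)
    return buf.getvalue()

# Constructed samples; example.invalid is a placeholder host.
SUSPICIOUS = build_sample("word/_rels/settings.xml.rels", [("attachedTemplate", "https://example.invalid/t.dotx", "External")])
CLEAN = build_sample("word/_rels/document.xml.rels",
                     [("styles", "styles.xml", "Internal"), ("hyperlink", "https://example.invalid/", "External")])
```

A finding is a reason to inspect the file further, not proof of malice: legitimate documents also use remote templates and linked images.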
Be sure to check out Ars Technica for the full story. For now, let’s hope this exploit gets dealt with.
Last Updated on June 4, 2022.