Microsoft Office Zero-Day Vulnerability: What You Need to Know

On May 30, 2022, security researchers identified a new zero-day flaw in Microsoft Office that could be used to run arbitrary code execution (ACE) on Windows systems. Dubbed “Follina” because the zero day code references 0438 – the area code of Follina in Italy – the flaw impacts all Windows versions still receiving security updates.

What happened?

Japanese security vendor Nao Sec uncovered a Word document that was uploaded to VirusTotal from an IP address in Belarus. This document contained malicious code leveraging Word’s external link to retrieve an HTML file from a server, which then used the ‘ms-msdt’ scheme to run a malicious payload. MSDT, or Microsoft Diagnostic Support Tool, is an application that helps troubleshoot and collect diagnostic data for analysis. Tracked as CVE-2022-30190, the vulnerability has wide implications given the broad usage of Microsoft Office programs.

How do I know if I’m vulnerable?

Chances are, if you have Microsoft Office, you’re vulnerable. Specific versions affected include: 2021, 2019, 2016 and 2013.

What is Nuspire doing?

Nuspire is actively threat hunting internally and within client environments for indications of compromise. Additionally, Nuspire is patching against this threat.

What should I do?

Nuspire recommends you take the following actions:

• Apply patches as provided by Microsoft on May 30, 2022. Microsoft’s bulletin regarding these patches can be found here.
• If unable to apply patches, consider applying the workaround provided by Microsoft found here.