Zero-day vulnerability in Microsoft Office Pro Plus, Office 2013, Office 2016 and Office 2021 allows remote code execution with a single click

A few days ago, the security researcher known as “nao_sec” reported a specially crafted Word document that exploits a zero-day vulnerability in Microsoft Office, allowing arbitrary code execution as soon as the malicious file is opened.

The sample, uploaded to VirusTotal from Belarus, was analyzed by researcher Kevin Beaumont, who reports that the document uses Word’s remote template feature to retrieve an HTML file from a remote web server; that HTML then invokes the ms-msdt: URI protocol handler (the Microsoft Support Diagnostic Tool) to load and execute PowerShell code.
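The delivery chain above begins with an otherwise ordinary .docx whose settings relationship file points at an external template, and that relationship is visible without opening the document in Word. The following PowerShell is an added example, not code from the article or from the researchers it cites: it walks a directory of Office documents and reports any whose attachedTemplate relationship is an http(s) URL. The scan root is an assumed placeholder; a local or UNC template path, common in corporate deployments, is deliberately not flagged.

```powershell
# Added example, not code from the article. Hunts for Word documents that pull a
# remote template, the delivery mechanism used by the Follina sample.
# A .docx is a ZIP; the template link lives in word/_rels/settings.xml.rels as an
# attachedTemplate relationship with TargetMode="External". A local or UNC path
# there is common in corporate templates; an http(s) URL is what to review.
param(
    # Assumed placeholder: directory to scan, e.g. a mail quarantine or Downloads
    [string]$ScanRoot = "$env:USERPROFILE\Downloads"
)
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Get-RemoteTemplateTarget {
    param([Parameter(Mandatory)][string]$Path)
    $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
    try {
        $entry = $zip.GetEntry('word/_rels/settings.xml.rels')
        if (-not $entry) { return $null }       # no template relationship at all
        $reader = New-Object System.IO.StreamReader($entry.Open())
        try { [xml]$rels = $reader.ReadToEnd() } finally { $reader.Dispose() }
        foreach ($rel in $rels.Relationships.Relationship) {
            if ($rel.Type -like '*/attachedTemplate' -and
                $rel.TargetMode -eq 'External' -and
                $rel.Target -match '^https?://') {
                return $rel.Target                # remote template URL
            }
        }
        return $null
    } finally {
        $zip.Dispose()
    }
}

Get-ChildItem -Path $ScanRoot -Recurse -File -Include *.docx, *.docm, *.dotx, *.dotm |
    ForEach-Object {
        $file = $_
        try {
            $target = Get-RemoteTemplateTarget -Path $file.FullName
        } catch {
            Write-Warning "Could not parse $($file.FullName): $_"
            return                                # skip corrupt or non-ZIP files
        }
        if ($target) {
            [pscustomobject]@{ File = $file.FullName; RemoteTemplate = $target }
        }
    } | Format-Table -AutoSize
```

A hit tells you where the document would fetch its template from, which is the host to pivot on in proxy and DNS logs. The check only covers the ZIP-based formats; the RTF variant mentioned further down has no container to inspect this way and needs a separate rule on the RTF body.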

Beaumont notes that the code runs regardless of whether macros are disabled on the target system, and that Microsoft Defender does not appear to prevent the attack: “Although Protected View is activated if you change the document to RTF format, the malicious code will run without even opening the document.”

The flaw was dubbed “Follina” because the malicious sample references 0438, the telephone area code of Follina, a small town in Italy. The researcher and other members of the cybersecurity community confirmed that the known exploit achieves remote code execution on several versions of Windows and Office, including Office Pro Plus, Office 2013, Office 2016 and Office 2021.

The exploit does not appear to work on the most recent Office builds or on Windows Insider builds, which could mean Microsoft is already working on a fix. Beaumont believes, however, that the exploit could be made to work on those versions with some modifications.

A hacking group used a domain registered through Namecheap as a command-and-control (C&C) server; the registrar quickly took the site down. The cybersecurity community has proposed mitigations, chiefly disabling the ms-msdt: protocol handler, which should limit the impact of any wave of active exploitation on systems where they are applied.
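As an added example (not from the article), this is the mitigation most widely circulated for Follina: removing the registry key that registers the ms-msdt: URL protocol handler, so the HTML stage has nothing to hand the URI to. The key is exported first so the handler can be restored once a patch is installed; the backup location is an assumption.

```powershell
# Added example, not code from the article. Disables the ms-msdt: URL protocol
# handler that the malicious HTML invokes, so the URI no longer launches the
# Diagnostics Troubleshooting Wizard. Run from an elevated PowerShell prompt.
# The handler is exported to a .reg file first so it can be restored after patching.
$key    = 'HKEY_CLASSES_ROOT\ms-msdt'
$backup = Join-Path $env:SystemRoot ('Temp\ms-msdt-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))   # assumed location

if (Test-Path "Registry::$key") {
    reg.exe export $key $backup /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Export of $key failed; handler left in place" }
    reg.exe delete $key /f | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Delete of $key failed" }
    Write-Host "ms-msdt handler removed; backup saved to $backup"
} else {
    Write-Host "ms-msdt handler not present; nothing to do"
}

# Verify the scheme is no longer registered
Test-Path "Registry::$key"

# Roll back once a patch is installed:
#   reg.exe import <path to the .reg backup>
```

The final Test-Path prints False once the key is gone. This removes one link in the chain rather than the Office-side behaviour, so it belongs alongside, not instead of, blocking Office from spawning child processes (the Defender attack surface reduction rule of that name) and the remote-template hunting described earlier.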

Feel free to access the International Institute of Cyber Security (IICS) websites to learn more about information security risks, malware variants, vulnerabilities, and information technologies.