Serious zero-day vulnerability detected in Microsoft Office: just clicking the document file is enough to be affected

The newly discovered vulnerability is called Follina and currently there is no official patch from Microsoft.

Developers have just announced a critical zero-day vulnerability called Follina in the Microsoft Office suite. By successfully exploiting this vulnerability, an attacker could use a malicious Word document to trigger code execution on the victim's computer.

This vulnerability was first disclosed on May 27 by the Twitter account @nao_sec.

"The malicious document uses Word's remote template feature to retrieve an HTML file from a remote web server then uses the ms-msdt MSProtocol URI scheme to load some code and execute some PowerShell commands," researcher Kevin Beaumont explains. "It's not supposed to be."

Beaumont said hackers can exploit this vulnerability even if macros have been disabled in Office applications. Office 2013, 2016, 2019, 2021 versions with Microsoft 365 license on both Windows 10 and Windows 11 are affected by this vulnerability.
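The remote template retrieval described above is recorded inside the document package as a relationship marked External, so a received file can be checked without opening it in Word. The following Python script is an added example, not code from the researchers quoted here; the function names, the constructed sample package, and the rule that non-hyperlink external http(s) targets deserve review are assumptions of this example.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"

def external_relationships(docx_bytes):
    """Return (part, rel_type, target) for every External relationship in the package."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as pkg:
        for name in pkg.namelist():
            if not name.endswith(".rels"):
                continue
            # Untrusted XML: for real triage, use a hardened parser such as defusedxml.
            root = ET.fromstring(pkg.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode", "").lower() == "external":
                    found.append((name, rel.get("Type", ""), rel.get("Target", "")))
    return found

def auto_loaded_remote_targets(docx_bytes):
    """Heuristic (assumption): external http(s) targets that are not plain hyperlinks."""
    return [
        (part, rtype.rsplit("/", 1)[-1], target)
        for part, rtype, target in external_relationships(docx_bytes)
        if rtype != OFFICE_REL + "hyperlink"
        and target.lower().startswith(("http://", "https://"))
    ]

def build_sample():
    """Constructed sample: one ordinary hyperlink and one remote attached template."""
    def rels(kind, target):
        return (f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId1" '
                f'Type="{OFFICE_REL}{kind}" Target="{target}" TargetMode="External"/>'
                "</Relationships>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("word/_rels/document.xml.rels",
                     rels("hyperlink", "https://example.invalid/page"))
        pkg.writestr("word/_rels/settings.xml.rels",
                     rels("attachedTemplate", "https://example.invalid/template.html"))
    return buf.getvalue()

if __name__ == "__main__":
    for hit in auto_loaded_remote_targets(build_sample()):
        print("non-hyperlink external target:", hit)
```

A hit is a reason to inspect the file further, not a verdict: legitimate documents can also reference remote templates.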

Kyle Hanslovan, CEO of security firm Huntress Labs, shared a video demonstrating how easily Follina can be exploited.


Everything the researchers posted shows that this vulnerability allows hackers to execute code on the victim's machine with just one click. In addition, as Hanslovan demonstrated, hackers can execute code even if the user only previews the malicious document they receive. The attack works entirely through the support tool (ms-msdt) and the system administration tool (PowerShell) that come pre-installed on Windows.

Twitter user @crazyman_army said he reported the vulnerability to Microsoft on April 12 but received a response on April 21 that it was not a security issue.

Temporary fix

Currently, because Microsoft has not recognized the vulnerability, there is no official fix from Microsoft. In the meantime, you can apply the following measures:

  1. Turn off Preview mode in Windows Explorer: Open Windows Explorer, then go to the View tab and select Hide Preview Pane.
  2. Download the file unregister-msdt.reg from GitHub, then double-click the file to apply it. If the User Account Control window appears, select Yes.
  3. Update anti-virus software and check files before opening with VirusTotal.
  4. If you receive a Word, Excel or PPT file, try opening it with Google Docs, Sheets or Slides.

TipsMake.com will continue to update as soon as there is information or an official patch of this Follina vulnerability. 
