An Actively Exploited Microsoft Zero-Day Flaw Still Has No Patch

'An actively exploited Microsoft zero-day flaw still has no patch,' Wired wrote Friday (in an article they've designated as 'free for a limited time only.')

Microsoft first received reports of the flaw on April 21st, the article points out, and researchers have now seen malicious Word documents exploiting Follina for targets in Russia, India, the Philippines, Belarus, and Nepal. Yet 'The company continues to downplay the severity of the Follina vulnerability, which remains present in all supported versions of Windows.'

Researchers warned last weekend that a flaw in Microsoft's Support Diagnostic Tool could be exploited using malicious Word documents to remotely take control of target devices. Microsoft released guidance on Monday, including temporary defense measures. By Tuesday, the United States Cybersecurity and Infrastructure Security Agency had warned that 'a remote, unauthenticated attacker could exploit this vulnerability,' known as Follina, 'to take control of an affected system.' But Microsoft would not say when or whether a patch is coming for the vulnerability, even though the company acknowledged that the flaw was being actively exploited by attackers in the wild. And the company still had no comment about the possibility of a patch when asked by WIRED [Thursday].

The Follina vulnerability in a Windows support tool can be easily exploited by a specially crafted Word document. The lure is outfitted with a remote template that can retrieve a malicious HTML file and ultimately allow an attacker to execute Powershell commands within Windows. Researchers note that they would describe the bug as a 'zero-day,' or previously unknown vulnerability, but Microsoft has not classified it as such. 'After public knowledge of the exploit grew, we began seeing an immediate response from a variety of attackers beginning to use it,' says Tom Hegel, senior threat researcher at security firm SentinelOne. He adds that while attackers have primarily been observed exploiting the flaw through malicious documents thus far, researchers have discovered other methods as well, including the manipulation of HTML content in network traffic....

The vulnerability is present in all supported versions of Windows and can be exploited through Microsoft Office 365, Office 2013 through 2019, Office 2021, and Office ProPlus. Microsoft's main proposed mitigation involves disabling a specific protocol within Support Diagnostic Tool and using Microsoft Defender Antivirus to monitor for and block exploitation.
But incident responders say that more action is needed, given how easy it is to exploit the vulnerability and how much malicious activity is being detected.

The Register adds that the flaw works in Microsoft Word even when macros are disabled. (Thanks to long-time Slashdot reader Z00L00K for sharing the story!)

Friday Microsoft went into the vulnerability's official CVE report and added this update.

'Microsoft is working on a resolution and will provide an update in an upcoming release.'

Read more of this story at Slashdot.