A .doc File Could Put Your Windows Computer at Risk

Microsoft hasn’t issued a patch, but there’s an unofficial fix

  • A novel Windows zero-click attack that can compromise machines without any user action has been observed in the wild.
  • Microsoft has acknowledged the issue and put out remediation steps, but the bug doesn’t have an official patch yet.
  • Security researchers see the bug being actively exploited and expect more attacks in the near future.
A mechanical bug in a simulated web of light.

John M Lund Photography Inc / Getty Images

Hackers have found a way to break into a Windows computer simply by sending a specially crafted malicious file.

Dubbed Follina, the bug is quite serious as it could allow hackers to take complete control over any Windows system just by sending a modified Microsoft Office document. In some cases, people don't even have to open the file, as the Windows file preview is enough to trigger the nasty bits. Notably, Microsoft has acknowledged the bug but hasn't yet released an official fix to nullify it.

"This vulnerability should still be at the top of the list of things to worry about," Dr. Johannes Ullrich, Dean of Research for SANS Technology Institute, wrote in the SANS weekly newsletter. "While anti-malware vendors are quickly updating signatures, they are inadequate to protect against the wide range of exploits that may take advantage of this vulnerability."

Preview to Compromise

The threat was first spotted by Japanese security researchers towards the end of May courtesy of a malicious Word document. 

Security researcher Kevin Beaumont unfolded the vulnerability and discovered the .doc file loaded a spurious piece of HTML code, which then calls on the Microsoft Diagnostics Tool to execute a PowerShell code, which in turn runs the malicious payload.

Windows uses the Microsoft Diagnostic Tool (MSDT) to collect and send diagnostic information when something goes wrong with the operating system. Apps call the tool using the special MSDT URL protocol (ms-msdt://), which Follina aims to exploit.

"This exploit is a mountain of exploits stacked on top of each other. However, it is unfortunately easy to re-create and cannot be detected by anti-virus," wrote security advocates on Twitter.

In an email discussion with Lifewire, Nikolas Cemerikic, Cyber Security Engineer at Immersive Labs, explained that Follina is unique. It doesn't take the usual route of misusing office macros, which is why it can even wreak havoc for people who have disabled macros.

"For many years, email phishing, combined with malicious Word documents, has been the most effective way to gain access to a user's system," pointed out Cemerikic. "The risk now is heightened by the Follina attack, as the victim only needs to open a document, or in some cases, view a preview of the document via the Windows preview pane, while removing the need to approve security warnings."

Microsoft was quick to put out some remediation steps to mitigate the risks posed by Follina. "The mitigations that are available are messy workarounds that the industry hasn't had time to study the impact of," wrote John Hammond, a senior security researcher at Huntress, in the company's deep dive blog on the bug. "They involve changing settings in the Windows Registry, which is serious business because an incorrect Registry entry could brick your machine."

This vulnerability should still be at the top of the list of things to worry about.

While Microsoft hasn't released an official patch to fix the issue, there's an unofficial one from the 0patch project.

Talking through the fix, Mitja Kolsek, co-founder of the 0patch project, wrote that while it'd be simple to disable the Microsoft Diagnostic tool altogether or to codify Microsoft's remediation steps into a patch, the project went for a different approach as both these approaches would negatively impact the performance of the Diagnostic Tool. 

It’s Just Begun

Cybersecurity vendors have already started seeing the flaw being actively exploited against some high-profile targets in the US and Europe.

Although all current exploits in the wild seem to use Office documents, Follina can be abused through other attack vectors, explained Cemerikic. 

Explaining why he believed that Follina isn't going to go away any time soon, Cemerikic said that, as with any major exploit or vulnerability, hackers eventually start developing and releasing tools to aid exploitation efforts. This essentially turns these rather complex exploits into point-and-click attacks.  

Closeup on someone's hand operating a computer mouse, with the computer and speakers in the background.

EvgeniyShkolenko / Getty Images

"Attackers no longer need to understand how the attack works or chain together a series of vulnerabilities, all they need to do is click 'run' on a tool," said Cemerikic. 

He argued that this is exactly what the cybersecurity community has witnessed over the past week, with a very serious exploit being put into the hands of less capable or uneducated attackers and script kiddies. 

"As time progresses, the more these tools become available, the more Follina will be used as a method of malware delivery to compromise target machines," warned Cemerikic, urging people to patch their Windows machines without delay.

Was this page helpful?