Understanding the Windows Follina Exploit


A nasty Windows exploit popped up in June 2022 that allowed remote attackers to take over your computer with little input needed from your end. While this has since been patched by Microsoft, it’s worth going over to see how this worked and what we can learn from it for the next inevitable exploit.

Let’s look over this issue, named Follina, and learn the facts of the attack.

What Is the Follina Exploit?

On June 1, 2022, an opening for attack in Windows, dubbed Follina, was publicized. Like many other high-profile security scares, this was technically a zero-day (an important security term), meaning the software vendor isn’t aware of the flaw until it is already being exploited in the wild. In this case, white-hat hackers had reported the issue to Microsoft in the recent past, but the company didn’t recognize it as a risk until then.

This hack exploited a feature in Microsoft Word known as remote templates. When you open a document that uses a remote template, Word reaches out to the remote computer or server that created the template and fetches it.

Using this, an attacker could host malicious code on their server, and Word would fetch and run it as soon as you opened an infected document. In turn, that code exploited the Microsoft Support Diagnostic Tool in Windows (normally used by Microsoft Support to help you via remote access) to run commands that let the attacker take control of the machine.

This attack wasn’t limited to a particular Windows version or edition of Word/Office. Every release of Microsoft Office from 2013 through 2021 was vulnerable, as was Microsoft 365. This attack was also possible on Windows 7 through Windows 11.

What made Follina even more dangerous is that you didn’t even have to open the infected Word document to run the exploit. Word retrieves templates when you preview them, so opening the Preview Pane in File Explorer to see the malicious document would also kick off the process.

While Office was the delivery vehicle for this attack, the flaw itself wasn’t tied to that software. The core of the exploit was using the Microsoft Support Diagnostic Tool to run malicious code that gives an attacker control of your computer.
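The remote-template mechanism described above leaves a visible trace in the document itself: a .docx is a zip archive, and an attached template is declared as a relationship in word/_rels/settings.xml.rels, with TargetMode="External" when Word must fetch it from elsewhere. The scanner below is an added example (not code from the original post or from any vendor mentioned here) that flags such external template references; the sample documents it builds are constructed in memory and the hostname in them is a placeholder.

```python
"""Flag external (remote) template references in a .docx, for triage."""
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import List, Optional

# Namespaces/types from the OOXML packaging and WordprocessingML standards.
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)


def remote_template_targets(docx_bytes: bytes) -> List[str]:
    """Return the External targets of any attachedTemplate relationship.

    A template stored locally (Internal target) is normal Word behaviour and
    is ignored; only targets Word would fetch over the network are reported.
    """
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        try:
            rels = z.read("word/_rels/settings.xml.rels")
        except KeyError:
            return []  # no settings relationships, so no attached template
    root = ET.fromstring(rels)
    hits = []
    for rel in root.iter(f"{{{REL_NS}}}Relationship"):
        if rel.get("Type") == ATTACHED_TEMPLATE and rel.get("TargetMode") == "External":
            hits.append(rel.get("Target", ""))
    return hits


def build_docx(template_target: Optional[str], external: bool = True) -> bytes:
    """Constructed minimal .docx-like archive used only to exercise the scanner."""
    rel = ""
    if template_target is not None:
        mode = ' TargetMode="External"' if external else ""
        rel = (f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
               f'Target="{template_target}"{mode}/>')
    rels_xml = (f'<?xml version="1.0" encoding="UTF-8"?>'
                f'<Relationships xmlns="{REL_NS}">{rel}</Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/_rels/settings.xml.rels", rels_xml)
    return buf.getvalue()


if __name__ == "__main__":
    # Placeholder host, constructed for the example.
    print(remote_template_targets(build_docx("http://templates.example.test/t.dotm")))
```

Point the function at real attachments to surface documents that would trigger a network fetch on open or preview; a non-empty result is a reason to inspect the file, not proof of malice.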

The Follina Fix

Unfortunately, Microsoft didn’t act quickly to patch this issue. While news about the exploit spread on June 1, Microsoft didn’t issue updates to fix it until June 14.

In the meantime, the only defenses were Registry workarounds that are not ideal, and cautioning employees to keep an eye out for unsolicited Office documents. Since this wasn’t related to an Office macro, disabling macros or relying on Protected View wasn’t enough to block the exploit.

That’s why having third-party protection that goes beyond a standard antivirus is so important. Bitdefender’s post on Follina explained that it has several layers of protection to defend against attacks like this, including checking for exploits that use malicious HTML and blocking remote connections to malicious sites. Similarly, our customers protected with CrowdStrike didn’t have to wait for Microsoft’s patch to protect themselves.

Learning From Follina

The lessons from this attack are similar to ones that have happened over the past few years, but they bear repeating:

  • Don’t trust any files if you aren’t 100% certain of the origin.
  • Office files might seem innocent, but they are used for many exploits. Prefer to share files with your colleagues using company cloud storage instead of email, if possible, to reduce the chance of opening something dangerous.
  • Standard antivirus isn’t enough to keep your systems safe in today’s environment.
  • While updating your machines is vital, sometimes security patches take a while to arrive.

Thankfully, Follina is in the rearview mirror now, but it won’t be the last dangerous exploit. Be vigilant to keep yourself and your team safe; following our vital security practices for everyone will help.
