Microsoft Office users are encouraged to update the software as soon as possible to protect their systems from a vulnerability exploited by hackers linked to China. While Microsoft has known about the threat since late last month, it initially offered only workarounds.
Microsoft Office Threat
Details of the Microsoft Office vulnerability were initially shared on Twitter. The TA413 cybercriminal group embedded an exploit for the vulnerability in Word documents, then made them appear to originate from the Tibetan government in exile in India. TA413 is assumed to be linked to the Chinese government.
Known as an “advanced persistent threat,” the group has targeted the exiled community before. A 2019 Citizen Lab report showed Tibetan politicians as the subjects of spyware attacks through browsers and WhatsApp. A Firefox extension was used to spy on the Tibetan political figures in at least one instance.
Follina, the new Microsoft Office vulnerability, was made public on May 27. Nao Sec security researchers tweeted about results from the malware scanning website VirusTotal. The tweet explained that the malicious code traveled in Word documents and then ran commands through PowerShell.
Nao Sec tweeted, “Interesting maldoc was submitted from Belarus. It uses Word’s external link to load the HTML and then uses the ‘ms-msdt’ scheme to execute PowerShell code,” adding a VirusTotal link.
Researcher Kevin Beaumont included more details in a blog post. He explained that Follina allowed a malicious Word doc to remotely load HTML files, then used MSDT to carry out the PowerShell commands.
Microsoft responded in a blog post that the CVE-2022-30190 vulnerability (Follina) could allow an attacker to install programs, access, modify, or delete data, and create new user accounts.
It’s assumed that all users of Microsoft Office 2013, 2016, 2019, 2021, Office ProPlus, and Office 365 are at risk due to the Follina vulnerability.
Microsoft Issues Security Update
Microsoft issued workarounds initially, and the U.S. Cybersecurity and Infrastructure Security Agency recommended that system administrators utilize the workarounds in lieu of a solution.
On June 15, Microsoft issued a security update to close the loophole. It urged users of Windows 7 and up to update right away. Microsoft urged Windows 10 users to install update KB5014699 and Windows 11 users to install update KB5014697.
“Microsoft strongly recommends that customers install the updates to be fully protected from the vulnerability,” wrote Microsoft. “Customers whose systems are configured to receive automatic updates do not need to take any further action.”