Microsoft's June 2022 Windows updates included one particularly important security fix: a patch for a zero-day flaw known as “Follina” (tracked as CVE-2022-30190), which attackers had been actively exploiting.
This is one update every Windows user should install as soon as possible. A successful attack lets the attacker run code with the privileges of the user who opened the document, which means viewing, changing and deleting that user's data, and creating new accounts, within whatever rights the victim's account holds.
Some critics have faulted Microsoft for how long the patch took, arguing that the company should have acted two years earlier, in 2020, when the underlying technique was first described in an academic paper.
The Follina Zero-Day Flaw
The flaw lets an attacker craft a Word document that, when opened, invokes the Microsoft Support Diagnostic Tool (MSDT) through its ms-msdt: URL protocol handler and makes MSDT execute attacker-chosen commands. No macros are needed, so the usual “don't enable macros” advice does not protect against it, and in the variants that circulated as RTF files, simply previewing the file in Windows Explorer was enough to trigger it.
Here's how Microsoft describes the flaw in their announcement acknowledging the problem:
“A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word. An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights.”
Until the June patch is applied, the vulnerability is exploitable on all currently supported versions of Windows; it is not limited to a single release or edition.
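Because the attack runs from an ordinary-looking document, one practical check a defender can add to mail or file-share triage is to look for the two traits the public Follina samples shared: a .docx whose OLE relationship points at an external URL (the document fetches remote HTML rather than embedding an object), and the ms-msdt: scheme appearing anywhere in the file. The following scanner is an added example written for this page, not code from Microsoft or from the article; the heuristic is mine, the sample documents are constructed in memory, and the example.invalid URL is a placeholder rather than a real indicator.

```python
"""Heuristic triage for Follina-style documents (CVE-2022-30190).

Added example, not from the article. Flags (1) an OLE relationship whose
target is an external URL and (2) the ms-msdt: URL scheme appearing in the
file. Both are rare in legitimate documents, so either warrants a closer look.
The sample documents below are constructed in memory; no real samples are used.
"""
import io
import re
import xml.etree.ElementTree as ET
import zipfile

# Namespaces and relationship type as defined by the OOXML package format.
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
MSDT_SCHEME = re.compile(rb"ms-msdt:", re.IGNORECASE)


def external_ole_targets(rels_xml: bytes) -> list:
    """Return Target URLs of OLE relationships marked TargetMode="External"."""
    try:
        root = ET.fromstring(rels_xml)
    except ET.ParseError:
        return []  # malformed .rels part: nothing to report from it
    return [
        rel.get("Target", "")
        for rel in root.iter(f"{{{REL_NS}}}Relationship")
        if rel.get("Type") == OLE_TYPE and rel.get("TargetMode") == "External"
    ]


def scan_document(data: bytes) -> dict:
    """Scan a .docx (zip) by part, or any other file (RTF, HTML) as raw bytes."""
    findings = {"external_ole": [], "msdt_scheme": []}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        if MSDT_SCHEME.search(data):
            findings["msdt_scheme"].append("<raw file>")
        return findings
    with zf:
        for name in zf.namelist():
            content = zf.read(name)
            if name.endswith(".rels"):
                for target in external_ole_targets(content):
                    findings["external_ole"].append((name, target))
            if MSDT_SCHEME.search(content):
                findings["msdt_scheme"].append(name)
    return findings


def is_suspicious(findings: dict) -> bool:
    return bool(findings["external_ole"] or findings["msdt_scheme"])


def build_sample_docx(external_target: str = None) -> bytes:
    """Constructed minimal .docx-shaped zip: benign by default, or carrying
    an external OLE relationship like the public Follina samples did."""
    rels = [
        '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/'
        'officeDocument/2006/relationships/styles" Target="styles.xml"/>'
    ]
    if external_target is not None:
        rels.append(
            f'<Relationship Id="rId2" Type="{OLE_TYPE}" '
            f'Target="{external_target}" TargetMode="External"/>'
        )
    rels_xml = (
        f'<?xml version="1.0" encoding="UTF-8"?><Relationships xmlns="{REL_NS}">'
        + "".join(rels) + "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


if __name__ == "__main__":
    samples = (
        ("benign", build_sample_docx()),
        ("external-ole", build_sample_docx("http://example.invalid/payload.html")),
        ("raw-html", b"<html><script>location.href='ms-msdt:'</script></html>"),
    )
    for label, blob in samples:
        f = scan_document(blob)
        print(label, "SUSPICIOUS" if is_suspicious(f) else "clean", f)
```

The external-OLE check is the more useful of the two in practice: the real samples hosted the HTML that invoked ms-msdt: on a remote server, so the document itself never contained the scheme string. Treat a hit as a triage signal, not proof of compromise, and expect to tune it against your own document corpus.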
Critics Call Microsoft's Response Too Slow
Once an exploitable flaw exists in shipping software, it is often impossible to tell whether anyone has found and used it. For Follina, though, there is clear evidence of exploitation by both state-backed actors and cybercriminals.
In one case, a Chinese hacking group used the bug in attacks aimed at the Tibetan diaspora; in another, it was used in phishing attacks targeting both US and EU government agencies.
As a recent Ars Technica article details, a description of the flaw had been available to Microsoft since 2020, and researchers from Shadow Chaser Group said in April that they had reported an ongoing malicious spam campaign exploiting Follina to Microsoft.
However, despite multiple warnings, Microsoft did not acknowledge Follina as a vulnerability until May 30. Once it did, it immediately published workarounds (chiefly disabling the ms-msdt URL protocol handler by deleting its registry key, after backing that key up) and issued the full patch about two weeks later, in the June updates.
Hopefully, Microsoft moves forward from this public criticism with a renewed focus on keeping security tight. If not, we'll keep hearing about critical security flaws after they've been exploited rather than before. For the typical Windows user, there's not much recourse beyond installing the update promptly, keeping antivirus software current, and, in this particular case, refraining from opening Word files from untrusted sources.