Microsoft Finally Patches a Major Windows Security Bug

Without the new patch, this zero-day vulnerability lets hackers infect all currently supported versions of Windows.
Adam Rowe

Microsoft's June 2022 Windows updates included one particularly major security fix: a critical zero-day flaw called “Follina,” which hackers have been actively exploiting.

This is one update that all Windows users will want to install as soon as they can: in a successful attack, a hacker can use this vulnerability to view, change, and delete data, as well as create new Windows accounts on the affected machine.

Some critics have called out Microsoft for the time it took to issue the patch, saying the software corporation should have taken action several years ago, when the flaw was first disclosed in a 2020 academic paper.

The Follina Zero-Day Flaw

The exploitable flaw allows hackers to create a malicious Word document that ultimately gives the attacker undetected control of the Microsoft Support Diagnostic Tool (MSDT).

Here's how Microsoft describes the flaw in its announcement acknowledging the problem:

“A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word. An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights.”

Without Microsoft's latest patch, this zero-day vulnerability lets hackers infect all currently supported versions of Windows.
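The chain Microsoft describes (an Office application handing an ms-msdt: URL to the MSDT protocol handler) is the kind of parent/child process relationship a defender can look for in endpoint telemetry. The sketch below is an added example, not code from the article or from Microsoft; the log field names are an assumption modelled on process-creation records, and the sample events are constructed.

```python
"""Detection sketch for the Follina path described above: an Office app hands
an ms-msdt: URL to the MSDT protocol handler. Sample events are constructed,
and the field names are an assumption modelled on process-creation logs
(e.g. Sysmon Event ID 1); this is not the article's or Microsoft's code."""
import re
from dataclasses import dataclass

# Office applications that can pass an ms-msdt: URL to the protocol handler.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
MSDT_URL = re.compile(r"\bms-msdt:", re.IGNORECASE)


@dataclass
class ProcessEvent:
    parent_image: str   # full path of the parent process
    image: str          # full path of the new process
    command_line: str


def basename(path: str) -> str:
    """Last path component, lower-cased, for case-insensitive matching."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev: ProcessEvent) -> "str | None":
    """Finding for msdt.exe launched by an Office app, else None. The ms-msdt:
    URL is the high-confidence signal; an Office parent alone is still odd."""
    parent = basename(ev.parent_image)
    if basename(ev.image) != "msdt.exe" or parent not in OFFICE_PARENTS:
        return None
    if MSDT_URL.search(ev.command_line):
        return f"high: msdt.exe via ms-msdt: URL from {parent}"
    return f"medium: msdt.exe spawned by {parent}"


# Constructed sample events: one exploit-like chain, two benign launches.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r"C:\Windows\System32\msdt.exe",
                 'msdt.exe "ms-msdt:/id PLACEHOLDER_DIAGNOSTIC_ID"'),
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\msdt.exe",
                 "msdt.exe -id DeviceDiagnostic"),  # user-started troubleshooter
    ProcessEvent(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r"C:\Windows\splwow64.exe", "splwow64.exe 12288"),  # print helper
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(classify(ev), "|", ev.command_line)
```

Only the first constructed event fires; a troubleshooter started by the user from Explorer and Word's print helper process both pass, which keeps the rule narrow enough to run over a busy fleet.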

Critics Call Microsoft's Response Too Slow

Once a potentially exploitable software flaw is live, in many cases it's impossible to say whether it has been discovered and used by a hacker. With the Follina flaw, though, the evidence shows that it has been exploited, both by state-backed actors and by cybercriminals.

In one case, a Chinese hacking group used the bug in attacks aimed at the Tibetan diaspora, and in another instance it was used in phishing attacks targeting both US and EU government agencies.

As a recent Ars Technica article details, a description of the flaw had been available to Microsoft since 2020, and researchers from Shadow Chaser Group said this April that they had reported to Microsoft an ongoing malicious spam campaign exploiting Follina.

However, despite multiple warnings, Microsoft didn't classify Follina as a vulnerability until May 30. Once it acknowledged the flaw, Microsoft immediately suggested multiple workarounds and issued its full patch two weeks later.

Hopefully, Microsoft moves forward from this public criticism with a renewed focus on keeping security tight. If not, we'll keep hearing about critical security flaws after they've been exploited and not before. For the typical Windows user, there's not much recourse aside from investing in antivirus software and — in this particular case — refraining from ever opening Word files from suspicious sources.


Adam is a writer at Tech.co and has worked as a tech writer, blogger and copy editor for more than a decade. He's also a Forbes Contributor on the publishing industry, for which he was named a Digital Book World 2018 award finalist. His work has appeared in publications including Popular Mechanics and IDG Connect, and he has an art history book on 1970s sci-fi coming out from Abrams Books in 2022. In the meantime, he's hunting down the latest news on VPNs, POS systems, and the future of tech.
