An Actively Exploited Microsoft Zero-Day Flaw Still Has No Patch (wired.com) 38

"An actively exploited Microsoft zero-day flaw still has no patch," Wired wrote Friday (in an article they've designated as "free for a limited time only.")

Microsoft first received reports of the flaw on April 21st, the article points out, and researchers have now seen malicious Word documents exploiting Follina for targets in Russia, India, the Philippines, Belarus, and Nepal. Yet "The company continues to downplay the severity of the Follina vulnerability, which remains present in all supported versions of Windows." Researchers warned last weekend that a flaw in Microsoft's Support Diagnostic Tool could be exploited using malicious Word documents to remotely take control of target devices. Microsoft released guidance on Monday, including temporary defense measures. By Tuesday, the United States Cybersecurity and Infrastructure Security Agency had warned that "a remote, unauthenticated attacker could exploit this vulnerability," known as Follina, "to take control of an affected system." But Microsoft would not say when or whether a patch is coming for the vulnerability, even though the company acknowledged that the flaw was being actively exploited by attackers in the wild. And the company still had no comment about the possibility of a patch when asked by WIRED [Thursday].

The Follina vulnerability in a Windows support tool can be easily exploited by a specially crafted Word document. The lure is outfitted with a remote template that can retrieve a malicious HTML file and ultimately allow an attacker to execute Powershell commands within Windows. Researchers note that they would describe the bug as a "zero-day," or previously unknown vulnerability, but Microsoft has not classified it as such. "After public knowledge of the exploit grew, we began seeing an immediate response from a variety of attackers beginning to use it," says Tom Hegel, senior threat researcher at security firm SentinelOne. He adds that while attackers have primarily been observed exploiting the flaw through malicious documents thus far, researchers have discovered other methods as well, including the manipulation of HTML content in network traffic....

The vulnerability is present in all supported versions of Windows and can be exploited through Microsoft Office 365, Office 2013 through 2019, Office 2021, and Office ProPlus. Microsoft's main proposed mitigation involves disabling a specific protocol within Support Diagnostic Tool and using Microsoft Defender Antivirus to monitor for and block exploitation.

But incident responders say that more action is needed, given how easy it is to exploit the vulnerability and how much malicious activity is being detected.

The Register adds that the flaw works in Microsoft Word even when macros are disabled. (Thanks to long-time Slashdot reader Z00L00K for sharing the story!)

Friday Microsoft went into the vulnerability's official CVE report and added this update.

"Microsoft is working on a resolution and will provide an update in an upcoming release."
  • They have crappy engineering, crappy leadership and do not care about their customers one bit as long as the dollars keep rolling in.

    • Re: (Score:3, Funny)

      Eh ... they care about maintaining the appearance that their shitting on home customers (treating them as beta-testers for corporate customers) is accomplishing anything useful. That's kind of like caring about some of their customers.

    • They have crappy engineering, crappy leadership and do not care about their customers one bit as long as the dollars keep rolling in.

      And yet, Microsoft is now doubling salaries and increasing stock compensation [newsweek.com] to retain these same crappy engineers because, according to their crappy leadership:

      "Time and time again, we see that our talent is in high demand because of the amazing work that you do,"

      • by gweihir ( 88907 )

        A scam operator needs to keep up appearances. Otherwise the house of cards collapses.

    • by mspohr ( 589790 )

      They started with bad design and followed with sloppy implementation and have been trying to patch the steaming pile of code ever since.
      It just won't ever be fixed.
      I just don't know why people keep buying it. They must be really stupid.

      • by gweihir ( 88907 )

        They started with bad design and followed with sloppy implementation and have been trying to patch the steaming pile of code ever since.
        It just won't ever be fixed.

        At the current complexity they have reached and failed to keep under control, it is probably impossible to fix it. That is not hyperbole, that is how engineering works: At some level of complexity you lose control and you cannot get it back anymore. In the early stages you can often still fix things by drastic simplification, but that that ship has sailed long ago for the products MS makes. That is also why all good engineers respect KISS above everything else. MS never has understood KISS and hence consist

    • by goslackware ( 821522 ) on Sunday June 05, 2022 @06:30PM (#62595730)

      Tldr, run the below workaround:
      reg delete HKEY_CLASSES_ROOT\ms-msdt /f

      21 replies and not a single mention of the simple way to mitigate the issue...
      Note, if you disable the msdt url protocol you might have issues with Microsoft diagnostic and troubleshooting wizards, which are rarely helpful anyways.

      From Microsoft:
      ---
      Workarounds
      To disable the MSDT URL Protocol

      Disabling MSDT URL protocol prevents troubleshooters being launched as links including links throughout the operating system. Troubleshooters can still be accessed using the Get Help application and in system settings as other or additional troubleshooters. Follow these steps to disable:

      Run Command Prompt as Administrator.
      To back up the registry key, execute the command "reg export HKEY_CLASSES_ROOT\ms-msdt filename".
      Execute the command "reg delete HKEY_CLASSES_ROOT\ms-msdt /f".
      How to undo the workaround

      Run Command Prompt as Administrator.
      To restore the registry key, execute the command "reg import filename".
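      The same workaround as a PowerShell script, added here as an example (it is not from the Slashdot post or from Microsoft's advisory): it exports the key first, refuses to delete if the backup did not land, verifies the handler is really gone, and can restore it later. The $BackupDir location is an assumption; run it from an elevated prompt.

```powershell
# Added example: apply, verify and reverse the ms-msdt URL-protocol workaround.
# Only reg.exe and built-in cmdlets are used; requires an elevated PowerShell.
$BackupDir = 'C:\msdt-backup'                # assumption: where backup .reg files are kept
$Key       = 'HKEY_CLASSES_ROOT\ms-msdt'     # the protocol handler the advisory says to remove

function Test-MsdtHandlerPresent {
    # True while ms-msdt: is still registered, i.e. the workaround is NOT applied.
    return Test-Path -LiteralPath "Registry::$Key"
}

function Disable-MsdtHandler {
    if (-not (Test-MsdtHandlerPresent)) {
        Write-Output 'ms-msdt handler already absent; nothing to do'
        return
    }
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    $backup = Join-Path $BackupDir ('ms-msdt-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))

    # Step 1 of the advisory: export the key so the change can be undone.
    & reg.exe export $Key $backup /y | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path -LiteralPath $backup)) {
        throw "Backup of $Key failed; not deleting anything"
    }

    # Step 2: delete the key, which unregisters the ms-msdt: URL protocol.
    & reg.exe delete $Key /f | Out-Null
    if (Test-MsdtHandlerPresent) { throw "$Key still present after delete" }
    Write-Output "ms-msdt handler removed; backup saved to $backup"
}

function Restore-MsdtHandler {
    param([Parameter(Mandatory)][string]$BackupFile)
    # Undo step from the advisory: re-import the exported key and confirm it is back.
    & reg.exe import $BackupFile | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-MsdtHandlerPresent)) {
        throw "Restore from $BackupFile failed"
    }
    Write-Output 'ms-msdt handler restored'
}

# Usage (elevated):
#   Disable-MsdtHandler
#   Restore-MsdtHandler -BackupFile 'C:\msdt-backup\ms-msdt-<timestamp>.reg'
```

      Test-MsdtHandlerPresent on its own is a quick way to audit whether a machine still has the handler registered.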

      • Has anyone ever been helped by those wizards?

        To me it also seems like Microsoft is dumbing down the wrong things. The control panel was never a problem for me, but the settings panels now in later versions are just horrible. You have to scroll a lot up and down to do the things you want. The list of installed programs no longer offers version info in settings but it's there in the old control panel tool etc. So in the future it may be necessary to run command line tools to see and do anything useful as an I

      • by gweihir ( 88907 )

        This has been documented everywhere. Why would anybody mention it again? The point is this is a change many people will not do because they fear they might mess it up or be unable to reverse it. MS products have this way of breaking in surprising and obscure ways and the usual way to "fix" them is a re-installation. It does not get much more crappy than this regarding software maintainability. Hence people are afraid to touch anything and the only real way to fix this is an update. Which MS is dragging thei

      • Tldr, run the below workaround: reg delete HKEY_CLASSES_ROOT\ms-msdt /f

        21 replies and not a single mention of the simple way to mitigate the issue...

        A workaround, yes.

        6 weeks after Microsoft was notified, I rather expect an official patch coming through Windows Update.

  • by drinkypoo ( 153816 ) <drink@hyperlogos.org> on Sunday June 05, 2022 @12:58PM (#62595036) Homepage Journal

    ...since Word 5.1 for Macintosh.

    Trying to shoehorn all kinds of DTP and scripting functionality into a Word Processor hasn't gone well at all for Mickeysoft. Even they don't know how the software works any more, per their own specs.

    • by gweihir ( 88907 )

      Even they don't know how the software works any more, per their own specs.

      Available evidence seems to strongly support that statement, yes. A sign of a product that urgently needs to be thrown away because it is broken and cannot be fixed anymore.

    • ...since Word 5.1 for Macintosh.

      That's where you're wrong, kiddo. Things have gone downhill since WordPerfect 5.1 for DOS. That was and still is the ultimate word processing program. The ease of use has yet to be matched.

      Once Microsoft worked to kill off WordPerfect, it's been downhill since.

      • Things have gone downhill since WordPerfect 5.1 for DOS. That was and still is the ultimate word processing program. The ease of use has yet to be matched.

        I prefer WYSIWYG and menus to having to know four functions for every fkey, thanks. My keyboard isn't template compatible.

        • Things have gone downhill since WordPerfect 5.1 for DOS. That was and still is the ultimate word processing program. The ease of use has yet to be matched.

          I prefer WYSIWYG and menus to having to know four functions for every fkey, thanks. My keyboard isn't template compatible.

          WP 5.1 was WYSIWYG. You could literally, in the truest sense of the word, see how your document would look when you printed it. In fact, one of its greatest strengths was being able to see behind the scenes at the formatting codes. Once activated, reveal codes showed you every bold, indent, tab and whatnot. If you couldn't figure out why a word or words weren't doing what you thought they should, reveal codes and edit what you needed. It was absolute granular control.

          Now compare to Word where you have t

          • I use any word processor handy when I want to write a letter, and I use a DTP product for anything more complicated, either Scribus or InDesign depending on the circumstances. But I grew up with a parent who was a graphic artist, and I cut my teeth on Aldus Pagemaker on a Macintosh IIci back in the day, so it just seems natural to me that if I want layout, I should use something with layout. I might write the copy in OO.o Writer or even Word, though the latter is quite unlikely. I don't have much reason to

    • Trying to shoehorn all kinds of DTP and scripting functionality into a Word Processor hasn't gone well at all for Mickeysoft.

      Hasn't it? *Checks Microsoft's market share*. No it really has gone very well for them.

      • Hasn't it? *Checks Microsoft's market share*. No it really has gone very well for them.

        Word hasn't been successful because it's been the best. It's been successful because Microsoft willfully exploited an effective monopoly position [justice.gov], as determined by the USDoJ. But that was a watershed moment, where AG John Ashcroft stated that it was not in the nation's best interest to hold them accountable for their actions. In short, we are no longer enforcing antitrust law in this country, no matter how guilty the parties involved. The only thing that matters now is whether you've greased the right palms

        • Word hasn't been successful because it's been the best.

          No one cares why, the question was if something has or hasn't gone well for them. $15.6bn. That's Q2 2022's revenue from just their Productivity division which is almost entirely due to Office, and it's the only point relevant to the discussion. Clearly they have not been negatively affected.

  • a power house sales and marketing company whose products just happen to involve technology. Mediocre technology at best. Using any Microsoft products in your business IT infrastructure is a bad plan.
  • Anyone who enables macro execution on MS-Office docs by default is asking for trouble. Most professional IT setups disable macros on all shared, emailed, not-locally-created documents. Most private/personal users should disable all macros in MS-Office files.

    99.99% of the MS-Office users would not recognize a macro even if it stops them on the street and slaps them in the face.

    We know MS has added too many features and increased the vulnerability surface a lot. The prudent thing to do is to turn off all the features.

    • by gweihir ( 88907 )

      Au contraire. MS bears all responsibility for this mess. Unless you want to blame the clueless that made an incompetent tech company like MS into more than a historical footnote by buying its broken products?

      • I think the real problem is and always will be that a lot of business people do not know anything about technology. They think of computers and software as appliances and that's just not the case. Sure, some are done well enough that they "just work" but most software has to go beyond appliance level and that adds complexity.

        People unknowingly bought into a technical solution without completely understanding the position they were putting themselves. In some cases, perhaps the pain of becoming an income str

      • My point is, sensible people do not have the market clout to force MS to do the right thing. Much like a Republican/Democrat stuck in a Blue/Red state, there are things that you can't change. Need to put up with the stuff one does not like and try to make the best of the situation. It sucks, no doubt. But MS does not care. Its user base does not care. So we need to do what it takes to protect ourselves.
    • This specific flaw did work even with macros disabled.

  • This is why you only run Microsoft software that is at least 14 years old. Windows 7 and Office 2007 still work just fine, and even if vulnerabilities exist in these the hackers don't care because they're busy hacking the latest and greatest. Of course I jest, but just think about that for a moment.
  • A zero-day exploit is one that attacks a vulnerability that is not yet known by the maker of the software being exploited. This vulnerability has been known for a while now.

    https://en.wikipedia.org/wiki/... [wikipedia.org]

    • It's actually supposed to be "zero days since discovery". The point being that the more days that pass, the more people who will find out about it, and thus, less valuable.

      The term stems from software piracy in the BBS days of the 80's. There used to be different places to upload games based on how old they were, labeled like "0 day", "1 day", "5-10 day", etc.

      I never really understood the obsession so many had with 0 day warez. Like it being new made it better, and tomorrow it'd be less useful.

  • there are a couple of easy and very low impact (for most people) workarounds
  • That's probably why. This article is nonsense, Follina is a non-event
