Site icon TechNewsBoy.com

Microsoft patches Follina threat in latest Patch Tuesday release

Microsoft patches Follina threat in latest Patch Tuesday release

Microsoft has just pushed its June 2022 cumulative update for Windows, including a patch for the dreaded Follina vulnerability.

“Microsoft strongly recommends that customers install the updates to be fully protected from the vulnerability. Customers whose systems are configured to receive automatic updates do not need to take any further action,” Microsoft said in its advisory.

Discovered by cybersecurity expert Kevin Beaumont, and dubbed “Follina”, the flaw leverages a Windows utility called msdt.exe, designed to run different troubleshooter packs on Windows. The researcher found that when the victim downloads a weaponized Word file, they don’t even need to run it, previewing it in Windows Explorer is enough for the tool to be abused (it has to be an RTF file, though). 

Follina abused in the wild

By abusing this utility, the attackers are able to tell the target endpoint (opens in new tab) to call an HTML file, from a remote URL. The attackers have chosen the xmlformats[.]com domain, probably trying to hide behind the similar-looking, albeit legitimate, openxmlformats.org domain used in most Word documents.

The HTML file holds plenty of “junk”, which obfuscates its true purpose – a script that downloads and executes a payload. 

Microsoft’s fix doesn’t prevent Office from loading Windows protocol URI handlers automatically and without user interaction, but it does block PowerShell injection, thus rendering the attack useless.

As soon as it was discovered, researchers started spotting the flaw being abused in the wild. Among its earliest adopters, allegedly, were Chinese state-sponsored threat actors, mounting cyberattacks (opens in new tab) against the international Tibetan community. 

“TA413 CN APT spotted ITW exploiting the Follina 0Day using URLs to deliver Zip Archives which contain Word Documents that use the technique,” cybersecurity researchers from Proofpoint said two weeks ago. The same company also found Follina being abused by another threat actor, TA570, to distribute Qbot, while NCC Group found it being further abused by Black Basta, which is a known ransomware group.

Via: BleepingComputer (opens in new tab)

For all the latest Technology News Click Here 

 For the latest news and updates, follow us on Google News

Read original article here

Denial of responsibility! TechNewsBoy.com is an automatic aggregator around the global media. All the content are available free on Internet. We have just arranged it in one platform for educational purpose only. In each content, the hyperlink to the primary source is specified. All trademarks belong to their rightful owners, all materials to their authors. If you are the owner of the content and do not want us to publish your materials on our website, please contact us by email – abuse@technewsboy.com. The content will be deleted within 24 hours.
Exit mobile version