back to article Zero-day vuln in Microsoft Office: 'Follina' will work even when macros are disabled

Infosec researchers have idenitied a zero-day code execution vulnerability in Microsoft's ubiquitous Office software. Dubbed "Follina", the vulnerability has been floating around for a while (cybersecurity researcher Kevin Beaumont traced it back to a report made to Microsoft on April 12) and uses Office functionality to …

  1. Steve Davies 3 Silver badge
    Boffin

    Just in time for...

    Mega-super-giant Patch Tuesday.

    Or...

    maybe not. We shall have to wait and see how long it takes for MS to close this huge hole.

  2. Clausewitz4.0
    Devil

    Partying like 1999

    This looks like 1999s-era vulnerability.

    All brace for impact.

  3. redpawn

    Clay Tablets

    seldom have this issue. I'm headed back to my yurt now.

    1. Yet Another Anonymous coward Silver badge

      Re: Clay Tablets

      Any news of a vulnerability in vi+Latex yet ?

      1. Michael Wojcik Silver badge

        Re: Clay Tablets

        vi: modeline vulnerabilities. See for example this summary of modeline vulnerabilities in vim. I recall discussions of modeline vulnerabilities in classic vi from comp.unix.security circa 1990.

        LaTeX: I don't offhand recall any published vulnerabilites for LaTeX2e itself, but TeX has always been vulnerable to various filesystem-access attacks, and assorted TeX implementations and backends such as MikTeX and pdfTeX have had them. Web-based LaTeX processors have had scads. (And, of course, if you're targeting PDF for output ... well, PDF, y'know? There are probably vulnerabilities in dvi implementations too.)

        Mind you, I'd much rather use vim and LaTeX, or LyX, to write documents than Word, which is horrible. But the LaTeX toolchains are very complicated and expecting them to be free of vulnerabilities is naive. Better than MS Office, sure, but nothing's perfect.

    2. Kevin McMurtrie Silver badge
      Coat

      Re: Clay Tablets

      Don't mind the dust on this very heavy tablet. Just take it indoors and give it a good brushing. I'll wait outside your yurt while you read it.

      I got a Russian phishing e-mail today and, as far as I can tell, somebody forgot to put the payload in it. It was disappointing to have read this article and then find nothing but a messenger contact in all the Word docs. (No, I didn't use Word to check it. Just unzip and cat.)

  4. jeff_w87

    MS says it's not a problem, but....

    Obviously it is. Same for the really old version of log4j that ships with SQL server - MS says it's not a problem, but it is as well. Wish we could all dump all the MS "insecure by default" OS and Applications. Any Government or Defense Department on this planet should ban MS software from running on their networks, especially if it's a connected system.

    1. Flak
      Coat

      ... a feature!

      'nough said.

  5. Dan 55 Silver badge
    Happy

    Fix already available

    Download patch from www.libreoffice.org.

  6. Peter2 Silver badge

    And so for those of us who actually have to manage sizable desktop estates, eyeing up the options in the admx extensions to extend group policy to cover office, this option stands out:-

    https://admx.help/?Category=Office2016&Policy=word16.Office.Microsoft.Policies.Windows::L_WebPages

    Would blocking opening HTML in word then defang this attack using existing readily available tools if the attack path is opening an HTML file with malicious code in it?

    1. ThatOne Silver badge
      Facepalm

      Sorry but in which reality is it a good idea to let a word processor silently download random stuff from the Wild Wild Web?

      Feature creep at its best.

      1. Yet Another Anonymous coward Silver badge

        All software expands until it can silently install viruses

        1. david 12 Silver badge

          "Any sufficiently complicated ... program contains an ad hoc, informally-specified, bug -ridden, slow implementation of half of Common Lisp."

      2. Doctor Syntax Silver badge

        "Sorry but in which reality is it a good idea"

        In Microsoft's obviously.

        1. ThatOne Silver badge
          Unhappy

          > In Microsoft's obviously.

          Yes, that's the sad part... I mean, I can understand they're greedy bastards, but by now they should have learned some lessons and not make the same mistakes they did back in WinXP days. There is no special monetary profit in persisting being clueless.

          1. Anonymous Coward
            Anonymous Coward

            but by now they should have learned some lessons

            Some of them probably have learned their lesson(s).

            But then there are all the green new hires just out of school. :-(

      3. david 12 Silver badge

        The ability of Word to run enterprise workflows using network objects wasn't feature creep. It was part of the original value proposition.

    2. The Dark Side Of The Mind (TDSOTM)
      Pint

      Nice one. Our "creative" marketing and "digital" departments might be a bit ruffled by that, though.

      Given the fact that the alternative is dire, I might not care this time about the "business' views".

      Have a cold one on my tab :)

  7. ChipsforBreakfast

    The 90's called...

    They'd like their worm back please...

    Son of Melissa??

  8. Doctor Syntax Silver badge

    Somebody publicised this on before notifying MS or possibly after notifying them but before it was patched? Or have I misunderstood?

    1. Michael Wojcik Silver badge

      MS were notified but closed the report as not a security issue. That's mentioned in the article.

      They have since recanted.

  9. James O'Shea

    It appears that

    this is, as usual, a Windows-only problem. It appears to leverage things found only on Windows boxes. So... that means that Word on Macs is. umm, safe? How about the web version of Word? That can work on Windows, and so might be vulnerable... but also works on Macs, and, sort of, on Linux. Can the web version be affected? Enquiring minds want to know. My bowl of popcorn is ready to go.

  10. Auntie Dix
    Mushroom

    Microsoft's TRAP-DOOR "URL Protocols"

    Boy, Micro$haft really left this latest turd to rot for quite some time. Quelle surprise! Reeks of "security through obscurity."

    Macros disabled, there should be nothing more to worry about in Office Fantasyland, except that there is, and most people have no clue about Micro$haft's "URL protocols" and the machinations that it deliberately hides behind them.

    The first time that I saw one of these monikers, my reaction was, "Why is M$ obscuring functionality, via this oddball, non-obvious, proprietary, Registry-buried crap?"

  11. ecofeco Silver badge

    MS never fails to disappoint

    See title.

    If there is one thing you can always count on with MS, it's their never ending quest for failure.

  12. Deimos

    Reclassification time

    How about redefining all M$ products as Russian malware and the Redmond entity as a white supremacist militia ?

    I think that would annoy everyone in authority but please let me know if I missed any buzzwords.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like

Biting the hand that feeds IT © 1998–2022