Symantec: More malware operators moving in to exploit Follina

While enterprises are still waiting for Microsoft to issue a fix for the critical "Follina" vulnerability in Windows, yet more malware operators are moving in to exploit it. Microsoft late last month acknowledged the remote code execution (RCE) vulnerability – tracked as CVE-2022-30190 – but has yet to deliver a patch for it. …

  1. Pascal Monett Silver badge

    "a specially crafted Word document"

    Once again, an attack that is based on the user opening an attachment from someone they don't know.

    I've been getting a few mails this week with the subject "Re: your order is blocked", containing an attachment.

    I haven't ordered anything. If you really think I'm stupid enough to open an attachment from an email I did not request concerning something I did not order, I just wish I had Thor's lightning at my disposal, because I would use it.


    1. IGotOut Silver badge

      Re: "a specially crafted Word document"

      Except for the purchasing department that get a thousand such emails a week.

      1. VoiceOfTruth

        Re: "a specially crafted Word document"

        Try the HR department. Please send us your CVs in Word format. OK...

    2. Michael Wojcik Silver badge

      Re: "a specially crafted Word document"

      Proofpoint recently reported that in organizations they monitor, a majority of phishing messages that make it to end users were coming from compromised vendors and partners. So in many cases it will be people opening attachments from emails which came from the accounts of people they do know.

      You could argue the real problem is MIME (I have never liked MIME), but realistically if we didn't have MIME we'd probably be doing something else equally dangerous.

      The real real problem, of course, is MS Office.

  2. Arthur Daily

    Please Explain

    Why is there some proprietary protocol back-channel talking to MS HQ - in a text processing program. Say WORD for DOS. Every MS protocol - say SMB or this back-channel is bad security, and obscure to deliberate privacy intrusion. Let's hope the EU investigates data leakage. If my document had 'Takeover Bid' some inside traders would be well placed. Let's investigate what leaked, and how much over time.

    1. david 12 Silver badge

      Re: Please Explain

      This is a Diagnostic / Debug API for desktop support. The API doesn't 'talk to MS' and it's a 'protocol' only in the loosest sense.

      The problem is that it's a generic support API that allows use of generic OS functions to report generic applications, for use by generic support organizations.

      Unfortunately, 'generic support organizations' includes criminals as well as your support desk, 'generic OS functions' include downloading and executing malware as well as debug and repair objects, and 'generic support API' supports Outlook, Office, Edge and any other private or open-source application that chooses to use the API.

  3. Anonymous Coward

    A better question

    Is how many other magic url types for its own purposes has MS embedded?

    Guaranteed this is not the only one or two... I've seen at least one other that looks like a possible attack vector.

    1. Anonymous Coward

      Re: A better question

      There's probably loads. Teams has one, and the Teams API is pretty much Swiss cheese as far as I can tell. When people start getting their hands on that things are gonna get juicy.

    2. Anonymous Coward

      Re: A better question

      So we should all trust Windows' built-in security as 'good enough' then?

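The "generic support API" david 12 describes and the "how many other magic url types" question above both come down to URL protocol handlers registered under HKEY_CLASSES_ROOT. The script below is an added example for defenders, not code from the article or any commenter: it lists every registered URL scheme with the command it launches, flags the ms-msdt: handler used in CVE-2022-30190 (the scheme is not named on this page), and with -Remediate applies Microsoft's published workaround of exporting and then deleting that key. The backup path is an assumed default; run it in an elevated PowerShell session.

```powershell
<#
  Audit URL protocol handlers registered on this Windows host and flag
  the ms-msdt handler abused by CVE-2022-30190 (Follina).
  -Remediate backs up the ms-msdt key to a .reg file, then deletes it,
  which is the workaround Microsoft published before a patch shipped.
#>
param(
    [switch]$Remediate,
    [string]$BackupPath = "$env:TEMP\ms-msdt-backup.reg"   # assumed default location
)

$hkcr = 'Registry::HKEY_CLASSES_ROOT'

# A key under HKCR is a URL protocol handler when it carries a "URL Protocol" value.
$handlers = Get-ChildItem -Path $hkcr -ErrorAction SilentlyContinue |
    Where-Object { $_.GetValueNames() -contains 'URL Protocol' } |
    ForEach-Object {
        $cmdKey = Join-Path $_.PSPath 'shell\open\command'
        $cmd = if (Test-Path $cmdKey) {
            (Get-ItemProperty -Path $cmdKey -ErrorAction SilentlyContinue).'(default)'
        } else { '<no command>' }
        [pscustomobject]@{ Scheme = $_.PSChildName; Command = $cmd }
    }

# Review this table: each scheme is a URL type some application registered.
$handlers | Sort-Object Scheme | Format-Table -AutoSize

$msdtKey = Join-Path $hkcr 'ms-msdt'
if (Test-Path $msdtKey) {
    Write-Warning 'ms-msdt protocol handler is registered (CVE-2022-30190 exposure).'
    if ($Remediate) {
        # Back up first so the handler can be restored once a patch is applied.
        & reg.exe export 'HKEY_CLASSES_ROOT\ms-msdt' $BackupPath /y | Out-Null
        & reg.exe delete 'HKEY_CLASSES_ROOT\ms-msdt' /f | Out-Null
        Write-Host "ms-msdt handler removed; backup written to $BackupPath"
    }
} else {
    Write-Host 'ms-msdt protocol handler is not registered.'
}
```

Restoring the handler later is a matter of importing the backup with reg.exe import. Enumerating HKCR takes a few seconds on a typical workstation.
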
  4. Colin Bull 1

    RTF - WTF

    How can an RTF document carry a payload? I thought it was effectively a text document.

    1. Dave Pickles

      Re: RTF - WTF

      RTF documents can include OLE objects.

