Dive Brief:
- Microsoft on Tuesday released a long-awaited security update for the Office zero-day vulnerability known as Follina, two weeks after issuing a workaround and following repeated attacks by nation-state and other threat actors.
- Microsoft urged customers to install the updates as soon as possible. They are included in the June 2022 cumulative Windows updates.
- The Cybersecurity and Infrastructure Security Agency has added the vulnerability to its Known Exploited Vulnerabilities Catalog. The move will drive urgent mitigation across federal networks and underscores the need for all organizations to prioritize critical vulnerabilities.
Dive Insight:
The potential resolution of the Follina vulnerability calmed the nerves of security researchers and other industry executives who watched malicious actors try to take advantage of the situation, but others cautioned the risk could linger for a long time.
The widespread use of Microsoft Office made the vulnerability a lucrative target, as an attacker could use Follina to gain access to a system by enticing users to download a malicious Word document or other files. Researchers had contacted Microsoft back in April, but the company did not consider the vulnerability a serious security issue at the time, according to researchers.
Microsoft reported 345 million paid commercial seats for Office 365 in the fiscal third quarter ended in April, a 16% year-over-year increase. The potential for exploitation is high due to the ability of threat actors to deploy email and use social engineering tactics.
Proofpoint is urging customers to deploy the patch quickly, but cautioned that a vulnerability like this will not go away any time soon.
“This will likely lessen the broad use of this vulnerability, however much like other vulnerabilities easily exploited by email threats, it is likely exploitation will last for many years,” said Sherrod DeGrippo, vice president, threat research and detection at Proofpoint.
DeGrippo said a vulnerability discovered in 2017 in Microsoft Equation Editor remains an issue today.
Scott Walsh, senior security engineer at Coalition, a provider of cyber insurance, said Follina may serve as a wake-up call for the industry to realize that no one is ever really immune to cyber threats.
“Corporate cybersecurity is continually a hot button issue, because we are culturally starting to see that digital risks are the great equalizer of our times and everybody is a target,” Walsh said via email.
Coalition has not yet seen any insurance claims related to Follina, but if organizations fail to patch their systems, claims are expected to follow.
This week, Ukrainian officials linked efforts from the threat actor Sandworm to attacks on media organizations using Follina. The Computer Emergency Response Team of Ukraine said threat actors used compromised government emails to target more than 500 recipients.
Federal officials are working with multiple stakeholders to understand how the vulnerability impacted government agencies, private industry and other organizations.
“CISA is working closely with Microsoft and a number of public and private sector partners to understand potential impacts from this vulnerability and urge everyone to patch affected systems,” Eric Goldstein, executive assistant director for cybersecurity at CISA, said via email.
A federal official who asked not to be identified said federal agencies are being encouraged to deploy the patch from Microsoft.
Tanium had a number of customers, particularly in the financial services sector, that were impacted by the Follina vulnerability, according to Ken Smiley, director of special projects. The security provider worked with them to remediate with a temporary workaround until an official fix was available.
“The good news is we don’t have any specific instances where customers were attacked,” Smiley said.
Smiley said he didn’t know exactly why so many financial services firms were impacted, but said organizations in the financial industry are generally more on top of zero-day vulnerabilities.