Critical vulnerability: Malicious code infiltrated via Microsoft Office
Follina vulnerability (CVE-2022-30190)
The German Federal Office for Information Security (BSI) warns of the Follina vulnerability, in which a specially prepared Word document fetches an HTML file from the internet. Word's remote template feature makes this possible: the document references an external template instead of a local one, and the HTML that is fetched in its place invokes the Microsoft Support Diagnostic Tool (MSDT) via the ms-msdt: protocol handler, which can be misused to execute PowerShell code. No macros are needed, and the code runs with the rights of the user who opened the document, so an attacker could install programs and view, change or delete data.
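Because the attack hinges on the remote template reference inside the .docx, the attachment can be checked for that reference without opening it in Word. The following script is an added example (not from the original advisory and not a tool of the BSI or Microsoft): it unpacks the document as a zip archive, reads every relationship part (*.rels), and reports an attachedTemplate relationship with TargetMode="External" as well as any target that uses the ms-msdt: or search-ms: scheme directly. The file path is an assumption.

```powershell
# Added example: offline check of a .docx for a remote (external) template
# relationship. The sample path is an assumption; point it at the file to check.
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Test-RemoteTemplate {
    param([Parameter(Mandatory)][string]$Path)

    # Relationship type Word uses for "this document is based on template X".
    $attachedTemplate = 'http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate'
    $findings = @()
    $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
    try {
        # Every external reference of an OOXML document is declared in a *.rels part.
        foreach ($entry in ($zip.Entries | Where-Object { $_.FullName -like '*.rels' })) {
            $reader = New-Object System.IO.StreamReader($entry.Open())
            try { [xml]$rels = $reader.ReadToEnd() } finally { $reader.Dispose() }

            foreach ($rel in $rels.Relationships.Relationship) {
                $external   = $rel.TargetMode -eq 'External'
                $isTemplate = $rel.Type -eq $attachedTemplate
                # Some variants put the protocol handler straight into a relationship target.
                $isScheme   = $rel.Target -match '^(ms-msdt|search-ms):'
                if (($external -and $isTemplate) -or $isScheme) {
                    $findings += [pscustomobject]@{
                        Part   = $entry.FullName
                        Type   = ($rel.Type -split '/')[-1]
                        Target = $rel.Target
                    }
                }
            }
        }
    } finally { $zip.Dispose() }
    return $findings
}

# Assumed location of a quarantined attachment.
$hits = Test-RemoteTemplate -Path 'C:\Quarantine\attachment.docx'
if ($hits) {
    Write-Warning 'Remote template or protocol-handler reference found; do not open this file in Word:'
    $hits | Format-Table -AutoSize
} else {
    Write-Host 'No remote template relationship found.'
}
```

A legitimate document that was created from a template on a file share also carries an external attachedTemplate relationship, so a hit is a reason to contact the sender, not proof of an attack; an absent relationship, on the other hand, does not rule out other delivery routes such as RTF.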
Affected versions
Affected are Office 2013, 2016, 2019, 2021 and Microsoft 365 on Windows 10 and Windows 11, in each case in conjunction with the Microsoft Support Diagnostic Tool (MSDT), which ships with Windows.
How to protect yourself
Be suspicious even of supposedly familiar senders. If the displayed sender name and the actual sender address differ, treat this as a clear sign of a spam or phishing mail. Always be careful with file attachments in e-mails, especially Office documents. If in doubt, contact the sender by telephone.
Only open Office documents from trustworthy sources. Be particularly careful with documents in RTF format: with RTF, the malicious code can already be executed by the preview pane in Windows Explorer, without the file being opened at all.
Do you have questions about e-mails or IT security? Then please contact the IT Service Desk by e-mail at servicedesktu-freiberg [dot] de or by telephone at 1818.
Workaround: Deactivate MSDT
Until the security update is installed, Microsoft recommends disabling the ms-msdt: protocol handler of the "Microsoft Support Diagnostic Tool" (MSDT) as a workaround. This only removes the link through which Office can start MSDT; troubleshooters remain available via the Get Help app and the system settings.
Note: This is not a definitive security solution! Install Microsoft's security update as soon as it is available, and restore the deleted key afterwards.
Click on the Windows logo at the bottom left.
Start typing "power" or search for "Windows PowerShell".
Right-click on "Windows PowerShell" and select "Run as administrator".
Confirm the following dialogue with "Yes".
You have now started Windows PowerShell as an administrator.
Enter the following commands.
New-PSDrive -PSProvider registry -Root HKEY_CLASSES_ROOT -Name HKCR
Remove-Item -Path "HKCR:\ms-msdt" -Recurse
If you get the following error message, the key did not exist on your system and everything is fine:
"Cannot find path 'HKCR:\ms-msdt' because it does not exist." (on a German Windows: "Der Pfad 'HKCR:\ms-msdt' kann nicht gefunden werden, da er nicht vorhanden ist.")
You can now close PowerShell.
For Office 2019
If you are using Office 2019, add one more command to the previous steps:
Remove-Item -Path "HKCR:\search-ms" -Recurse
If the command returns without any output, the key has been deleted. If it instead reports that the path "HKCR:\search-ms" cannot be found because it does not exist, the key was not present on your system and nothing further needs to be done.
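The workaround above, collected into one script as an added example (it is not part of the original advisory and not Microsoft's own guidance): it handles both keys, exports each one to a .reg file before deleting it so the handler can be restored once the patch is installed, and verifies the result afterwards. The backup directory is an assumption.

```powershell
# Added example: disable the ms-msdt and search-ms protocol handlers with a backup.
# Must run in an elevated PowerShell; the backup directory is an assumption.
#Requires -RunAsAdministrator

$BackupDir = 'C:\Temp\msdt-workaround'   # assumed location for the .reg backups
$Keys = @('ms-msdt', 'search-ms')        # protocol handlers to remove

if (-not (Test-Path $BackupDir)) {
    New-Item -ItemType Directory -Path $BackupDir | Out-Null
}

# Map HKEY_CLASSES_ROOT as a PowerShell drive so Remove-Item can address it.
if (-not (Get-PSDrive -Name HKCR -ErrorAction SilentlyContinue)) {
    New-PSDrive -PSProvider Registry -Root HKEY_CLASSES_ROOT -Name HKCR | Out-Null
}

foreach ($Key in $Keys) {
    $Path = "HKCR:\$Key"
    if (-not (Test-Path $Path)) {
        Write-Host "$Key : key not present, nothing to do."
        continue
    }
    # Export first, so the key can be restored after the security update is installed.
    $Backup = Join-Path $BackupDir "$Key.reg"
    reg.exe export "HKEY_CLASSES_ROOT\$Key" $Backup /y | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "Backup of $Key failed; the key was NOT deleted."
    }
    Remove-Item -Path $Path -Recurse -Force
    Write-Host "$Key : deleted (backup in $Backup)."
}

# Verification: both handlers must now be absent.
foreach ($Key in $Keys) {
    $State = if (Test-Path "HKCR:\$Key") { 'STILL PRESENT' } else { 'removed' }
    Write-Host ("{0,-10} {1}" -f $Key, $State)
}

# To undo the workaround after patching, import the backups again, e.g.:
#   reg.exe import C:\Temp\msdt-workaround\ms-msdt.reg
```

The check for "key not present" replaces the error message the manual steps rely on: a missing key is the expected state on an already-patched or previously hardened machine, not an error.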
Further information
- heise.de, 30.05.2022: "Zero-Day-Lücke in Microsoft Office ermöglicht Codeschmuggel" (Zero-day hole in Microsoft Office allows code smuggling)
- golem.de, 31.05.2022: "Zero Day in Office ermöglicht Remote Code Execution" (Zero day in Office enables remote code execution)