With the productivity suite battle between Microsoft 365 and Google Workspace hotting up, the last thing either of these tech giants will want is news of cybersecurity vulnerabilities affecting their flagship programs. Unfortunately for Microsoft, however, that is exactly what has happened as a new zero-day vulnerability found in Word is giving hackers a way to take control of victims’ computers. Let’s dig in a little deeper.
The vulnerability was first discovered on May 27 by cybersecurity research team nao_sec, who tweeted about it that day. They found a strange Word document that had been uploaded from an IP address in Belarus and identified it as exploiting a zero-day vulnerability in Office.
This new zero-day vulnerability allows third-party actors to execute code from within Office. It has since been called Follina by Kevin Beaumont, a researcher who has subsequently been looking into it. As Beaumont puts it, “Historically, when there’s easy ways to execute code directly from Office, people use it to do bad things.”
In his long investigation into Follina, Beaumont highlights some of the victims that have been exploited by the bug. Shockingly, these even include attempts at extortion through the use of false sexual misconduct allegations. Other exploits include downloading malicious software and sharing private documents and files.
Unfortunately, Microsoft still doesn’t have a patch for this vulnerability, but the company has released a workaround, which includes disabling the Microsoft Support Diagnostic Tool (MSDT). That isn’t really very helpful, however, for the majority of Word users, who don’t even know what that is.
If you feel comfortable following the instructions laid out in the link above, do it. If not, the main things you need to do right now are to make sure you only ever download files from safe and reputable sources and, if you are unsure about any files you have downloaded recently, to switch to an alternative word processing program like Google Docs until we learn that Microsoft has pushed out a fix for the problem. It isn’t a perfect solution, but until Microsoft releases the patch it is the safest way to protect yourself. As always, keep yourselves safe by checking out our guide to avoid phishing scams, which will help you avoid downloading dangerous files.