How to defend yourself from “Follina”, the Windows bug with the Italian name

Written by aquitodovale

Once, Follina, a small town of 3,800 inhabitants and a Unesco Heritage site in the Province of Treviso, was famous for its splendid Abbey of Santa Maria. Today it is also somewhat famous for a very dangerous bug in the Microsoft Windows operating system that bears its name. The name comes from a coincidence, but it helps us identify the problem more easily.

Because Follina is a big problem: after ignoring it completely for several months, on May 30, 2022 Microsoft officially recognized this bug as a dangerous vulnerability for Windows security, assigned it a Common Vulnerabilities and Exposures (CVE) number and gave it a severity score of 7.8 out of 10. Not bad for a bug named after a village. The main reason it is so dangerous is that Follina is a so-called “low interaction remote code execution” vulnerability. This means it can be exploited remotely and that minimal interaction by the user is enough: the user hardly has to do anything to trigger it. Once triggered, it lets an attacker spy on the user’s data and deliver anything whatsoever to the victim’s computer, including various kinds of malware and viruses.

How Follina works

Follina, several security researchers explain, is specifically a vulnerability in Microsoft Office that allows attackers to attack Microsoft Windows. Everything starts from the usual file attached to the usual email but, unlike other vulnerabilities, the user does not need to open the file and enable macros for code to run.

Instead, Follina relies on the file preview automatically generated by Office and Windows. The preview of the file contains malicious code that activates the Microsoft Support Diagnostic Tool (MSDT). MSDT is a diagnostic tool included in Windows (from Windows 7 onwards) and used by Microsoft’s online support when diagnosing problems.

The attack sequence, therefore, goes more or less like this: the user opens the email, which contains the attachment, which contains the code that activates MSDT, through which an attacker can act remotely on the victim’s computer. Microsoft, in its description of Follina (CVE-2022-30190), explains that the attacker can “install programs, view, modify and delete data, create new accounts based on the privileges of the attacked user”.

Why it is called Follina

At this point, if not earlier, you may be wondering why this security bug has been named “Follina”, like the municipality in the Upper Treviso area. The reason is bizarre, but simple.

Security researcher Kevin Beaumont found, in one of the first attempted attacks, a Word file attachment (the one used to trigger the vulnerability) named “05-2022-0438[.]doc”. The number 0438 is also the telephone area code of Follina, hence the choice of the name for this dangerous bug.

Follina has already been exploited

Since Follina hit the headlines, several companies that develop cybersecurity systems and antivirus software have begun describing probable attacks that have already exploited the bug.

According to Proofpoint, for example, the Chinese hacker group TA413 (which appears to be linked to the Beijing government) has already actively exploited the Follina vulnerability to target the Central Tibetan Administration (i.e. the Tibetan government in exile).

According to MalwareHunterTeam, on the other hand, Follina appears to have been used to deliver virus-infected attachments written in Chinese. Kaspersky, furthermore, has already recorded several attacks in the USA, Brazil, Mexico and Russia.

The latest attack attempt using Follina is contained in an email, thankfully in English, that has been circulating in the last few days. The email mentions a salary increase “as per the attached contract”: the user only needs to click on the attached document to open its preview and trigger Follina.

How to defend yourself from Follina

Follina, therefore, is very dangerous, and Microsoft finally certifies it with a score of 7.8 / 10. Unfortunately, though, Microsoft has not yet released a patch, that is, an update that closes the security flaw. There are, however, at least two ways to defend yourself from Follina.

Since everything almost always starts with an email with an attachment, the first thing to do is protect the mailbox with a good antivirus that can scan attachments thoroughly. That way, if one of the attachments has been crafted to exploit Follina, the email will be blocked.

Microsoft points out that Microsoft Defender is always there, integrated into Windows. Microsoft’s free antivirus may be enough to block attacks based on Follina but, the Redmond company explains, for this to be true cloud-delivered protection must also be left enabled.

It should also be remembered that Follina uses the Microsoft Support Diagnostic Tool, which is not an essential component of Windows and can be disabled. To do this, however, you need to edit the system registry, and this is always a delicate and potentially dangerous operation, not suitable for a beginner.
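The two checks just described, disabling the MSDT protocol handler in the registry (the workaround Microsoft published for CVE-2022-30190 before a patch) and confirming that Defender cloud-delivered protection is on, as an added PowerShell example that is not from the original article. It must run in an elevated session, and the backup file path is an assumed value.

```powershell
# Added example (not the article's own code). Backs up and removes the ms-msdt:
# URL protocol handler so an Office preview can no longer launch MSDT, then
# checks the Defender cloud-protection (MAPS) setting. Run as Administrator.
$HandlerKey = 'Registry::HKEY_CLASSES_ROOT\ms-msdt'

function Test-MsdtHandler {
    # $true while the ms-msdt: handler is still registered (i.e. still exploitable).
    return (Test-Path -Path $HandlerKey)
}

function Disable-MsdtHandler {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Assumed backup location; restore later with: reg import <this file>
        [string]$BackupPath = "$env:SystemDrive\ms-msdt-handler-backup.reg"
    )
    if (-not (Test-MsdtHandler)) {
        Write-Host 'ms-msdt handler not present; nothing to do.'
        return
    }
    if ($PSCmdlet.ShouldProcess($HandlerKey, 'Back up and delete protocol handler')) {
        # reg.exe export writes a re-importable .reg file before anything is deleted.
        & reg.exe export 'HKEY_CLASSES_ROOT\ms-msdt' $BackupPath /y | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "Backup failed; handler left untouched." }
        Remove-Item -Path $HandlerKey -Recurse -Force
        Write-Host "ms-msdt handler removed; backup saved to $BackupPath"
    }
}

function Test-DefenderCloudProtection {
    # MAPSReporting 0 = cloud protection off, 1 = basic, 2 = advanced.
    $pref = Get-MpPreference
    return ($pref.MAPSReporting -ne 0)
}

Disable-MsdtHandler   # add -WhatIf to preview the change without applying it
if (Test-MsdtHandler) { Write-Warning 'ms-msdt handler is still registered.' }
else { Write-Host 'Verified: ms-msdt handler is gone.' }

if (Test-DefenderCloudProtection) { Write-Host 'Defender cloud-delivered protection is on.' }
else { Write-Warning 'Defender cloud-delivered protection is OFF; enable it in Windows Security.' }
```

Re-import the saved .reg file once Microsoft's patch is installed if MSDT-based support diagnostics are needed again.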

While waiting for Microsoft to publish a patch against Follina, therefore, it may be worth taking the computer to a technician and asking them to do everything possible to “strengthen the immune system” of Windows.

