Microsoft finally fixes Windows zero-day flaw exploited by state-backed hackers

Microsoft has finally released a fix for “Follina,” a zero-day vulnerability in Windows that’s being actively exploited by state-backed hackers.

A fix for the high-severity vulnerability — tracked as CVE-2022-30190 — has been released as part of Microsoft’s monthly release of security patches, known as Patch Tuesday. But as noted by cybersecurity firm Sophos, the fix isn’t on the list of patches included in the release — though Microsoft has confirmed Follina is now mitigated.

“Microsoft strongly recommends that customers install the updates to be fully protected from the vulnerability,” Microsoft said in a June 14 update to its original advisory.

The Follina flaw has been exploited by attackers to execute malicious PowerShell commands by way of the Microsoft Diagnostic Tool (MSDT) when opening or previewing malicious Office documents, even if macros are disabled. The vulnerability affects all Windows versions still receiving security updates, including Windows 11, and enables threat actors to view or delete data, install programs and create new accounts on compromised systems.
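A defender-side check for the document delivery pattern described above, added here as an example that is not from the article, from Microsoft or from any of the firms quoted. It assumes the publicly documented Follina chain, which the article does not spell out: a .docx whose relationships reference an external OLE object that in turn reaches the ms-msdt: protocol handler. The sample packages it scans are constructed in memory.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from typing import List, Optional

# Relationship type and handler scheme seen in the Follina chain (public analysis,
# not stated in the article): an external oleObject relationship and the ms-msdt: scheme.
OLE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
MSDT_SCHEME = re.compile(rb"ms-msdt:", re.IGNORECASE)


def follina_indicators(docx_bytes: bytes) -> List[str]:
    """Return findings for an Office package: external oleObject relationships
    (the loader pattern) and any part that mentions the ms-msdt: handler."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as pkg:
        for name in pkg.namelist():
            data = pkg.read(name)
            if name.endswith(".rels"):
                # Relationship attributes are unnamespaced, so match on them directly.
                for rel in ET.fromstring(data).iter():
                    if rel.get("Type") == OLE_REL and rel.get("TargetMode") == "External":
                        findings.append(f"{name}: external oleObject -> {rel.get('Target')}")
            if MSDT_SCHEME.search(data):
                findings.append(f"{name}: references ms-msdt: handler")
    return findings


def build_sample(external_target: Optional[str] = None,
                 extra_part: Optional[str] = None) -> bytes:
    """Construct a minimal .docx in memory (constructed test data, not a real sample)."""
    rels = ['<?xml version="1.0" encoding="UTF-8"?>',
            '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">']
    if external_target:
        rels.append(f'<Relationship Id="rId9" Type="{OLE_REL}" '
                    f'Target="{external_target}" TargetMode="External"/>')
    rels.append("</Relationships>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("word/document.xml", "<w:document/>")
        pkg.writestr("word/_rels/document.xml.rels", "\n".join(rels))
        if extra_part:
            pkg.writestr("word/embedded.htm", extra_part)
    return buf.getvalue()
```

Run `follina_indicators` over document bytes pulled from a mail gateway or file share; an empty list means neither indicator was found, which is a heuristic, not proof of a clean file.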

Cybersecurity researchers first observed hackers exploiting the flaw to target Russian and Belarusian users in April, and enterprise security firm Proofpoint last month said that a Chinese state-sponsored hacking group was exploiting the zero-day in attacks targeting the international Tibetan community. Follina is now also being abused by a Chinese threat group tagged as TA570 in ongoing phishing campaigns to infect victims with the Qbot banking trojan and in phishing attacks targeting U.S. and European government agencies.

The Follina zero-day was initially flagged to Microsoft on April 12. However, a security researcher who goes by the handle Crazyman and was credited with first reporting the vulnerability said in a tweet that Microsoft initially tagged the flaw as not a “security-related issue”.

“There was significant speculation leading up to Patch Tuesday about whether Microsoft would be releasing patches given Microsoft’s initial dismissal of the flaw and its widespread exploitation in the weeks since its public disclosure,” Claire Tills, senior research engineer at cybersecurity firm Tenable, tells TechCrunch, noting that this is becoming a “worrying trend.”

“Tenable discovered and disclosed two vulnerabilities in Microsoft’s Azure Synapse Analytics, one of which has been patched and one which has not,” she added. “Neither of these vulnerabilities were assigned CVE numbers or documented in Microsoft’s security update guide for June.”

In addition to mitigating Follina, Microsoft fixed three “critical” remote code execution (RCE) flaws. However, none of these have yet been actively exploited.