Follina Patch Finally Out!

Diving into details

• Referred to as Follina, the flaw is tracked as CVE-2022-30190. It affects multiple Office versions, including Office 2013, Office 2016, Office 2021, and Office Pro Plus. 
• It works without elevated privileges, bypasses Windows Defender, and runs scripts or binaries without enabling macros. 
• The vulnerability impacts all Windows versions receiving security updates, including Windows 11. 

Abusing the flaw

• A phishing campaign was found targeting U.S. local governments and European governments, via malicious RTF documents. The attackers harvested huge troves of information from browsers, such as Chrome, Edge, Firefox, and Opera. 
• China-based TA413 APT group exploited the flaw to target the international Tibetan community by masquerading as the Women Empowerment Desk of the Central Tibetan Administration. 
• The flaw was, moreover, abused to propagate the Qbot malware by TA570. The group hijacked email threads with HTML attachments. 
• The CERT-UA warned against the Russian Sandworm APT allegedly exploiting Follina, since at least April. The attackers targeted over 500 recipients in Ukrainian media organizations, including newspapers and radio stations. 

Patch is out