Follina Microsoft Vulnerability


How Can I Prevent the Follina Microsoft Vulnerability?

A new Microsoft Office vulnerability dubbed “Follina” could allow cyberattackers to gain control of impacted systems. We spoke with James Fair about what that means, what you can do, and how collaboration is helping combat this and other attacks.

About the Follina Microsoft Vulnerability

The name Follina came from its zero-day code 0438, which happens to be the area code of Follina, Italy.

Follina has been dubbed a zero-day vulnerability for Microsoft Office, and folks who aren’t IT consultants are probably wondering exactly what that term means.

A zero-day vulnerability is one for which the developers have not yet produced a patch. The term’s literal meaning comes from the fact that it’s day zero, the first day of discovering that something is being used “in the wild,” as IT experts call it. Therefore, no patch exists yet.

How it works: Follina takes advantage of a vulnerability discovered in the Windows Support Diagnostic Tool. It allows a cybercriminal to send a victim a Word document loaded with malware, and the victim’s system will execute whatever code that document carries once it is opened.

IT experts like our team have seen a solution, which involves a registry change, but they don’t recommend that path for the average user. However, if you’re tech-savvy and know how to back up your registry before making changes, then you might apply this single-line registry change.
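For readers who do want to apply that change carefully, here is an added PowerShell example (not from the article or from Microsoft) that does it the way an administrator would: back up the key first, remove it, verify, and keep an undo path. The key it touches, HKEY_CLASSES_ROOT\ms-msdt, is the ms-msdt: protocol handler registration named in Microsoft’s public workaround guidance; the article itself does not name the key. The backup file location is an assumption you can change. Run it from an elevated PowerShell prompt.

```powershell
# Added example, not code from the article. Backs up and then removes the
# ms-msdt: URL protocol handler registration so that Office documents can no
# longer launch the diagnostic tool through that handler.
# Key name comes from Microsoft's published workaround, not from the article.
#Requires -RunAsAdministrator

$Key        = 'HKEY_CLASSES_ROOT\ms-msdt'
$BackupFile = Join-Path $env:ProgramData 'ms-msdt-backup.reg'   # assumed location

function Backup-MsdtHandler {
    # Export the key before touching it so the change can be reversed later.
    if (-not (Test-Path "Registry::$Key")) {
        Write-Host "$Key is not present; nothing to back up or remove."
        return $false
    }
    & reg.exe export $Key $BackupFile /y | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path $BackupFile)) {
        throw "Backup of $Key failed; aborting without changing the registry."
    }
    Write-Host "Backed up $Key to $BackupFile"
    return $true
}

function Disable-MsdtHandler {
    # Remove the handler only after a verified backup exists.
    if (Backup-MsdtHandler) {
        & reg.exe delete $Key /f | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "Failed to delete $Key" }
    }
}

function Test-MsdtHandlerRemoved {
    # Returns $true when the handler key is gone, i.e. the workaround is in place.
    return -not (Test-Path "Registry::$Key")
}

function Restore-MsdtHandler {
    # Undo step: re-import the backup once the vendor patch has been installed.
    if (-not (Test-Path $BackupFile)) { throw "No backup found at $BackupFile" }
    & reg.exe import $BackupFile | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Failed to import $BackupFile" }
    Write-Host "Restored $Key from $BackupFile"
}

Disable-MsdtHandler
if (Test-MsdtHandlerRemoved) {
    Write-Host 'ms-msdt handler removed; keep the .reg backup to undo after patching.'
}
```

Once Microsoft’s automatic update lands, call Restore-MsdtHandler to put the key back so the diagnostic tool works normally again.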

Follina Isn’t a New Concept

Follina isn’t a unique concept. Organizations have been dealing with malware sent via Office documents for years. By no means should you ignore the threat of Follina, but the surest solution remains constant: Don’t click on documents you don’t trust. Don’t open a Word document with a suspicious name and a misspelling that arrived at 2 a.m. from someone you think you know. So while, on the one hand, Follina is bad and could potentially be exploited, the flip side is that if you’re aware or have some level of healthy paranoia (which we always encourage), then you’re pretty safe. It’s preventable.

Can you Prevent Malware?

The idea that hackers can load malicious code into a Word or Excel file that could launch a ransomware attack and encrypt your system is not new. Follina just happens to target the Microsoft diagnostic tool. Microsoft has put a great deal of effort into preventing malware in later revisions of Office. Now when you open a document that came from online, you may see a warning that it’s being opened in a sandbox or protected mode. So unless you open something stored locally on your computer or from a source you set as trusted, documents will open in a mode that does not allow executables to run.

Sandbox: A sandbox environment is an isolated virtual machine where potentially unsafe software code can execute without affecting network resources or local applications. Outside of cybersecurity, developers also use sandboxes to run code before widespread deployment; this helps them avoid large-scale outages or errors with their site, app, etc.

However, we still are seeing links sent inside an Excel or Word document that say something like, “Here’s the link to get to your invoice,” which turns out to be a link to ransomware. That’s how cybercriminals are getting around that protection.

Microsoft has also locked down the actual product. They have more robust email attachment scanning tools, but this current vulnerability is slipping through because it’s zero-day, and there’s been nothing yet built to prevent it from coming through.

Currently, our best advice is to be cautious, and when in doubt, don’t open questionable documents.

Collaboration Improves Response Time

Fortunately, the security world is more collaborative than it used to be, which has fostered quicker response times. We’ve already seen someone say, “Hey, we found this exploit,” and then someone else comes back and says, “I’ve found the solution for it.” By 3:00 p.m., Microsoft has released a registry change. Subsequently, all the security sites are saying, “Here, run this registry change or run this command line, and it will stop the exploit from being a challenge.”

Now that the code is out in the open, it should be a matter of days, if not hours, before Microsoft rolls out an update that applies automatically, rather than us having to apply these changes on our own. This more collaborative environment has fostered a quicker turnaround.

Rather than keeping users in the dark, pretending it’s not really happening, or spending months getting a solution ready to roll out, we’re seeing a lot of pressure from online sites. They find flaws, bring them up to Microsoft, and as a result, their turnaround is much faster.

The Computer Fraud and Abuse Act (CFAA)

That collaborative environment also extends to the Justice Department recently changing its tune on the Computer Fraud and Abuse Act, also known as the CFAA. Initially introduced in 1986, it gave much leeway to prosecute anyone who seemed to be hacking anything.

Back in ’71, a guy named Steve Jobs and another named Steve Wozniak exploited AT&T’s phone system to prank call the pope using a device they made called a blue box. Nowadays, people are being threatened with prison sentences for anything like that which is perceived as a hack.

In 2011, Aaron Swartz downloaded millions of academic articles through a subscription database service that MIT had given him access to via a guest account. He was threatened with 35 years in prison and a $1 million fine, and he ended up committing suicide over it.

The law is very subject to interpretation, which can be very heavy-handed. If some white-hat hacker comes along and says, “Hey, I found this exploit,” the Justice Department could ask, “Well, how did you find it? You had to attempt to ‘hack’ in order to discover that vulnerability, so now you can be prosecuted under this law.”

CFAA Changes

Now, they are finally getting smart about this and realizing that if they keep this up, good people are going to stop attempting to find problems and alert the world to issues that we need to do something about.

Previously, this law seemed to apply to things as innocuous as using a fake birthday when setting up some sort of online profile. All of us have fudged that at some point, whether entering a fake email address or a fake birthday, because you don’t want to give your information. That’s violating terms of service, which technically violates this act.

However, this is a policy change, not a law change. No one has updated the CFAA yet. That means that depending on the administration and the Supreme Court, the enforcement interpretation could change again. We certainly hope it holds and that we continue to be headed in the right direction.


The bottom line for today and dealing with Follina from a business perspective remains the same:

  • As always, please maintain a healthy paranoia about your email, which is the most common attack vector.
  • Watch for suspicious emails, and don’t click on them.
  • Reach out. If you’re unsure, ask your IT department. If you know the person, but it still feels off, reach out to that person via chat/phone and get confirmation.

It’s unlikely that your grandma sent you an email at 3 a.m. telling you to click a link, even though she may have been up that early. Be aware, and be safe!

This article was written from one of our Between the Bytes podcast episodes; you can find all of our episodes here!
