Check Point has issued a clarification on the zero-day vulnerability in Microsoft Office recently revealed by researchers, which can allow malicious code to run on a victim’s computer by means of a malicious Word document. In the vulnerability, called “Follina”, a Word document uses a remote template function to retrieve an HTML file from a remote server. PowerShell can then be executed with the help of an ms-msdt MSProtocol URI scheme.
Remote Code Execution (RCE) attacks allow an attacker to remotely execute malicious code on a computer. The impact of an RCE vulnerability can range from the execution of malware to an attacker gaining complete control over the attacked computer.
Check Point customers are protected by Threat Extraction, which provides users with clean, threat-free files in real time, ensuring a high level of security while maintaining business flow. Email attachments and web downloads that could be affected by the new vulnerability are cleaned up in real time, so that users receive secure content without being exposed to the risks that could lurk in the original file.
Check Point strongly recommends paying regular attention to the following points:
- Never open documents that you do not expect, even if they come from well-known senders.
- Do not turn off the protected mode of documents coming from the Internet or from e-mail, unless there is a clear need.
- Do not open any .rtf files that come from the Internet, not even in preview mode.
Office 2013, 2016, 2019, 2021 and some versions of Office included in a Microsoft 365 license are affected by this vulnerability on both Windows 10 and Windows 11. Microsoft has published protection instructions and assigned the number CVE-2022-30190 to this vulnerability. The researchers at Check Point are closely following this development and will report further as more information becomes available.
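The remote template retrieval described at the top leaves a trace inside the document package, because an Office Open XML file records externally loaded resources as relationships marked `TargetMode="External"`. The following triage script is an added example, not code from Check Point or Microsoft; it generalizes the check to any external relationship other than a hyperlink, and the function names and the `example.invalid` URLs in the sample are constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET  # for bulk scanning of untrusted files, consider defusedxml

PKG_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
DOC_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"

def external_references(docx_bytes):
    """List (part, relationship kind, target) for external non-hyperlink relationships."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            try:
                root = ET.fromstring(zf.read(name))
            except ET.ParseError:
                findings.append((name, "unparseable", ""))  # malformed part: review manually
                continue
            for rel in root.iter(f"{{{PKG_NS}}}Relationship"):
                if rel.get("TargetMode", "").lower() != "external":
                    continue  # internal parts live inside the ZIP itself
                kind = rel.get("Type", "")
                if kind == f"{DOC_NS}/hyperlink":
                    continue  # hyperlinks need a click; they are not loaded on open
                findings.append((name, kind.rsplit("/", 1)[-1], rel.get("Target", "")))
    return findings

def build_sample(with_remote_template):
    """Constructed test input: a minimal OOXML-style ZIP, not a real Word document."""
    def rels(*entries):
        body = "".join(
            f'<Relationship Id="rId{i}" Type="{DOC_NS}/{kind}" Target="{target}" TargetMode="External"/>'
            for i, (kind, target) in enumerate(entries, 1))
        return f'<Relationships xmlns="{PKG_NS}">{body}</Relationships>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/_rels/document.xml.rels", rels(("hyperlink", "https://example.invalid/page")))
        if with_remote_template:
            zf.writestr("word/_rels/settings.xml.rels",
                        rels(("attachedTemplate", "https://example.invalid/template.dotm")))
    return buf.getvalue()

if __name__ == "__main__":
    for part, kind, target in external_references(build_sample(True)):
        print(f"{part}: external {kind} -> {target}")
```

A finding is a reason to inspect the file in an isolated environment, not proof of malice, since some legitimate documents attach templates from internal file shares.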