0patch releases free fix for Follina vulnerability in Windows as Microsoft apparently can't be bothered
This week, we have written about the Follina zero-day vulnerability that allows for remote code execution on a victim's computer. Despite having been known about for a number of weeks, Microsoft is still yet to issue a patch for the actively exploited critical security flaw, instead simply offering details of a workaround.
As has been the case in the past, a third party has come to the rescue. Micro-patching firm 0patch has released a free fix for the vulnerability -- for Windows 11, Windows 10, Windows 7 and Windows Server 2008 R2 -- which is tracked as CVE-2022-30190 and relates to the Microsoft Windows Support Diagnostic Tool (MSDT) component of Windows.
Why has Microsoft still not fixed a weeks-old, actively exploited vulnerability affecting Windows 11 and more?
Yesterday we wrote about a zero-day vulnerability called Follina which allows for remote code execution on a victim's computer. While the flow -- tracked as CVE-2022-30190 -- has been described as an Office vulnerability, it is really the result of a security issue with a component of Windows.
A problem exists in the Microsoft Windows Support Diagnostic Tool (MSDT) which is found in all supported versions of Windows, including Windows 11. The vulnerability has been billed as an Office vulnerability as using a malicious Word file is one of the easiest attack vectors to exploit the flaw. But what is worrying about the vulnerability, apart from the fact that Microsoft has not fixed it yet, is that the company was made aware of the fact that it was being actively exploited way back on April 12.
Microsoft reveals workaround for Office zero-day vulnerability that can be used to launch malicious PowerShell commands
While Microsoft may be quick to point out security vulnerabilities in other companies' products, its own software is far from infallible. A good example of this is the recently discovered 'Follina' security hole that affects Microsoft Office.
The vulnerability can be exploited to launch PowerShell and execute a variety of malicious commands; all that a victim needs to do is open a specially crafted Word file. Tracked as CVE-2022-30190, Microsoft has released details of a workaround that helps to mitigate the issue.