A gaping vulnerability in a very common set of computer programs is putting your assets at risk. As news of a Microsoft (NASDAQ:MSFT) Office exploit surfaces, blockchain security company CertiK warns users that the implications for crypto theft are massive. The news shows how bad actors are adapting to theft mitigation efforts and looking to more subversive methods for stealing assets.
Earlier this week, the U.S. Cybersecurity & Infrastructure Security Agency (CISA) revealed a critical zero-day vulnerability in Microsoft’s Office product suite. A “zero-day vulnerability” is a term referring to a bug that had previously been completely unnoticed, and thus unpatched, by the developers. Dubbed the “Follina” vulnerability, the bug targets the Microsoft Support Diagnostic Tool (MSDT) used not just on Office products, but most Microsoft offerings in general.
Using Follina, hackers can take control of an entire computer system by gaining certain administrator privileges through MSDT. From there, they can slowly take full control over the computer. The exploit is delivered through phishing scams; hackers get victims to open Office files in order to get their foot in the door. From there, they can begin slowly taking over a device’s privileges.
Microsoft is confirming the existence of this vulnerability this week. In addition, it is providing steps for Office owners to take to ensure hackers will have a more difficult time exploiting the vulnerability. As of right now, the solution seems to be disabling the MSDT of Office programs.
CertiK Warns That Crypto Users Are Among the Most at Risk
The Follina bug is no good for any computer user; having somebody access your personal information is a scary and vulnerable experience. Hackers can use the bug to access private documents, manipulate files and impersonate users to lure in more victims. But CertiK warns that investors who store digital assets online should be paying extra attention to the news.
A spokesperson for CertiK provides InvestorPlace with the company’s detailed report on the Follina bug. Reframing the hack in a crypto context, the company reports that the exploit allows hackers access to sensitive information, including passwords used to protect assets online. Take non-custodial wallet MetaMask, for example: With Follina, hackers can access a victim’s MetaMask browser extension with ease. Using passwords stored in the device’s memory, these hackers can quickly move crypto assets to another wallet.
With this in mind, CertiK emphasizes the importance of storing one’s private keys offline. Using a hardware wallet like Trezor renders hackers incapable of stealing assets using the Follina bug alone. “Neglecting to use a hardware wallet is the predominant reason a zero-day vulnerability such as this one results in stolen crypto funds,” the company says.
CertiK says that the bug is just another example of phishing’s growing popularity as a method of scamming in 2022. “These types of attacks will continue to grow due to its low cost and how adaptable phishers tend to be in evading the latest defenses,” CertiK says. The rise in popularity of platforms like Discord or Telegram is another reason for this rise; through these, it’s becoming even easier for hackers to distribute malicious links.
The news is massive, too, because it reminds investors that no company is safe from scams. Even tech monoliths like Microsoft aren’t foolproof against the increasingly pervasive scam industry. On Twitter, CertiK is using the discovery as a call to action to “take security measures to secure Web3.”
On the date of publication, Brenden Rearick did not have (either directly or indirectly) any positions in the securities mentioned in this article. The opinions expressed in this article are those of the writer, subject to the InvestorPlace.com Publishing Guidelines.