Cybersecurity Advisory: Microsoft "Follina"

High priority

Recently, news regarding a new critical vulnerability in Windows has been disclosed, and we wanted to share a quick advisory with our community.

The new vulnerability, dubbed "Follina", is primarily spread via malicious Office 365 files (think Word, Excel, PowerPoint, etc.), and is classified as a "zero-click" vulnerability. Essentially, that means you do not need to interact with the file in any way for the vulnerability to be exploited; the file only needs to exist on the system.

If successfully carried out, the attack allows a remote actor to execute malicious code of their choosing, which could lead to things such as password or data theft.

So, what can you do to protect yourself and your devices? We've put a few tips below on how to keep yourself safe. The best part is that these tips do not apply only here; they can keep you safe in other situations, too:

  • Be overly cautious of files that you did not request: If you receive a file attached to an email, or you receive any email claiming that someone has "shared" a file with you (usually through SharePoint or Google Drive), but you did not request that file yourself, or you have no knowledge that this file would be sent to you, do not download the file, and delete the email.
  • Do not download Microsoft Office files from the open Internet: Until an official fix is released by Microsoft, avoid downloading any Microsoft Office files from the open Internet, even if you think the source is trusted (such as community-built Excel templates). The ease of execution means anybody could potentially upload malicious files to third-party websites.
  • Impersonation attempts: If you receive an email claiming to be from President Manion, or another member of Edgewood College's leadership, asking you to download a file for a "task" that "needs to be done immediately", verify with that person directly, or with your direct supervisor, before taking any action.

While Edgewood College-owned devices are protected by CrowdStrike in the event of an accidental execution, that protection does not extend to your personal devices. We encourage our community to use caution and, as always, to keep your devices up to date to get the latest security protections.

This message is brought to you by Edgewood College Information Technology Services Office.