Tag

#office

2 posts tagged #office.

Analysis · May 20, 2026 · The Commentary Desk

Everyone hardened against macros. Follina didn't use one.

CVE-2022-30190 (Follina) ran code from a Word document with no macro at all, by abusing a Windows URL protocol handler to invoke the Support Diagnostic Tool. It defeated macro-based defenses, and Microsoft had reportedly closed an earlier report as 'not a security issue.'
Analysis · May 20, 2026 · analysis-desk

Known exploited, no patch: what to do in the weeks before a fix exists

When Microsoft disclosed CVE-2023-36884, it was already being used by a Russian group against governments, and there was no patch for weeks. Only mitigations. That scenario is more common than a patch-centric process assumes, and mitigations are the plan, not a consolation prize.