This is one update that all Windows users will want to install as soon as they can: in a successful attack, a hacker can use this vulnerability to view, change, and delete data, as well as create new Windows accounts. Some critics have called out Microsoft for the time it took to issue the patch, saying the software corporation should have taken action several years ago, when the flaw was first disclosed in a 2020 academic paper.

The Follina Zero-Day Flaw

The exploitable flaw allows hackers to create a malicious Word document that ultimately gives the attacker undetected control of the Microsoft Support Diagnostic Tool (MSDT). Without Microsoft’s latest patch, this zero-day vulnerability lets hackers infect all currently supported versions of Windows.
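The chain described above (an Office document driving the Microsoft Support Diagnostic Tool) leaves a recognisable trace in process-creation telemetry. The following detection logic is an added example, not code from the original article or from Microsoft; the event field names are modelled on Sysmon-style process-creation records, and the sample events are constructed for illustration.

```python
"""Flag Follina-style process chains in process-creation events.

Assumptions (not from the article): events are JSON objects with the
Sysmon-like fields Image, ParentImage and CommandLine. The indicators are
an Office process spawning msdt.exe, or msdt.exe being launched via the
ms-msdt: URI handler that the malicious document abuses.
"""
import json
import ntpath

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}


def is_suspicious(event: dict) -> bool:
    """Return True if the event matches the Follina process chain."""
    image = ntpath.basename(event.get("Image", "")).lower()
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    cmdline = event.get("CommandLine", "").lower()
    if image != "msdt.exe":
        return False
    # An Office application launching the diagnostic tool is the hallmark.
    if parent in OFFICE_PARENTS:
        return True
    # The ms-msdt: protocol handler in the command line is the other tell.
    return "ms-msdt:" in cmdline


def scan(lines: list[str]) -> list[int]:
    """Return the indices of JSON event lines that look like Follina."""
    flagged = []
    for i, line in enumerate(lines):
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed telemetry rather than crash
        if is_suspicious(event):
            flagged.append(i)
    return flagged


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    '{"Image": "C:\\\\Windows\\\\System32\\\\msdt.exe", "ParentImage": "C:\\\\Windows\\\\explorer.exe", "CommandLine": "msdt.exe -id NetworkDiagnosticsWeb"}',
    '{"Image": "C:\\\\Windows\\\\System32\\\\msdt.exe", "ParentImage": "C:\\\\Program Files\\\\Microsoft Office\\\\root\\\\Office16\\\\WINWORD.EXE", "CommandLine": "msdt.exe /id PCWDiagnostic"}',
    '{"Image": "C:\\\\Windows\\\\System32\\\\cmd.exe", "ParentImage": "C:\\\\Windows\\\\explorer.exe", "CommandLine": "cmd.exe /c dir"}',
    '{"Image": "C:\\\\Windows\\\\System32\\\\msdt.exe", "ParentImage": "C:\\\\Windows\\\\System32\\\\sdiagnhost.exe", "CommandLine": "ms-msdt:/id PCWDiagnostic"}',
]

if __name__ == "__main__":
    print("flagged event indices:", scan(SAMPLE_EVENTS))  # → [1, 3]
```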

Critics Call Microsoft’s Response Too Slow

Once a potentially exploitable software flaw is live, in many cases it’s impossible to say whether it has been discovered and used by a hacker. With the Follina flaw, though, evidence shows that it has been exploited, both by state-backed actors and by cybercriminals. In one case, a Chinese hacking group used the bug in attacks aimed at the Tibetan diaspora, and in another instance it was used in phishing attacks targeting both US and EU government agencies.

As a recent ArsTechnica article details, a description of the flaw had been available to Microsoft since 2020, and researchers from Shadow Chaser Group said this April that they had reported to Microsoft an ongoing malicious spam campaign exploiting Follina. However, despite multiple warnings, Microsoft didn’t classify Follina as a vulnerability until May 30. Once it acknowledged the flaw, Microsoft immediately suggested multiple workarounds and issued its full patch two weeks later.

Hopefully, Microsoft moves forward from this public criticism with a renewed focus on keeping security tight. If not, we’ll keep hearing about critical security flaws after they’ve been exploited and not before. For the typical Windows user, there’s not much recourse aside from investing in antivirus software and — in this particular case — refraining from ever opening Word files from suspicious sources.