Follina in the Wild
Summary
Microsoft published guidance for a vulnerability impacting the Microsoft Support Diagnostic Tool (MSDT). This vulnerability is also known as “Follina” and has been designated CVE-2022-30190. From last year’s trends, we know that Phishing is the top attack vector being utilized by ATP groups to establish a foothold. Described by Microsoft as a remote code execution flaw in the Microsoft Windows Support Diagnostic Tool (MSDT) and tracked as CVE-2022-30190, it impacts all Windows client and server platforms still receiving security updates (Windows 7 or later and Windows Server 2008 or later).
Given the low level of complexity to execute this vulnerability and the security community has seen active use in the wild indicate this should be remediated to limit and prevent risk. Chinese-linked threat actors are now actively exploiting a Microsoft Office zero-day vulnerability (known as ‘Follina’) to execute malicious code remotely on Windows systems.
Advisory Details
Date: May 30thth 2022
Update: June 1st 2022
Risk: Critical
Priority: Critical
Remediation
Although a patch for this vulnerability is not yet provided, we recommend the following the mitigations provided by Microsoft
- https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/
- https://www.bleepingcomputer.com/news/microsoft/microsoft-shares-mitigation-for-office-zero-day-exploited-in-attacks/
Disabling the MSDT URL Protocol
- Run the Command Prompt as Administrator.
- Execute the command “reg export HKEY_CLASSES_ROOT\ms-msdt filename,” to back up the registry.
- Execute the command “reg delete HKEY_CLASSES_ROOT\ms-msdt /f,” to block the MSDT URL protocol from accessing embedded URLs in word docs.
Disable the Preview pane in Windows Explorer since this is another attack vector exploitable when targets preview the malicious documents.
Reference
- https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-30190
- https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/
- https://www.bleepingcomputer.com/news/microsoft/microsoft-shares-mitigation-for-office-zero-day-exploited-in-attacks/