Blog: DFIR
Follina 0day exploit. Malicious code execution in Office docs
Disclaimer: I know this isn’t a unique post on the subject, and that many other outlets are covering it, but this zero-day is so serious that it needs as much coverage as possible. It simply needs shouting about.
Updated 06/06/2022 following advice from Microsoft’s @reybango.
The vulnerability was reported to Microsoft by Shadow Chaser Group member @CrazymanArmy.
What is it?
It exists in Microsoft Windows Support Diagnostic Tool (MSDT), enabling remote code execution. It’s been assigned a CVE and Microsoft provide details here CVE-2022-30190.
Microsoft says:
A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word. An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights.
Put more simply; it makes Arbitrary Code Execution attacks possible when previewing or opening documents.
How do I deal with it?
There are two protocol handlers that need to be unregistered: ms-msdt and search-ms.
ms-msdt
Microsoft were quick to publish a workaround to prevent attacks that exploit the vulnerability: https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/
The advice in that post is to disable the MSDT URL Protocol:
- Run Command Prompt as Administrator.
- To back up the registry key, execute the command “reg export HKEY_CLASSES_ROOT\ms-msdt filename“
- Execute the command “reg delete HKEY_CLASSES_ROOT\ms-msdt /f”.
search-ms
@hackerfantastic published advice here. He said “Note that this is not CVE-2022-30190 but uses the same OLEObject vector as CVE-2021-40444 and CVE-2022-30190, however as it requires additional user interaction and an outbound UNC connection the CVSS risk score is reduced. It is also currently unpatched but mitigation steps work“.
The steps are:
- Run Command Prompt as Administrator.
- To back up the registry key, execute the command “reg export HKEY_CLASSES_ROOT\search-ms filename“
- Execute command “reg delete HKEY_CLASSES_ROOT\search-ms /f”.
As with all workarounds it’s on you to vet and investigate before deploying them.
There’s more detail from the nao_sec cyber security research team here.
SANS have produced an analysis and remediation video here.
- 19:20 Mitigations
- 27:50 Detecting
Why is it called Follina?
Here’s why, thanks @GossiTheDog!