Yesterday we reported the emergence of a new zero-day affecting Microsoft Office and other Microsoft products, dubbed Follina by researcher Kevin Beaumont. The issue exists in all currently supported Windows versions, and can be leveraged via Microsoft Office versions 2013 to Office 2019, Office 2021, Office 365, and Office ProPlus.
The vulnerability was unearthed by the nao_sec research team, following the discovery of a Word document uploaded to VirusTotal from a Belarusian IP address. The researchers posted a series of tweets detailing their discovery. The flaw leverages Microsoft Word’s external link feature to load an HTML file, which then uses the ‘ms-msdt’ URI scheme to execute PowerShell code.
Follina Vulnerability Now Given a CVE Identifier
Microsoft has just shared mitigation techniques against Follina, which is now assigned the CVE-2022-30190 identifier. The vulnerability is a remote code execution issue that affects the Microsoft Windows Support Diagnostic Tool (MSDT). In short, the zero-day allows code execution in a range of Microsoft products, which can be exploited in various attack scenarios. Furthermore, the vulnerability “breaks the boundary of having macros disabled,” and vendor detection is very poor.
According to Microsoft’s newly released blog, CVE-2022-30190 is triggered when MSDT is called using the URL protocol from a calling application:
A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word. An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights.
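Because the vulnerable path runs from a calling application such as Word into MSDT, the process relationship is something defenders can watch for in endpoint telemetry. The following PowerShell is an added example, not code from the article or from Microsoft: it flags process-creation events in which msdt.exe is launched by an Office application. The events are constructed sample records in a Sysmon Event ID 1 style, and the field names (Image, ParentImage, UtcTime, Host) are assumptions about the log shape.

```powershell
# Added example (not from the article or Microsoft): flag process-creation
# events where msdt.exe is spawned by an Office application, which is the
# parent/child relationship produced when a document reaches the ms-msdt
# handler. Events below are constructed sample data; field names are assumed.
$OfficeImages = @('WINWORD.EXE', 'EXCEL.EXE', 'POWERPNT.EXE', 'OUTLOOK.EXE')

function Test-OfficeSpawnedMsdt {
    param([Parameter(Mandatory)] $Event)
    $child  = [System.IO.Path]::GetFileName($Event.Image)
    $parent = [System.IO.Path]::GetFileName($Event.ParentImage)
    # -ieq and -contains are both case-insensitive; logged path casing varies.
    ($child -ieq 'msdt.exe') -and ($OfficeImages -contains $parent)
}

# Constructed sample events: a user-launched troubleshooter from Explorer
# (benign), a Word print helper (benign), and msdt.exe under Word (suspicious).
$Events = @(
    [pscustomobject]@{ UtcTime = '2022-05-31 09:14:02'; Host = 'WS-01'
                       Image = 'C:\Windows\System32\msdt.exe'
                       ParentImage = 'C:\Windows\explorer.exe' }
    [pscustomobject]@{ UtcTime = '2022-05-31 09:20:45'; Host = 'WS-01'
                       Image = 'C:\Windows\splwow64.exe'
                       ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE' }
    [pscustomobject]@{ UtcTime = '2022-05-31 09:21:10'; Host = 'WS-02'
                       Image = 'C:\Windows\System32\msdt.exe'
                       ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE' }
)

# Only the third record should be reported.
$Events | Where-Object { Test-OfficeSpawnedMsdt $_ } |
    Format-Table UtcTime, Host, ParentImage, Image -AutoSize
```

Test-OfficeSpawnedMsdt works on any object that exposes Image and ParentImage, so on a live host the constructed array can be replaced with parsed Sysmon process-creation events; a user opening a troubleshooter from Settings or Explorer is not flagged, which keeps the rule narrow.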
How Can CVE-2022-30190 Be Mitigated?
“Disabling MSDT URL protocol prevents troubleshooters being launched as links including links throughout the operating system,” Microsoft said. You can still access troubleshooters by using the Get Help application, as well as in system settings. The steps that should be taken to mitigate the vulnerability are the following:
1. Run Command Prompt as Administrator.
2. To back up the registry key, execute the command “reg export HKEY_CLASSES_ROOT\ms-msdt filename”.
3. Execute the command “reg delete HKEY_CLASSES_ROOT\ms-msdt /f”.
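The three steps above, carried out as one script, are shown below as an added example; this is not Microsoft’s published procedure and not code from the article. It assumes an elevated PowerShell session on a Windows host, uses the same reg.exe commands the steps describe, and adds what a practitioner wants around them: a skip when the key is already absent, a timestamped backup that must succeed before anything is deleted, and a check that the handler is actually gone. The backup directory C:\Backup is an assumed location.

```powershell
# Added example (not Microsoft's advisory text or the article's own code):
# back up and remove the ms-msdt URL protocol handler, then verify.
# Assumes an elevated PowerShell session; the backup directory is assumed.
#Requires -RunAsAdministrator

$KeyPath    = 'HKEY_CLASSES_ROOT\ms-msdt'
$BackupDir  = 'C:\Backup'                       # assumed location for the .reg export
$Timestamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$BackupFile = Join-Path $BackupDir "ms-msdt-$Timestamp.reg"

# Nothing to do if the handler is already gone; this keeps the script idempotent.
if (-not (Test-Path "Registry::$KeyPath")) {
    Write-Output "$KeyPath not present; no change made."
    return
}

# Step 2 of the article: export the key so the handler can be restored later.
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
& reg.exe export $KeyPath $BackupFile /y | Out-Null
if ($LASTEXITCODE -ne 0 -or -not (Test-Path $BackupFile)) {
    throw "Backup of $KeyPath failed; aborting without deleting the key."
}
Write-Output "Backup written to $BackupFile"

# Step 3 of the article: delete the protocol handler (the mitigation itself).
& reg.exe delete $KeyPath /f | Out-Null
if ($LASTEXITCODE -ne 0) {
    throw "reg delete returned exit code $LASTEXITCODE"
}

# Verify that the handler is gone before reporting success.
if (Test-Path "Registry::$KeyPath") {
    throw "$KeyPath still present after deletion."
}
Write-Output "ms-msdt URL protocol handler removed."

# To undo once a patch is applied: reg.exe import <path to the .reg backup>
```

The ordering matters: the delete runs only after the export has been confirmed on disk, so a failed backup never leaves a host without a way to restore troubleshooter links once an official fix is available.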
We will update this article when new information about CVE-2022-30190 appears.