Microsoft Vulnerability: Follina Part 1

6/1/2022: New MS Office vulnerability is currently in the wild. What you need to know

Over the weekend, security researchers found an interesting file and bug in the Microsoft Windows Support Diagnostic Tool (MSDT). After the analysis of the file, researchers were able to identify a vulnerability in MSDT which was quickly named “Follina” prior to CVE-2022-30190 being issued.

The discovered 0-Day vulnerability in MSDT leverages a vulnerable call in URL handling which allows Remote Code Execution that impacts several versions of Microsoft Office. Attackers who successfully exploit this vulnerability can run arbitrary code with the privileges of the calling application.

In other words, an attacker can craft a minimal package which does not require a person to open the file and the malicious code will execute and have the same rights as the user.

This vulnerability is being actively exploited in the wild.

Microsoft has published a workaround (below); however, security researchers (and hackers) are finding additional ways to exploit the vulnerability even with the applied workaround. Here’s the current recommendations:

  1. Run Command Prompt as Administrator.
  2. To back up the registry key, execute the command “reg export HKEY_CLASSES_ROOT\ms-msdt filename“
  3. Execute the command “reg delete HKEY_CLASSES_ROOT\ms-msdt /f”.

We will provide another update with clear instructions for you and your team after they are made available and proven to be reliable from Microsoft.

The key takeaway here is that a user does have to open or interact with an infected document. For example, interaction includes simply listing the contents of the directory that include a maliciously modified document. Other examples include hovering over the file in the Outlook reading pane.

Our recommendation is: communication to users about opening or viewing unexpected office documents.

There’s already a Metasploit module for this, and it should be considered a very active zero day.

For more information on the CVE:

For more information on the mitigation strategies provided by Microsoft: