Security researchers from several organizations have reported a novel zero-day vulnerability affecting Microsoft Office that may allow malware to be loaded from remote servers without detection, as one stage of a multi-stage attack.

Security researcher Kevin Beaumont named it "Follina" because the file name of the malicious Word sample that was retrieved contained the telephone area code of Follina, Italy. The research team nao_sec first documented a sample, noting that it had been uploaded from an IP address in Belarus.

Microsoft tracks the vulnerability as CVE-2022-30190. The flaw lies in the Microsoft Support Diagnostic Tool (MSDT) component of Windows; the Office document is only the delivery vehicle.

UPDATE (as of June 14, PST): Among the fixes Microsoft released in its June 2022 Patch Tuesday is one for the Windows MSDT zero-day known as Follina (CVE-2022-30190). Microsoft urges users and administrators to install the update as soon as possible.

______________________________

A. Nature of Vulnerability

A successful exploit abuses Word's remote (attached) template feature: the document points at a template hosted on an attacker-controlled server, Word fetches an HTML file from that server, and the HTML invokes the ms-msdt: protocol URI scheme. The ms-msdt: handler launches the Microsoft Support Diagnostic Tool (msdt.exe) with attacker-supplied parameters, and those parameters carry PowerShell code that msdt.exe ends up executing.

Because execution goes through the ms-msdt: handler, no macros are needed, so macro-blocking policies do not stop it. If the same document is saved in RTF form, the payload can also fire from the preview pane in Windows Explorer, without the file ever being opened in Word, which also sidesteps Protected View.
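The execution chain above leaves a distinctive process-creation trail: msdt.exe started with an ms-msdt: URI by a document viewer (an Office application, or explorer.exe in the RTF preview-pane variant). The following PowerShell function is an added example, not code from the original advisory or from Microsoft, that flags such events. The sample events and their command lines are constructed for this example; the field names mirror Sysmon Event ID 1 (Image, ParentImage, CommandLine), but any EDR process-creation log with those fields would do, and the detection does not depend on the exact msdt parameter names.

```powershell
# Added example: detect the Follina execution chain in process-creation events.
# Parent process lists are this example's own choice; extend them for your estate.
$OfficeParents  = @('winword.exe', 'excel.exe', 'powerpnt.exe', 'outlook.exe')
$PreviewParents = @('explorer.exe')   # RTF preview-pane variant runs under Explorer

function Test-FollinaEvent {
    param([Parameter(Mandatory)][hashtable]$Event)

    $image  = [System.IO.Path]::GetFileName([string]$Event.Image).ToLowerInvariant()
    $parent = [System.IO.Path]::GetFileName([string]$Event.ParentImage).ToLowerInvariant()
    $cmd    = [string]$Event.CommandLine

    # msdt.exe is the registered handler for ms-msdt: URIs. Legitimate troubleshooter
    # launches come from Control Panel / Settings, not from a document viewer.
    $isMsdt      = ($image -eq 'msdt.exe') -or ($cmd -match 'ms-msdt:')
    $docParent   = $parent -in ($OfficeParents + $PreviewParents)
    # Inline PowerShell inside the msdt parameters is how the payload gets executed.
    $hasPsInline = $cmd -match '(?i)invoke-expression|\bIEX\b|\$\('

    if ($isMsdt -and $docParent) {
        return [pscustomobject]@{
            Severity    = 'High'
            Reason      = "msdt.exe / ms-msdt: URI spawned by $parent"
            CommandLine = $cmd
        }
    }
    if ($isMsdt -and $hasPsInline) {
        return [pscustomobject]@{
            Severity    = 'High'
            Reason      = 'ms-msdt: URI carrying inline PowerShell'
            CommandLine = $cmd
        }
    }
    return $null   # no match: benign as far as this rule can tell
}

# Constructed sample events (not real telemetry).
$Events = @(
    @{ Image = 'C:\Windows\System32\msdt.exe'
       ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
       CommandLine = 'msdt.exe ms-msdt:/id PCWDiagnostic /skip force /param "IT_BrowseForFile=$(Invoke-Expression($p))"' },
    @{ Image = 'C:\Windows\System32\msdt.exe'
       ParentImage = 'C:\Windows\explorer.exe'
       CommandLine = 'msdt.exe ms-msdt:/id PCWDiagnostic /skip force /param "IT_BrowseForFile=$(IEX($p))"' },
    @{ Image = 'C:\Windows\System32\msdt.exe'
       ParentImage = 'C:\Windows\System32\control.exe'
       CommandLine = 'msdt.exe -id NetworkDiagnosticsWeb' },          # benign troubleshooter launch
    @{ Image = 'C:\Windows\System32\notepad.exe'
       ParentImage = 'C:\Windows\explorer.exe'
       CommandLine = 'notepad.exe' }
)

# Expected: the first two events are flagged, the last two are not.
$Events | ForEach-Object { Test-FollinaEvent -Event $_ } | Where-Object { $_ } | Format-Table -AutoSize
```

The two rules are deliberately separate: the parent-process rule catches the chain even if the URI is obfuscated, while the inline-PowerShell rule catches an ms-msdt: launch from an unexpected parent (for example a browser or an archive tool). Tune the parent list before deploying, and treat any msdt.exe launched by an Office process as worth investigating regardless of the command line.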

______________________________

B. Actions to be Taken

  • Run anti-virus software and/or a host-based detection (EDR) tool, kept at the latest version and signatures.
  • Until the patch is applied, users and administrators may follow Microsoft's temporary workaround:
    • Disable the MSDT URL protocol
      • Run Command Prompt as Administrator.
      • Back up the registry key first: "reg export HKEY_CLASSES_ROOT\ms-msdt filename" (where filename is the path of the backup .reg file).
      • Delete the key: "reg delete HKEY_CLASSES_ROOT\ms-msdt /f"
    • How to undo the workaround
      • Run Command Prompt as Administrator.
      • Restore the key from the backup: "reg import filename"
    • Disable the preview pane in Windows Explorer (this blocks the RTF preview-pane trigger)
      • If you have the preview pane enabled:
        • Open File Explorer.
        • Click the View tab.
        • Click Preview Pane to hide it.
  • Regularly check for and apply the latest software patches, especially on public-facing applications.
  • Proactively monitor identified systems and devices for suspicious or malicious activity, and secure them.
  • Take a good backup of the system before patching, so that it can be restored if anomalies or issues are encountered.
  • Provide employees with cybersecurity awareness training to reduce the attack surface.
  • For additional information, refer to the following public analyses:
    • https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e
    • https://www.huntress.com/blog/microsoft-office-remote-code-execution-follina-msdt-bug
    • https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/05/microsoft-office-zero-day-follina-its-not-a-bug-its-a-feature-its-a-bug/
  • For Microsoft's official guidance (as of June 14, PST), refer to:
    • https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30190
    • https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/
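The registry workaround listed under "Disable the MSDT URL Protocol" and "How to undo the workaround" is easy to get wrong at scale (no backup taken, or the backup overwritten). The script below is an added example, not code from the original advisory or from Microsoft; it performs the same reg export / reg delete / reg import steps with verification, so it can be pushed to many hosts and reverted once the June 2022 update is installed. The default backup location under ProgramData is this example's own choice.

```powershell
# Added example: apply or revert Microsoft's interim Follina workaround (remove the
# ms-msdt: URL protocol handler key after exporting it). Save as a .ps1 file and run
# from an elevated PowerShell session; rerun with -Undo to restore the key.
param(
    [switch]$Undo,
    [string]$BackupFile = "$env:ProgramData\ms-msdt-backup.reg"   # example's own default
)

$KeyName = 'HKEY_CLASSES_ROOT\ms-msdt'
$KeyPath = "Registry::$KeyName"

function Test-IsAdministrator {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    (New-Object Security.Principal.WindowsPrincipal $id).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
}

if (-not (Test-IsAdministrator)) {
    throw 'Run this script from an elevated (Administrator) PowerShell session.'
}

if ($Undo) {
    # Revert: re-import the exported key so the ms-msdt: handler works again.
    if (-not (Test-Path -LiteralPath $BackupFile)) {
        throw "Backup file $BackupFile not found; nothing to restore."
    }
    reg.exe import $BackupFile
    if ($LASTEXITCODE -ne 0) { throw "reg import failed with exit code $LASTEXITCODE" }
    if (-not (Test-Path -LiteralPath $KeyPath)) { throw "$KeyName still missing after import." }
    Write-Host "Restored $KeyName from $BackupFile"
    return
}

# Apply: export first so the change can be reverted, then delete the key.
if (-not (Test-Path -LiteralPath $KeyPath)) {
    Write-Host "$KeyName is already absent; the workaround appears to be applied."
    return
}
if (Test-Path -LiteralPath $BackupFile) {
    # Do not clobber an earlier backup; once the key is gone, that file is the only copy.
    throw "Backup file $BackupFile already exists; choose another -BackupFile or use -Undo."
}
reg.exe export $KeyName $BackupFile
if ($LASTEXITCODE -ne 0) { throw "reg export failed with exit code $LASTEXITCODE" }

reg.exe delete $KeyName /f
if ($LASTEXITCODE -ne 0) { throw "reg delete failed with exit code $LASTEXITCODE" }

# Verify: the handler key must be gone and the backup must exist for -Undo to work.
if ((Test-Path -LiteralPath $KeyPath) -or -not (Test-Path -LiteralPath $BackupFile)) {
    throw 'Verification failed: key still present or backup missing.'
}
Write-Host "Removed $KeyName; backup written to $BackupFile. Rerun with -Undo to revert."
```

The script refuses to overwrite an existing backup, because after "reg delete" the exported file is the only copy of the handler's configuration. Removing the key breaks the built-in troubleshooters launched via ms-msdt: links until it is restored, so plan to run -Undo after the update from the MSRC guidance has been installed.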