Security Advisory Regarding Follina

Published On: May 31st, 2022

CVE-2022-30190 (Follina) Details

Hurricane Labs is aware of the recent CVE-2022-30190 / Follina Zero-Day. Follina is a remote code execution vulnerability that exists when MSDT is called using the URL protocol from a calling application such as Word.

An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights. 

Affected Products

Microsoft Word / Office & Windows (all versions) 

Known Attack Vectors

The known attack vectors include documents and attachments that are opened in preview windows or in full application suites on systems where the MSDT URL protocol is enabled. This includes Word or Rich Text Format attachments sent in Outlook, which can trigger the URL protocol for no-click execution of the remote code. Microsoft Word's remote template feature is leveraged to retrieve an HTML file from a remote web server, which then triggers the ms-msdt MSProtocol URI scheme to load code and execute PowerShell commands.

Should I be concerned?

This remote code execution vulnerability is certainly concerning, and the available mitigations listed below should be applied as appropriate in your environment. Because the attack vector requires no user interaction beyond previewing an email or attachment, anyone using the affected software is vulnerable.

Detection and mitigation

For workarounds as well as detection and protections, refer to the Guidance for CVE-2022-30190 post by Microsoft Security Response Center.

For details on how to disable the File Type association for ms-msdt or to disable preview in Windows Explorer, see here.
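As an added example (not part of the original advisory, and not Hurricane Labs' or Microsoft's own code), the following PowerShell applies the registry workaround described in Microsoft's guidance for CVE-2022-30190: it exports the HKEY_CLASSES_ROOT\ms-msdt key to a .reg backup and then deletes it, so the ms-msdt URL protocol handler is no longer registered. The function names, the backup path and the elevation check are my own assumptions; keep the exported file so the handler can be restored with reg.exe import once a patch is available.

```powershell
# Added example: disable the ms-msdt URL protocol handler (the MSRC workaround for CVE-2022-30190).
# Sequence: back up HKEY_CLASSES_ROOT\ms-msdt with reg.exe export, then remove it with reg.exe delete.
# Function names, parameter names and the default backup path are assumptions, not from the advisory.

$MsdtKey = 'HKEY_CLASSES_ROOT\ms-msdt'

function Test-MsMsdtHandler {
    # Reports whether the ms-msdt handler is still registered and which command it would run.
    $path = "Registry::$MsdtKey"
    if (-not (Test-Path $path)) {
        return [pscustomobject]@{ Registered = $false; Command = $null }
    }
    $cmd = (Get-ItemProperty -Path "$path\shell\open\command" -ErrorAction SilentlyContinue).'(default)'
    return [pscustomobject]@{ Registered = $true; Command = $cmd }
}

function Disable-MsMsdtHandler {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Backup location; restore later with:  reg.exe import <this file>
        [string]$BackupPath = "$env:ProgramData\ms-msdt-backup.reg"
    )
    # Registry edits under HKCR require an elevated session; fail early otherwise.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run from an elevated (Administrator) PowerShell session.'
    }

    $state = Test-MsMsdtHandler
    if (-not $state.Registered) {
        Write-Host 'ms-msdt handler is not registered; nothing to do.'
        return
    }
    Write-Host "Current handler command: $($state.Command)"

    if ($PSCmdlet.ShouldProcess($MsdtKey, "Export to $BackupPath and delete")) {
        # 1. Back up the key first so the handler can be restored after a patch ships.
        & reg.exe export $MsdtKey $BackupPath /y | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "reg.exe export failed (exit $LASTEXITCODE); key not deleted." }
        # 2. Remove the key; Office can no longer launch MSDT through an ms-msdt: URI.
        & reg.exe delete $MsdtKey /f | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "reg.exe delete failed (exit $LASTEXITCODE)." }
        Write-Host "Backup written to $BackupPath; ms-msdt handler removed."
    }
}

# Usage (elevated):  Disable-MsMsdtHandler -WhatIf   # preview only
#                    Disable-MsMsdtHandler           # apply the workaround
# Afterwards, (Test-MsMsdtHandler).Registered should be $false.
```

Deploying this through your management tooling rather than by hand keeps the backup file in a known location for the eventual rollback.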

Resolution

As of this writing, Microsoft has not released a patch for this vulnerability. Microsoft will provide updates on this vulnerability here.

Hurricane Labs’ recommended actions

Hurricane Labs recommends that you patch all software and update antivirus suites to the latest versions, along with applying the available mitigations listed in this advisory.

References

For more information on Hurricane Labs services, visit our Security Services page.

About Hurricane Labs

Hurricane Labs is a dynamic Managed Services Provider that unlocks the potential of Splunk and security for diverse enterprises across the United States. With a dedicated, Splunk-focused team and an emphasis on humanity and collaboration, we provide the skills, resources, and results to help make our customers’ lives easier.

For more information, visit www.hurricanelabs.com and follow us on Twitter @hurricanelabs.