Security Advisory Regarding Follina
CVE-2022-30190 (Follina) Details
Hurricane Labs is aware of the recent CVE-2022-30190 / Follina zero-day. Follina is a remote code execution vulnerability that exists when the Microsoft Support Diagnostic Tool (MSDT) is called using the URL protocol from a calling application such as Word.
An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights.
Microsoft Word / Office & Windows (all versions)
Known Attack Vectors
The known attack vectors include documents and attachments that are opened in preview windows or full-application suites that have the MSDT URL protocol enabled. This includes Outlook attachments in Word or Rich Text Format, which can trigger the URL protocol for no-click execution of the remote code. The attack leverages Microsoft Word’s remote template feature to retrieve an HTML file from a remote web server, which then triggers the ms-msdt MSProtocol URI scheme to load code and execute PowerShell commands.
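For triage of suspicious attachments, the remote-retrieval step described above can be checked statically. The following is an added example, not code from Hurricane Labs or Microsoft: it lists external, non-hyperlink relationships in an OOXML (.docx) package. It does not cover RTF, and the function names and the sample package are constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

PKG_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
DOC_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"


def external_relationships(docx_bytes):
    """List (part, relationship kind, target) for external, non-hyperlink relationships."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in sorted(zf.namelist()):
            if not name.endswith(".rels"):
                continue
            data = zf.read(name)
            if b"<!DOCTYPE" in data:  # .rels parts never need a DTD; do not parse one
                findings.append((name, "unexpected-doctype", ""))
                continue
            for rel in ET.fromstring(data).iter("{%s}Relationship" % PKG_NS):
                if rel.get("TargetMode", "").lower() != "external":
                    continue  # internal part reference, e.g. styles.xml
                kind = rel.get("Type", "").rsplit("/", 1)[-1]
                if kind == "hyperlink":
                    continue  # external, but only followed when a user clicks it
                findings.append((name, kind, rel.get("Target", "")))
    return findings


def build_sample():
    """Constructed sample: a zip holding only two .rels parts, no document body or payload."""
    def rels(*entries):
        body = "".join(
            '<Relationship Id="rId%d" Type="%s%s" Target="%s"%s/>'
            % (i, DOC_REL, kind, target, ' TargetMode="External"' if ext else "")
            for i, (kind, target, ext) in enumerate(entries, 1))
        return '<Relationships xmlns="%s">%s</Relationships>' % (PKG_NS, body)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/_rels/document.xml.rels", rels(
            ("styles", "styles.xml", False),
            ("hyperlink", "https://example.invalid/page", True)))
        zf.writestr("word/_rels/settings.xml.rels", rels(
            ("attachedTemplate", "https://example.invalid/template.html", True)))
    return buf.getvalue()


if __name__ == "__main__":
    for part, kind, target in external_relationships(build_sample()):
        print("%s: external %s -> %s" % (part, kind, target))
```

A finding is a lead for review rather than a verdict, since some organizations legitimately attach templates from internal servers.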
Should I be concerned?
This remote code execution vulnerability is certainly concerning, and the available mitigations listed below should be applied as appropriate in your environment. Because the attack vector requires no actual user interaction other than previewing an email or attachment, anyone is vulnerable.
Detection and mitigation
For workarounds as well as detection and protections, refer to the Guidance for CVE-2022-30190 post by Microsoft Security Response Center.
For details on how to disable the File Type association for ms-msdt or to disable preview in Windows Explorer, see here.
As of this writing, Microsoft has not released a patch to remediate this vulnerability. Microsoft will provide updates on this vulnerability here.
Hurricane Labs’ recommended actions
Hurricane Labs recommends that you patch all software and update antivirus suites to the latest versions, along with applying the available mitigations listed in this advisory.
- Guidance for CVE-2022-30190 Microsoft Support Diagnostic Tool Vulnerability via Microsoft Security Response Center
- New Microsoft Office Zero-day “Follina” – Detection & Response via SOC Investigation
- Automating with PowerShell: Enable M365 activity based time-out & Office Code Execution fix via CyberDrain
- Follina — a Microsoft Office code execution vulnerability via DoublePulsar