Follina: A New Microsoft Office and Windows Zero-Day Vulnerability

By: Kevin O’Connor / Director of Threat Research at Adlumin, Inc.

On Friday, May 27, 2022, a new zero-day remote code execution vulnerability was reported by security researcher “nao_sec” on Twitter. Validated by the community and given the Common Vulnerabilities and Exposures (CVE) designation CVE-2022-30190, the vulnerability, dubbed Follina, takes advantage of a flaw in Microsoft Office. It allows attackers to call the Microsoft Support Diagnostic Tool (msdt.exe) to execute malicious code, including PowerShell commands.

The vulnerability has been confirmed as present and effective against Office Pro Plus, Office 2013, Office 2016, Office 2019, and Office 2021 and affects the following operating systems: Windows 7, Windows 8.1, Windows 10, Windows 11, Windows Server 2008, Windows Server 2012, Windows Server 2016, Windows Server 2019, and Windows Server 2022. This leaves most combinations of Office and Windows susceptible to exploitation, and it should be assumed that all versions of Office are vulnerable.

Technical Details

Follina was first observed being actively exploited in the wild. It takes advantage of a flaw in Microsoft Office and Windows that allows arbitrary remote code execution, giving attackers potential control of the victim’s machine. Unlike traditional Microsoft Office-based attacks, which typically leverage document macro functionality to gain execution (a generally mitigated strategy), Follina takes advantage of Office’s remote template feature to gain initial execution.

The Office remote template feature allows the infected file to retrieve a remote HTML file containing JavaScript code that executes malicious code in the command line using the Microsoft Support Diagnostic Tool (MSDT / msdt.exe). As a result, PowerShell scripts are typically run at the opening user’s privilege level, allowing the attacker to modify, view, or destroy data and install additional programs and malware.

Detection, Defenses, and Mitigations with Adlumin

Adlumin allows security administrators to collect and query security-relevant logs from multiple sources, including network endpoints and process executions. Using this capability, we can develop a query to look for potential instances of exploitation of this vulnerability.

The exploitation of Follina / CVE-2022-30190 should create multiple recorded artifacts, which can be searched to see if the vulnerability has been used in a network. To query for these instances, we can search for endpoint process executions where the parent process is a Microsoft Office product and the child process launched by it is the process msdt.exe or sdiagnhost.exe.
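
As an added example (not Adlumin's query or code), the parent/child check described above can be written as a small Python filter over process-creation events. The field names are modeled on Sysmon process-creation events, and the Office executable list and the sample events are assumptions constructed for illustration.

```python
import json
import ntpath

# Assumed Office executable names (not listed in the article); extend as needed.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                  "msaccess.exe", "mspub.exe", "visio.exe", "onenote.exe"}
SUSPECT_CHILDREN = {"msdt.exe", "sdiagnhost.exe"}  # child processes named in the article

# Constructed sample events (not real telemetry), one JSON object per line.
SAMPLE_LOG = r'''
{"UtcTime": "2022-06-01 14:02:11", "Computer": "WS-014", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "Image": "C:\\Windows\\System32\\msdt.exe"}
{"UtcTime": "2022-06-01 14:05:40", "Computer": "WS-022", "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\msdt.exe"}
{"UtcTime": "2022-06-01 14:09:03", "Computer": "WS-031", "ParentImage": "\"C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE\"", "Image": "C:\\WINDOWS\\SYSTEM32\\SDIAGNHOST.EXE"}
{"UtcTime": "2022-06-01 14:11:27", "Computer": "WS-014", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "Image": "C:\\Windows\\splwow64.exe"}
{"UtcTime": "2022-06-01 14:12:00", "Computer": "WS-040", "Image": "C:\\Windows\\System32\\msdt.exe"}
this line is truncated {"UtcTime":
'''.splitlines()


def image_name(path):
    """Lower-cased file name of a Windows image path; '' if the field is absent."""
    if not isinstance(path, str):
        return ""
    return ntpath.basename(path.strip().strip('"')).lower()


def find_follina_candidates(lines):
    """Return events where an Office parent started msdt.exe or sdiagnhost.exe."""
    hits = []
    for raw in lines:
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue  # blank or malformed record: skip it, keep hunting
        if not isinstance(event, dict):
            continue
        parent = image_name(event.get("ParentImage"))
        child = image_name(event.get("Image"))
        if parent in OFFICE_PARENTS and child in SUSPECT_CHILDREN:
            hits.append({"host": event.get("Computer"), "time": event.get("UtcTime"),
                         "parent": parent, "child": child})
    return hits


if __name__ == "__main__":
    for hit in find_follina_candidates(SAMPLE_LOG):
        print(hit)
```

Matching on the normalized file name rather than the full path keeps the check independent of the Office install directory and of the casing the logging agent records.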

Adlumin stores historical customer data to identify if this vulnerability was leveraged months before the exploit was publicly released. Searching the data set, Adlumin’s Threat Research team could not find any examples of exploitation among our customers.

Defenses

At the time of the vulnerability’s disclosure to the public, there was, and still is, no official patch from Microsoft to address the vulnerability. Microsoft has come forward recommending disabling the MSDT URL protocol as a potential mitigation for the vulnerability.

Disabling the MSDT URL Protocol

Disabling the MSDT URL protocol prevents troubleshooters from being launched as links, including links throughout the operating system. The following steps will disable the MSDT URL protocol, protecting systems from the Follina vulnerability:

  1. Run Command Prompt as Administrator
  2. Backup the registry key:
    • reg export HKEY_CLASSES_ROOT\ms-msdt backup
  3. Delete the following registry key:
    • reg delete HKEY_CLASSES_ROOT\ms-msdt /f

Additionally, Microsoft recommends customers with Microsoft Defender Antivirus turn on cloud-delivered protection and automatic sample submission to help quickly identify and stop new unknown threats. Microsoft Defender for Endpoint customers can enable attack surface reduction by setting the rule for “Block All Office applications from creating child processes” (GUID: d4f940ab-401b-4efc-aadc-ad5f3c50688a).

Continuous Monitoring

Adlumin recommends using a Continuous Vulnerability Management product to collect the needed data from endpoints to determine if they are running vulnerable versions of Microsoft Windows and Office. The Continuous Vulnerability Management software can also be used to identify those assets which have or do not have the official Microsoft mitigation in place.

Adlumin also recommends leveraging our managed security services product to continually search and alert for suspicious executions, which may result from the exploitation of the vulnerability.


References

Microsoft. (2022, May 30). Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability. Security Update Guide – Microsoft Security Response Center. Retrieved June 6, 2022, from https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-30190

Microsoft. (2022, May 30). Microsoft Security Response Center. Retrieved June 6, 2022, from https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/