Follina Zero-Day Exploit Allows Attackers to Execute Remote Code
On May 27, 2022, an independent research company reported a Microsoft Office zero-day vulnerability called CVE-2022-30190, also known as “Follina.” The threat has raised alarms across the industry because an official patch has yet to be released, and the risk posed by the exploit can be dire. It can enable attackers to execute codes remotely, allowing them to gain full system control of affected systems.
At ITS, we’re committed to helping businesses keep watch of emerging cyber threats, understand them and uncover ways to protect against them. In this article, we’ll learn more about how the vulnerability works, how it can be abused, and how you can temporarily protect against it while waiting for the official patch.
How Does the Follina Vulnerability Work?
The Follina vulnerability can easily be triggered via phishing emails that contain malicious .DOC files or a link leading to it. Once a target receives and clicks the said file or link, Windows will open it using the Microsoft Support Diagnostic Tool (MSDT), which will automatically run the code contained in the provided link. Once triggered, the executed code can help an attacker facilitate further compromise or take full control of the affected system.
How Dangerous is Follina?
According to security experts studying the zero-day exploit, what makes the Follina vulnerability stand out from the rest is that it doesn’t rely on Office Macros. A Macro is a series of commands that allow you to automate certain tasks. Unfortunately, that presents some security concerns. Typically, bad actors will send macros to end-users, tricking them into running automated tasks that will compromise their devices.
In this case, however, the malicious codes can still be executed even when your environment has macros disabled entirely. All that’s required for the exploit to trigger is for a user to open and view a malicious Word document or preview it using the Windows Explorer Preview Pane.
In addition, while most of the recorded cases of this vulnerability being exploited in the wild have leveraged on Microsoft Word and Outlook, theoretically, any Office product which handles oleObject relationships is vulnerable.
How to Protect Against Follina?
While Microsoft is still scrambling to patch Follina, they have released guidance as to how you can defend against it. Check out some of their suggestions below:
Disabling the MSDT URL Protocol
Disabling the MSDT URL protocol prevents troubleshooters from being launched as links. That can help stop the code from executing, halting the attack in its tracks. You can still access troubleshooters, however, using the Get Help application and in-system settings.
Follow these steps to disable:
- Run Command Prompt as Administrator.
- To back up the registry key, execute the command “reg export HKEY_CLASSES_ROOT\ms-msdt filename“
- Execute the command “reg delete HKEY_CLASSES_ROOT\ms-msdt /f”.
Microsoft Defender Detections & Protections
If you have Microsoft Defender Antivirus, consider turning on cloud-delivered protection and automatic sample submission. Those capabilities utilize artificial intelligence and machine learning to quickly identify and stop new and unknown threats.
Users with Microsoft Defender for Endpoint can also enable the attack surface reduction rule “Block all Office applications from creating child processes” GUID: d4f940ab-401b-4efc-aadc-ad5f3c50688a that blocks Office apps from creating child processes. Creating malicious child processes is a common malware strategy.
In addition, Microsoft Defender Antivirus offers protections for possible vulnerability exploitation under the following signatures using detection build 1.367.851.0 or higher:
- Trojan:Win32/Mesdetty.A (blocks msdt command line)
- Trojan:Win32/Mesdetty.B (blocks msdt command line)
- Behavior:Win32/MesdettyLaunch.A!blk (terminates the process that launched msdt command line)
- Trojan:Win32/MesdettyScript.A (to detect HTML files that contain msdt suspicious command being dropped)
- Trojan:Win32/MesdettyScript.B (to detect HTML files that contain msdt suspicious command being dropped)
On the other hand, Microsoft Defender for Endpoint provides users with detections and alerts. You can find these alerts through your Microsoft 365 Defender portal. Notifications with the following titles can indicate threat activity on your network:
- Suspicious behavior by an Office application
- Suspicious behavior by Msdt.exe
Protect Your Network from Emerging Threats
Microsoft may have released some workarounds to deal with the Follina vulnerability; however, you must remain vigilant. Until an official patch is released, it would be best to assume that you are currently exposed to this new zero-day exploit. All you can do now is to keep your guard up, empower your team with the right information, and practice good cyber hygiene.
At ITS, we’ve helped hundreds of businesses protect against all kinds of cyber threats. From our experience, the best weapon to defend against them is by arming yourself with the right information. Learn how you can regain peace of mind amidst rising cyber threats.