On May 30, 2022, a critical vulnerability in Microsoft Office became known. It is also known under the name "Follina" and is listed as CVE-2022-30190. It is particularly critical that the attack complexity is classified as low: the vulnerability can therefore also be exploited by inexperienced attackers and can cause potentially severe damage on the affected system.
The vulnerability abuses the Microsoft Support Diagnostic Tool (MSDT) [https://docs.microsoft.com/de-de/windows-server/administration/windows-commands/msdt], which is normally used to collect diagnostic data and send it to Microsoft. Affected files, however, fetch malicious code or components from the Internet and execute them with the rights of the logged-on user. This allows the attacker to gain full control over the system and the data stored on it and to manipulate them. Depending on whether further vulnerabilities exist, follow-on attacks such as privilege escalation are possible.
The affected document contains an https URL whose content is downloaded. That content executes JavaScript code which in turn references a URL pointing to an ms-msdt link. The tool described above is invoked with the passed parameters and loads malicious code, which is then launched and executed via PowerShell. What is particularly insidious is that no macros are involved, so classic macro protection offers no help against this attack!
The following workaround is recommended until a patch is available.
The MSDT URL protocol used in the attack should be deactivated so that the links used can no longer be called up and executed automatically.
1. Open a command line as administrator.
2. Back up the registry key:
reg export HKEY_CLASSES_ROOT\ms-msdt filename
3. Delete the key, which disables the ms-msdt protocol handler:
reg delete HKEY_CLASSES_ROOT\ms-msdt /f
4. To undo the workaround later, for example once a patch has been installed, re-import the backup:
reg import filename
No negative effects on productivity are known to date, but appropriate testing should be carried out here as well.
Details are available via the link.
Furthermore, Microsoft recommends that users of "Microsoft Defender for Endpoint Security" enable the "BlockOfficeCreateProcessRule" rule, which prevents Office applications from creating child processes.
Microsoft Defender also detects such attacks via its signature files from build 1.367.719.0 onwards.
In addition, all employees can be informed and sensitized so that they are particularly vigilant when receiving Office files: the sender should be verified, and the content of the file should be expected and known. If channels for raising awareness and informing employees already exist, this information should be distributed through them.
As soon as further information is available from Microsoft, in particular on patches or updates, we will inform you accordingly or publish it on this website. The vulnerability has only recently become known, so further attack scenarios may emerge and further measures may become necessary. Those affected should therefore follow further developments. In the event of changes, we will inform you on our website and continuously update the information in this advisory.