
Updated: Zero-Day "Follina" Vulnerability in MS Office Products

Update (8/5/22): Microsoft released patches for the Follina vulnerability (CVE-2022-30190) in the June 2022 Windows Security Update.

Refer to the following security updates to close the vulnerability:

  • KB5014678: Windows Server 2022

  • KB5014697: Windows 11

  • KB5014699: Windows 10 Version 20H2 – 21H2, Windows Server 20H2

  • KB5014692: Windows 10 Version 1809 (IoT), Windows Server 2019

  • KB5014702: Windows 10 1607 (LTSC), Windows Server 2016

  • KB5014710: Windows 10 1507 (RTM, LTSC)

  • KB5014738: Monthly Rollup Windows Server 2012 R2, Windows RT 8.1, Windows 8.1

  • KB5014746: Security only Windows Server 2012 R2, Windows RT 8.1, Windows 8.1

  • KB5014747: Monthly Rollup Windows Server 2012

  • KB5014741: Security only Windows Server 2012

  • KB5014748: Monthly Rollup Windows Server 2008 R2, Windows 7 SP1

  • KB5014742: Security only Windows Server 2008 R2, Windows 7 SP1


Update (6/1/22): Over the weekend, security research team Nao_Sec released details on Twitter regarding a possible zero-day vulnerability in Microsoft Office products for Windows. Three days later, on May 30, Microsoft acknowledged the vulnerability and released temporary remediation guidance for CVE-2022-30190.

What is CVE-2022-30190?

CVE-2022-30190, now dubbed “Follina,” is a flaw in the Microsoft Support Diagnostic Tool (MSDT) that allows for remote code execution (RCE) when MSDT is called using the URL protocol from an application such as Word. Microsoft is currently scoring the vulnerability as a CVSSv3.1 7.8/10.

Microsoft notes that when the vulnerability is exploited, the attacker can run arbitrary code with the privileges of the calling application, and then install programs; view, change, or delete data; or create new accounts in the context allowed by the user’s rights.

Why is the Follina vulnerability severe?

Follina is a simple exploit that would require some user interaction to execute – for example, a social engineering campaign to persuade victims to open a malicious file with Microsoft Office on their Windows device.

Microsoft Office products have been a popular attack vector for social engineering campaigns, though historically attacks require macros to be enabled to be successful. Follina does not require macros to be enabled for successful exploitation.

Am I safe from Follina if I have macros disabled?

Not necessarily. The Follina vulnerability executes the code via MSDT, so the code will run even if macros are disabled. However, opening Microsoft Office documents in Protected View or Application Guard will prevent the attack.

Kevin Beaumont, Head of Security Operations Centre at Arcadia Group Ltd., notes that .RTF files previewed in Explorer are still dangerous, as Protected View becomes irrelevant there.

That said, if you regularly baseline your environment for anomalous process executions, you would likely have detected an attack, since projects like LOLBAS have documented the MSDT binary since 2018. If you’re using Endpoint Detection and Response (EDR) tools and/or AppLocker policies, you should be better equipped to detect or block potential attacks than organizations that don’t.
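As an added example (not code from the original post or from Automox), the following PowerShell hunts the Sysmon process-creation log for msdt.exe launched by an Office application, which is the parent/child relationship the attack described above produces. It assumes Sysmon is installed and logging Event ID 1; the function name and the Office parent list are our own choices.

```powershell
# Added example, not from the original post. Requires Sysmon with Event ID 1 (process creation)
# enabled; reads the documented Sysmon log name and EventData field names.

# Office binaries that should never legitimately spawn the diagnostic tool (our list, extend as needed)
$officeParents = @('WINWORD.EXE', 'EXCEL.EXE', 'POWERPNT.EXE', 'OUTLOOK.EXE')

function Get-SuspiciousMsdtLaunches {
    param(
        [datetime]$Since = (Get-Date).AddDays(-7)   # look-back window; adjust to your retention
    )

    $filter = @{
        LogName   = 'Microsoft-Windows-Sysmon/Operational'
        Id        = 1
        StartTime = $Since
    }

    foreach ($event in (Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
        # Read EventData fields by name; positional indexes differ between Sysmon versions
        $data = @{}
        foreach ($d in ([xml]$event.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        $image  = [System.IO.Path]::GetFileName($data['Image'])
        $parent = [System.IO.Path]::GetFileName($data['ParentImage'])

        # Flag msdt.exe whose parent is an Office application
        if ($image -ieq 'msdt.exe' -and $officeParents -icontains $parent) {
            [pscustomobject]@{
                Time          = $event.TimeCreated
                User          = $data['User']
                Parent        = $data['ParentImage']
                ParentCmdLine = $data['ParentCommandLine']
                CommandLine   = $data['CommandLine']
            }
        }
    }
}

# Print any hits; an empty table means no Office-spawned msdt.exe in the window
Get-SuspiciousMsdtLaunches | Format-Table -AutoSize
```

Run this on a host where Sysmon is deployed; on hosts without Sysmon, the same parent/child check can be applied to Security log Event ID 4688 when process creation auditing is enabled.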

Which systems are vulnerable to Follina?

Most Windows systems are vulnerable if they have Office products. Below is the full list of vulnerable systems:

  • Windows Server 2012 R2 (Server Core installation)

  • Windows Server 2012 R2

  • Windows Server 2012 (Server Core installation)

  • Windows Server 2012

  • Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)

  • Windows Server 2008 R2 for x64-based Systems Service Pack 1

  • Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)

  • Windows Server 2008 for x64-based Systems Service Pack 2

  • Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)

  • Windows Server 2008 for 32-bit Systems Service Pack 2

  • Windows RT 8.1

  • Windows 8.1 for x64-based systems

  • Windows 8.1 for 32-bit systems

  • Windows 7 for x64-based Systems Service Pack 1

  • Windows 7 for 32-bit Systems Service Pack 1

  • Windows Server 2016 (Server Core installation)

  • Windows Server 2016

  • Windows 10 Version 1607 for x64-based Systems

  • Windows 10 Version 1607 for 32-bit Systems

  • Windows 10 for x64-based Systems

  • Windows 10 for 32-bit Systems

  • Windows 10 Version 21H2 for x64-based Systems

  • Windows 10 Version 21H2 for ARM64-based Systems

  • Windows 10 Version 21H2 for 32-bit Systems

  • Windows 11 for ARM64-based Systems

  • Windows 11 for x64-based Systems

  • Windows Server, version 20H2 (Server Core Installation)

  • Windows 10 Version 20H2 for ARM64-based Systems

  • Windows 10 Version 20H2 for 32-bit Systems

  • Windows 10 Version 20H2 for x64-based Systems

  • Windows Server 2022 Azure Edition Core Hotpatch

  • Windows Server 2022 (Server Core installation)

  • Windows Server 2022

  • Windows 10 Version 21H1 for 32-bit Systems

  • Windows 10 Version 21H1 for ARM64-based Systems

  • Windows 10 Version 21H1 for x64-based Systems

  • Windows Server 2019 (Server Core installation)

  • Windows Server 2019

  • Windows 10 Version 1809 for ARM64-based Systems

  • Windows 10 Version 1809 for x64-based Systems

  • Windows 10 Version 1809 for 32-bit Systems

Is there a patch for Follina? What are the recommended workarounds?

As of this update (6/1/22), no patch has been released. Microsoft has released a temporary workaround, which we recommend applying in the interim until patches are released.

The Automox team has created PowerShell scripts you can use in a Worklet to apply the temporary workaround across your Windows estate. These are based on the recommended workaround steps from Microsoft.

Worklet Evaluation Code to Remove Registry Key:

#################################################
################ BEGIN MAIN CODE ################
#################################################

# Mount HKEY_CLASSES_ROOT as a PowerShell drive
New-PSDrive -PSProvider Registry -Name HKCR -Root HKEY_CLASSES_ROOT | Out-Null

# Test for HKCR:\ms-msdt (the MSDT URL protocol handler key)
if (Test-Path -Path "HKCR:\ms-msdt")
{
    # Key found: exit 1 triggers remediation
    Remove-PSDrive HKCR
    Exit 1
}

# Key not found: no remediation needed
Remove-PSDrive HKCR
Exit 0

Worklet Remediation Code to Remove Registry Key:

# Variable used to specify export location of regkey. Directory will be created if not present
$regExportdir = "C:\regExport"

#################################################
################ BEGIN MAIN CODE ################
#################################################

# Mount HKEY_CLASSES_ROOT as a PowerShell drive
New-PSDrive -PSProvider Registry -Name HKCR -Root HKEY_CLASSES_ROOT | Out-Null

# Test for HKCR:\ms-msdt
if (Test-Path -Path "HKCR:\ms-msdt")
{
    # Create the export directory if it does not exist
    if (!(Test-Path $regExportdir))
    {
        New-Item -Path $regExportdir -ItemType Directory | Out-Null
    }

    # Build arguments for reg.exe
    $regArgs = 'export HKCR\ms-msdt ' + "$regExportdir" + '\ms-msdt.reg /y'

    # Export HKCR:\ms-msdt to $regExportdir as a backup for later restore
    Start-Process -FilePath "$env:Windir\system32\reg.exe" -ArgumentList "$regArgs" -Wait

    # Do not delete the key unless the backup was actually written
    if (!(Test-Path "$regExportdir\ms-msdt.reg"))
    {
        Write-Output "Export of registry key failed; key not deleted"
        Remove-PSDrive HKCR
        Exit 5
    }

    # Delete HKCR:\ms-msdt
    Start-Process -FilePath "$env:Windir\system32\reg.exe" -ArgumentList "delete HKCR\ms-msdt /f" -Wait

    # Validation
    if (Test-Path -Path "HKCR:\ms-msdt")
    {
        Write-Output "Failed to delete registry key"
        Remove-PSDrive HKCR
        Exit 5
    }

    Write-Output "Successfully exported key to $regExportdir and deleted HKCR:\ms-msdt"
    Remove-PSDrive HKCR
    Exit 0
}

Write-Output "ms-msdt key is not present on this device"
Remove-PSDrive HKCR
Exit 0

Once patches have been released and you’ve applied them, you can undo the workaround with the following Worklet:

Worklet Evaluation Code to Import/Add Registry Key:

#################################################
################ BEGIN MAIN CODE ################
#################################################

# Mount HKEY_CLASSES_ROOT as a PowerShell drive
New-PSDrive -PSProvider Registry -Name HKCR -Root HKEY_CLASSES_ROOT | Out-Null

# Test for HKCR:\ms-msdt
if (!(Test-Path -Path "HKCR:\ms-msdt"))
{
    # Key not found: exit 1 triggers remediation (re-import)
    Remove-PSDrive HKCR
    Exit 1
}

# Key found: no remediation needed
Remove-PSDrive HKCR
Exit 0

Worklet Remediation Code to Import/Add Registry Key:

# Variable used to specify previous export location of regkey. Script will cancel if not present
$regExportdir = "C:\regExport"

#################################################
################ BEGIN MAIN CODE ################
#################################################

# Mount HKEY_CLASSES_ROOT as a PowerShell drive
New-PSDrive -PSProvider Registry -Name HKCR -Root HKEY_CLASSES_ROOT | Out-Null

# Test for HKCR:\ms-msdt
if (!(Test-Path -Path "HKCR:\ms-msdt"))
{
    # Cancel if the previously exported .reg backup is not present
    if (!(Test-Path "$regExportdir\ms-msdt.reg"))
    {
        Write-Output "Exported regkey is not present. Cancelling..."
        Remove-PSDrive HKCR
        Exit 0
    }

    # Build arguments for reg.exe
    $regArgs = 'import ' + "$regExportdir" + '\ms-msdt.reg'

    # Import ms-msdt.reg from $regExportdir to restore HKCR:\ms-msdt
    Start-Process -FilePath "$env:Windir\system32\reg.exe" -ArgumentList "$regArgs" -Wait

    # Validation
    if (!(Test-Path -Path "HKCR:\ms-msdt"))
    {
        Write-Output "Failed to import registry key"
        Remove-PSDrive HKCR
        Exit 5
    }

    Write-Output "Successfully imported key."
    Remove-PSDrive HKCR
    Exit 0
}

Write-Output "Key is already present on this device"
Remove-PSDrive HKCR
Exit 0
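As an added example (not part of the original post or an Automox Worklet), this PowerShell ties the two updates together: it checks whether one of the June 2022 KBs listed at the top of the post is installed and whether the ms-msdt handler key is still removed, so the workaround is reverted only on patched hosts. The function name is our own, and Get-HotFix only lists KBs recorded in Win32_QuickFixEngineering, so a host carrying a later cumulative update will not show these KB numbers and must be verified another way.

```powershell
# Added example, not from the original post. Reports patch state and workaround state
# for CVE-2022-30190 on the local host.

# KB numbers from the Microsoft June 2022 update list in this post
$follinaKBs = @(
    'KB5014678', 'KB5014697', 'KB5014699', 'KB5014692', 'KB5014702', 'KB5014710',
    'KB5014738', 'KB5014746', 'KB5014747', 'KB5014741', 'KB5014748', 'KB5014742'
)

function Get-FollinaStatus {
    # Get-HotFix reads Win32_QuickFixEngineering; a later cumulative update supersedes
    # these KBs and will not be matched, so "none found" means "verify manually", not "unpatched"
    $installed = Get-HotFix -ErrorAction SilentlyContinue |
        Where-Object { $follinaKBs -contains $_.HotFixID } |
        Select-Object -ExpandProperty HotFixID

    # Check the ms-msdt protocol handler key via the Registry provider path (no PSDrive needed)
    $handlerPresent = Test-Path 'Registry::HKEY_CLASSES_ROOT\ms-msdt'

    $assessment =
        if ($installed -and $handlerPresent) { 'June 2022 KB found; handler present (workaround reverted or never applied)' }
        elseif ($installed)                  { 'June 2022 KB found; handler still removed (workaround can be reverted)' }
        elseif ($handlerPresent)             { 'No listed KB found and handler present: verify patch level or apply workaround' }
        else                                 { 'No listed KB found; workaround in place: verify patch level' }

    [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        OS              = (Get-CimInstance Win32_OperatingSystem).Caption
        FollinaKBsFound = ($installed -join ', ')
        MsMsdtHandler   = $handlerPresent
        Assessment      = $assessment
    }
}

Get-FollinaStatus | Format-List
```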


Automox for Easy IT Operations

Automox is the cloud-native IT operations platform for modern organizations. It makes it easy to keep every endpoint automatically configured, patched, and secured – anywhere in the world. With the push of a button, IT admins can fix critical vulnerabilities faster, slash cost and complexity, and win back hours in their day.

Grab your free trial of Automox and join thousands of companies transforming IT operations into a strategic business driver.
