Microsoft Zero Day Vulnerability/Exploit Follina Found
A zero-day vulnerability/exploit, “Follina”, has been found affecting Microsoft Office and Microsoft Windows, from Windows 7 and Windows Server 2008 onward.
The underlying flaw is a remote code execution bug in the Microsoft Support Diagnostic Tool (MSDT).
The vulnerability/exploit can be followed in the CVE database under CVE-2022-30190:
- Follina CVE-2022-30190
The vulnerability was found in April by crazyman of the Shadow Chaser Group. Microsoft initially tagged the report as not a “security related issue”; later Microsoft closed the report and tagged it with a remote code execution impact.
It now turns out that the Chinese state-sponsored hacking group TA413 has been using the vulnerability/exploit against the Tibetan community.
If I were a betting man, and I am not, I would guess that the vulnerability/exploit has been used in other unknown attack scenarios.
CVE-2022-30190 (Follina) is exploited through the MSDT URL protocol by malicious code in Word documents when they are delivered as a .zip file and then previewed before opening.
Remediation
Microsoft said: “An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights.”
Bleeping Computer said: “To block attacks exploiting CVE-2022-30190, disable the MSDT URL protocol malicious actors abuse to launch troubleshooters and execute code on vulnerable systems. To disable the MSDT URL protocol on a Windows device, you must go through the following procedure:
- Run Command Prompt as Administrator.
- To back up the registry key, execute the command "reg export HKEY_CLASSES_ROOT\ms-msdt ms-msdt.reg"
- Execute the command "reg delete HKEY_CLASSES_ROOT\ms-msdt /f"
After Microsoft releases a CVE-2022-30190 patch, you can undo the workaround by launching an elevated command prompt and executing the "reg import ms-msdt.reg" command (filename is the name of the registry backup created when disabling the protocol).
Microsoft Defender Antivirus 1.367.719.0 or newer now also comes with detections for possible vulnerability exploitation under the following signatures:
- Trojan:Win32/Mesdetty.A
- Trojan:Win32/Mesdetty.B
- Behavior:Win32/MesdettyLaunch.A
- Behavior:Win32/MesdettyLaunch.B
- Behavior:Win32/MesdettyLaunch.C
While Microsoft says that Microsoft Office’s Protected View and Application Guard would block CVE-2022-30190 attacks, CERT/CC vulnerability analyst Will Dormann and other researchers found that the security feature will not block exploit attempts if the target previews the malicious documents in Windows Explorer.
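The backup/delete/import procedure above, written as an added PowerShell script (not code from the original post, from Bleeping Computer or from Microsoft) that refuses to delete the key unless the backup succeeded, verifies each step, and can undo the workaround after patching. It assumes an elevated session and a backup location of its own choosing.

```powershell
#Requires -RunAsAdministrator
# Added example: apply or undo the ms-msdt URL handler workaround for CVE-2022-30190.
# Run without arguments to disable the handler; run with -Restore after the patch is installed.
param([switch]$Restore)

$KeyName    = 'HKEY_CLASSES_ROOT\ms-msdt'
$BackupPath = Join-Path $env:ProgramData 'ms-msdt.reg'   # assumed location, not from the post

function Test-MsMsdtHandler {
    # True while the ms-msdt: protocol handler is still registered (the exploitable state).
    return Test-Path -Path "Registry::$KeyName"
}

function Disable-MsMsdtHandler {
    if (-not (Test-MsMsdtHandler)) {
        Write-Host "ms-msdt handler already absent; nothing to do"
        return
    }
    # Export first so the change can be reverted; /y overwrites an older backup file.
    & reg.exe export $KeyName $BackupPath /y | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path -Path $BackupPath)) {
        throw "Backup to $BackupPath failed; not deleting $KeyName"
    }
    & reg.exe delete $KeyName /f | Out-Null
    if (Test-MsMsdtHandler) {
        throw "Delete failed; $KeyName is still present"
    }
    Write-Host "ms-msdt handler removed; backup saved at $BackupPath"
}

function Restore-MsMsdtHandler {
    if (-not (Test-Path -Path $BackupPath)) {
        throw "No backup found at $BackupPath; cannot restore"
    }
    & reg.exe import $BackupPath | Out-Null
    if (-not (Test-MsMsdtHandler)) {
        throw "Import ran but $KeyName is still missing"
    }
    Write-Host "ms-msdt handler restored from $BackupPath"
}

if ($Restore) { Restore-MsMsdtHandler } else { Disable-MsMsdtHandler }
```

Test-MsMsdtHandler can also be run on its own across a fleet to confirm which machines still expose the handler.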
“Today CISA urged admins and users to disable the MSDT protocol on their Windows devices after Microsoft reported active exploitation of this vulnerability in the wild.”