Follina: office documents as an entrance

CVE-2022-30190, aka Follina, is a recently found vulnerability in the Microsoft Windows Support Diagnostic Tool (MSDT) that can be exploited through Office documents.
Updated on June 15, 2022: Microsoft fixed the Follina vulnerability in the June Patch Tuesday cumulative update. All Windows users should make sure the patch for CVE-2022-30190 is installed.

Researchers have discovered another serious vulnerability in Microsoft products that potentially allows attackers to execute arbitrary code. MITRE designated this vulnerability as CVE-2022-30190, while researchers somewhat poetically named it Follina. The most disturbing thing is that there’s no fix for this bug yet. What’s even worse, the vulnerability is already being actively exploited by cybercriminals. While the update is under development, all Windows users and administrators are advised to use temporary workarounds.

What is CVE-2022-30190, and what products does it affect?

The CVE-2022-30190 vulnerability is contained in the Microsoft Windows Support Diagnostic Tool (MSDT), which doesn’t sound like a big deal. Unfortunately, due to the implementation of this tool, the vulnerability can be exploited via a malicious MS Office document.

MSDT is an application that collects diagnostic information and sends it to Microsoft when something goes wrong with Windows. It can be invoked from other applications (Microsoft Word being the most common example) through the special ms-msdt: URL protocol handler. If the vulnerability is successfully exploited, an attacker can run arbitrary code with the privileges of the application that invoked MSDT, which in this case means the rights of the user who opened the malicious file.

CVE-2022-30190 can be exploited on all supported Windows versions, desktop and server alike.

How attackers exploit CVE-2022-30190

As a demonstration of an attack, the researchers who discovered it describe the following scenario. Attackers create a malicious MS Office document and somehow get it to the victim. The most common way to do this is to send an e-mail with a malicious attachment, spiced up with some classic social engineering ploy to convince the recipient to open the file. Something like “Urgently check the contract, signing tomorrow morning” can do the trick.

The malicious document does not carry the payload itself: it references an external HTML file that Word fetches when the document is opened. That HTML file contains script that invokes the ms-msdt: URL handler with crafted parameters, and MSDT ends up executing attacker-supplied commands. After successful exploitation the attackers can install programs, view, modify or destroy data, and create new accounts, that is, do anything the victim's privileges in the system allow.
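The two artifacts that chain leaves behind, a document whose relationship parts pull an OLE object from a remote URL and an HTML page whose script references the ms-msdt: scheme, can be checked statically before a file is ever opened. The following is an added example written for this page, not code from the original post or from Kaspersky; the docx and HTML samples are constructed inline, the hostname example.test is a placeholder, and the ms-msdt: URL in the sample is deliberately a stub rather than a working payload.

```python
"""Static triage for the Follina delivery chain (added example, not from the
original post). Checks (1) whether a Word package contains an OLE-object
relationship that is external and fetched over HTTP(S), which is how the
document makes Word retrieve the remote HTML, and (2) whether an HTML page
references the ms-msdt: URL scheme at all."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Standard OOXML relationship type for embedded/linked OLE objects.
OLE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"


def external_ole_targets(docx_bytes: bytes) -> list[str]:
    """Return the URLs of every OLE-object relationship in any *.rels part
    whose TargetMode is External and whose target is an http/https URL.
    Embedded OLE objects (internal targets) are normal and are ignored."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("Type") != OLE_REL:
                    continue
                if rel.get("TargetMode", "Internal") != "External":
                    continue
                target = rel.get("Target", "")
                if urlparse(target).scheme in ("http", "https"):
                    hits.append(target)
    return hits


MSDT_SCHEME = re.compile(r"ms-msdt:", re.IGNORECASE)


def invokes_msdt(html: str) -> bool:
    """Coarse indicator: True if the page text references the ms-msdt: scheme.
    Legitimate troubleshooter links can also use it, so treat a hit as a
    reason to inspect, not as a verdict."""
    return MSDT_SCHEME.search(html) is not None


def build_sample_docx(rels_xml: str) -> bytes:
    """Construct a minimal docx-like zip carrying the given document.xml.rels.
    Only the relationship part matters for the check above."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document/>")
        z.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


# Constructed samples. A normal document embeds its OLE object inside the package.
BENIGN_RELS = f"""<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="{REL_NS}">
  <Relationship Id="rId1" Type="{OLE_REL}" Target="embeddings/oleObject1.bin"/>
</Relationships>"""

# The suspicious variant adds an external OLE relationship to a remote HTML file
# (example.test is a placeholder host, not a real indicator).
SUSPICIOUS_RELS = f"""<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="{REL_NS}">
  <Relationship Id="rId1" Type="{OLE_REL}" Target="embeddings/oleObject1.bin"/>
  <Relationship Id="rId5" Type="{OLE_REL}" TargetMode="External"
                Target="http://example.test/payload.html!"/>
</Relationships>"""

# Constructed HTML: the URL is a stub, only the scheme is relevant here.
SAMPLE_HTML = """<html><body><script>
window.location.href = "ms-msdt:stub-not-a-working-payload";
</script></body></html>"""


if __name__ == "__main__":
    print("benign:", external_ole_targets(build_sample_docx(BENIGN_RELS)))
    print("suspicious:", external_ole_targets(build_sample_docx(SUSPICIOUS_RELS)))
    print("html invokes msdt:", invokes_msdt(SAMPLE_HTML))
```

Scanning every `.rels` part rather than only `word/_rels/document.xml.rels` matters because the same external-object trick can live in headers, footers or other parts; the scheme check on the HTML is intentionally loose and is meant for mail-gateway or sandbox triage, not as a sole blocking rule.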

How to stay safe

As mentioned above, there's no patch yet. In the meantime, Microsoft recommends disabling the ms-msdt: URL protocol handler. To do this, open a command prompt with administrator rights and run reg delete HKEY_CLASSES_ROOT\ms-msdt /f. Before doing so, back up the key by running reg export HKEY_CLASSES_ROOT\ms-msdt filename, so that you can restore it with reg import filename as soon as the workaround is no longer needed. Note that while the key is deleted, troubleshooters launched through ms-msdt: links will not work either, which is the expected cost of the workaround.

Of course, this is only a temporary measure, and you should install an update that closes the Follina vulnerability as soon as it becomes available.

Kaspersky security solutions successfully detect CVE-2022-30190 exploitation attempts. You can find more technical details in the Securelist post.

The described methods of exploiting this vulnerability involve the use of e-mails with malicious attachments and social engineering methods. Therefore, we recommend being even more careful than usual with e-mails from unknown senders — especially with attached MS Office documents. For companies, it makes sense to regularly raise employee awareness about the most relevant hacker tricks.

In addition, all devices with internet access should be equipped with robust security solutions. Even when someone is exploiting an unknown vulnerability, such solutions can prevent malicious code from running on a user’s machine.