Microsoft shared workarounds for the Microsoft Office zero-day dubbed Follina

Microsoft released workarounds for a recently discovered zero-day vulnerability, dubbed Follina, in the Microsoft Office productivity suite.

Microsoft has released workarounds for a recently discovered zero-day vulnerability, dubbed Follina and tracked as CVE-2022-30190 (CVSS score 7.8), in the Microsoft Office productivity suite.

“On Monday May 30, 2022, Microsoft issued CVE-2022-30190 regarding the Microsoft Support Diagnostic Tool (MSDT) in Windows vulnerability.” reads the advisory published by Microsoft. “A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word. An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights.”

This week, the cybersecurity researcher nao_sec discovered a malicious Word document (“05-2022-0438.doc”) that was uploaded to VirusTotal from Belarus. The document uses the remote template feature to fetch an HTML and then uses the “ms-msdt” scheme to execute PowerShell code.

The popular cybersecurity expert Kevin Beaumont, who named the bug Follina, published an analysis of the flaw.

“The document uses the Word remote template feature to retrieve a HTML file from a remote webserver, which in turn uses the ms-msdt MSProtocol URI scheme to load some code and execute some PowerShell.” reads the analysis published by Beaumont. “There’s a lot going on here, but the first problem is Microsoft Word is executing the code via msdt (a support tool) even if macros are disabled. Protected View does kick in, although if you change the document to RTF form, it runs without even opening the document (via the preview tab in Explorer) let alone Protected View.”

The issue affects multiple Microsoft Office versions, including Office, Office 2016, and Office 2021.

Microsoft has now published a “Guidance for CVE-2022-30190 Microsoft Support Diagnostic Tool Vulnerability.”

Microsoft recommends disabling the MSDT URL Protocol as workarounds, below are the instructions included in the guidance:

To disable the MSDT URL Protocol

Disabling MSDT URL protocol prevents troubleshooters being launched as links including links throughout the operating system. Troubleshooters can still be accessed using the Get Help application and in system settings as other or additional troubleshooters. Follow these steps to disable:

1. Run Command Prompt as Administrator.
2. To back up the registry key, execute the command “reg export HKEY_CLASSES_ROOT\ms-msdt filename“
3. Execute the command “reg delete HKEY_CLASSES_ROOT\ms-msdt /f”.

How to undo the workaround

1. Run Command Prompt as Administrator.
2. To back up the registry key, execute the command “reg import filename”

Microsoft credited crazyman with Shadow Chaser Group, the tech giant labeled the flaw as “fixed” on April 21, 2022, and dismissed the vulnerability as “not a security issue” because the diagnostic tool requires a passkey for its execution.

Security Affairs is one of the finalists for the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS. I ask you to vote for me again (even if you have already done it), because this vote is for the final.

Please vote for Security Affairs and Pierluigi Paganini in every category that includes them (e.g. sections “The Underdogs – Best Personal (non-commercial) Security Blog” and “The Tech Whizz – Best Technical Blog”)

To nominate, please visit: 

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, Microsoft Office)

[adrotate banner=”5″]

[adrotate banner=”13″]