Microsoft Office Remote Code Execution Vulnerability aka Follina

08 Jun / 2022

Cyber Security

CVE: CVE-2022-30190

What Is Vulnerable?

Windows Office 2013 and later, including the latest patches for Office 2021

What’s Happening?

Microsoft Office is the latest victim to a remote code execution vulnerability which was publicly disclosed by Microsoft on the 31st of May. Nicknamed Follina, this vulnerability is actively being used against Australian organisations by threat actors, according to the ACSC.

How It Works

This vulnerability harnesses Microsoft Support Diagnostic Tool (MSDT) and a malicious URL baked into a word document. When the URL is clicked HTML will download from a webserver and execute arbitrary PowerShell code using the ms-msdt protocol. There are 3 key factors that cause Follina to be troubling to security researchers.

  • Remote code execution vulnerabilities in the Office suite often see a high volume of exploitation due to its ubiquity of use.
  • Pre-existing Office hardening, like removing the use of macros, is ineffective. There is also evidence to suggest that this bypasses the Protected View feature does not detect that the document is malicious when the document is in Rich Text Format (.rtf).
  • It is a one-click vulnerability. Meaning that an affected user only clicks a URL for the attack to function.
     
    What You Can Do

    Update June 8th
    For Cythera managed clients that utilize EndpointPatch Automox, we have created a worklet to remediate the Follina vulnerability whilst waiting for Microsoft to release a patch. The worklet functions by evaluating if any given host has the vulnerable key present within Windows registry, and if so backs it up to a directory of your choosing and deletes the affected key from Windows registry. This worklet can be applied to groups of hosts, and can run on a schedule, ensuring complete coverage and protection of enterprise environments.

As of the 1st of June, there are no official patches available for vulnerable versions of Office products. There is however a simple fix to remediate against this in the interim. The MSDT URI can be disabled via a registry edit in CMD or Group Policy.
 

  • Run Command Prompt as Administrator.
  • To back up the registry key, execute the command “reg export HKEY_CLASSES_ROOT\ms-msdt-backup “
  • Execute the command “reg delete HKEY_CLASSES_ROOT\ms-msdt /f”.
  • Alternatively, delete the HKEY_CLASSES_ROOT\ms-msdt registry key via group policy.

Cythera continues to monitor all managed clients and detection capabilities we have in place will likely detect any post-exploitation activities related to this vulnerability.

Resources

You may be interested in

The Ugly Side of ISO 27001 Compliance. What Happens if You Get it Wrong?

We’re going to be candid and frank here. ISO 27001 audits, and any cybersecurity compliance audits at all, can be hard to achieve and stressfu…

Read More arrow_forward

3 Security Threats Today’s Technologies Struggle To Protect You From

Why you need a comprehensive Managed Detection and Response (MDR) service now more than ever.As the security industry adapts to match the ever-e…

Read More arrow_forward

The 15 most important cybersecurity topics that every CEO needs to know in 2023.

With the New Year on its way, a number of Australian organisations are reflecting on the past year and wondering what they can be doing to impro…

Read More arrow_forward