
Follina zero-day vulnerability (CVE-2022-30190)

On May 27, 2022, security researchers from the nao_sec group warned of a vulnerability in the Microsoft Windows Support Diagnostic Tool (MSDT).

The vulnerability CVE-2022-30190, named “Follina”, allows attackers to execute arbitrary PowerShell commands and thus, for example, install ransomware or exfiltrate data from the target systems.

The vulnerability therefore poses a significant risk to the IT security of the entire organization, as systems controlled by an attacker can spread malware within the organization’s network, for example.

The particular potential danger of the vulnerability lies in its relative simplicity. After a suitably prepared Office document has been downloaded, loading the preview view in Windows Explorer activates the malicious code. The document therefore does not need to be opened by the user, and the user interaction required to execute the malicious code is minimal. In security circles, “Follina” is therefore referred to as a “zero click exploit”.

The exploit does not target the notoriously vulnerable implementation of VBA macros, but rather the “ms-msdt” protocol.

This protocol is the basis for Windows-internal, automated troubleshooting and is therefore activated by default in all Microsoft Windows versions from Windows 7 and Windows Server versions from Windows Server 2008.

It was originally assumed that “Follina” could only be exploited in conjunction with certain Microsoft Office versions.

In recent days, however, there have been increasing indications that the vulnerability can also be exploited independently of Microsoft Office applications.

Building on research into the exploit by security experts John Hammond and @KevTheHermit, security researchers at KALWEIT ITS were able to verify two MS Office-independent attack vectors.

However, according to reports, current attack attempts seem to rely primarily on manipulated Office documents as the primary mode of malicious code distribution.

The Twitter account Threat Insight, operated by the security company Proofpoint, reported an email-based campaign targeting European and US (local) administrations on June 3, 2022. According to unconfirmed reports, there were also attacks on Ukrainian authorities and a campaign in the Oceanic region.

On May 31, 2022, the BSI responded to the incidents with a message at the second-highest warning level “3 / Orange” (“The IT threat situation is business-critical. Massive impairment of regular operations.”).

In Microsoft’s “Security Response Center” (MSRC), the severity of the vulnerability is rated 7.8 out of 10, and Microsoft also states that it is working on a security update.

As long as this update has not yet appeared, the BSI and Microsoft both recommend deactivating the MSDT URL protocol handler by removing its registry key.

This is achieved as follows:

  • Run the command prompt with administrator rights.
  • Next, a backup of the registry key should be created. This allows it to be restored after a security update (or if problems occur due to the deletion of the key). This is done with the command:

reg export HKEY_CLASSES_ROOT\ms-msdt My_filename

  • The registry key is then deleted with the following command:

reg delete HKEY_CLASSES_ROOT\ms-msdt /f
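The same backup-then-delete procedure as a scripted, verifiable workaround, with a restore step for after the security update. This is an added example, not part of the original advisory or a Microsoft-provided script; the backup directory under ProgramData is an assumption, adjust it to local conventions.

```powershell
# Added example: audit, back up, remove and later restore the ms-msdt protocol handler.
# Run from an elevated PowerShell session; reg.exe does the actual export/delete/import,
# exactly as in the manual steps above.
$KeyPath   = 'Registry::HKEY_CLASSES_ROOT\ms-msdt'
$BackupDir = Join-Path $env:ProgramData 'msdt-mitigation'   # assumed location

$principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from a command prompt / PowerShell with administrator rights.'
}

function Test-MsdtHandlerPresent {
    # $true while the ms-msdt URL protocol handler is still registered (system still mitigable).
    return (Test-Path -Path $KeyPath)
}

function Backup-MsdtHandler {
    # Exports HKCR\ms-msdt to a timestamped .reg file and returns the file path.
    if (-not (Test-MsdtHandlerPresent)) {
        Write-Warning 'ms-msdt key not present; nothing to back up.'
        return $null
    }
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    $file = Join-Path $BackupDir ('ms-msdt_{0:yyyyMMdd_HHmmss}.reg' -f (Get-Date))
    & reg.exe export 'HKEY_CLASSES_ROOT\ms-msdt' $file /y | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path $file)) {
        throw "Backup failed (reg.exe exit code $LASTEXITCODE); key NOT deleted."
    }
    return $file
}

function Disable-MsdtHandler {
    # Deletes the handler key only after a verified backup exists, then re-checks the key.
    $backup = Backup-MsdtHandler
    if (-not $backup) { return }
    & reg.exe delete 'HKEY_CLASSES_ROOT\ms-msdt' /f | Out-Null
    if (Test-MsdtHandlerPresent) { throw 'ms-msdt key still present after delete.' }
    Write-Host "ms-msdt handler removed. Backup: $backup"
}

function Restore-MsdtHandler {
    # Re-imports the saved key once the vendor security update is installed.
    param([Parameter(Mandatory)][string]$BackupFile)
    & reg.exe import $BackupFile | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Restore failed (reg.exe exit code $LASTEXITCODE)." }
    Write-Host 'ms-msdt handler restored.'
}

Disable-MsdtHandler
```

Test-MsdtHandlerPresent on its own is a quick way to confirm across machines that the workaround is in place.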
