On 05/27/2022, security researchers from the group nao_sec warned about a vulnerability in the Microsoft Windows Support Diagnostic Tool (MSDT).
The vulnerability, named “Follina” (CVE-2022-30190), allows attackers to execute arbitrary PowerShell commands and thus, for example, to install ransomware or exfiltrate data from target systems.
The vulnerability thus poses a significant risk to the IT security of the entire organization, as systems controlled by an attacker can spread malware within the organization’s network, for example.
The particular potential danger of the vulnerability lies in its relative simplicity. After downloading a suitably crafted Office document, loading the preview view in Windows Explorer activates the malicious code. Thus, the document does not need to be opened by the user, and the user interaction required to execute the malicious code is minimal. In security circles, the term “zero click exploit” is therefore used in connection with “Follina”.
The exploit does not target the well-known vulnerable implementation of VBA macros, but the “ms-msdt” protocol handler.
This protocol is the basis for Windows-internal, automated error recovery and is therefore activated by default in all Microsoft Windows versions from Windows 7, as well as Windows Server versions from Windows Server 2008.
Originally, it was assumed that “Follina” could only be exploited in connection with certain Microsoft Office versions.
In recent days, however, there has been increasing evidence that the vulnerability can also be exploited independently of Microsoft Office applications.
Building on the analysis of the exploit by security experts John Hammond and @KevTheHermit, security researchers at KALWEIT ITS were able to verify two attack vectors that do not depend on MS Office.
According to reports, however, current attack attempts still rely mainly on manipulated Office documents as the mode of malicious code distribution.
On June 03, 2022, the Threat Insight Twitter account operated by the security company Proofpoint reported an email-based campaign targeting European and U.S. (local) governments. According to unconfirmed reports, attacks on Ukrainian authorities, as well as a campaign in the Oceania region, also took place.
On 31.05.2022, the BSI responded to the incidents with a notification at its second-highest warning level, “3 / Orange” (“The IT threat situation is business-critical. Massive impairment of regular operations.”).
In Microsoft’s “Security Response Center” (MSRC), the severity of the vulnerability is rated 7.8 out of 10. Microsoft also states that it is working on a security update.
Until that update is available, both the BSI and Microsoft recommend disabling the MSDT URL protocol handler by removing its registry key.
This is done as follows:
- Run the command prompt with administrator privileges.
- Next, create a backup of the registry key so that it can be restored after the security update (or if deleting the key causes problems). This is done with the command:
reg export HKEY_CLASSES_ROOT\ms-msdt My_Filename
- Then delete the registry key with the following command:
reg delete HKEY_CLASSES_ROOT\ms-msdt /f
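The same backup, delete and restore steps as a single PowerShell script, added here as an example; it is not code from the BSI, Microsoft or KALWEIT ITS. The script name, the -BackupFile default path and the -Restore switch are assumptions of this example; the reg.exe commands are the ones given above.

```powershell
# Added example (not from the original advisory): back up and remove the
# ms-msdt URL protocol handler key, verify the result, or restore it later.
# Assumed names: -BackupFile and -Restore belong to this script only.
[CmdletBinding()]
param(
    [string]$BackupFile = "$env:ProgramData\ms-msdt-backup.reg",
    [switch]$Restore
)

$Key     = 'HKEY_CLASSES_ROOT\ms-msdt'
$KeyPath = "Registry::$Key"

# reg.exe cannot modify HKCR from a non-elevated session, so check first.
$IsAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $IsAdmin) { throw 'Run this script from an elevated PowerShell session.' }

if ($Restore) {
    # Re-import the saved key once the security update has been installed.
    if (-not (Test-Path $BackupFile)) { throw "Backup file $BackupFile not found." }
    reg.exe import $BackupFile | Out-Null
    if (-not (Test-Path $KeyPath)) { throw "Import ran but $Key is still missing." }
    Write-Host "Restored $Key from $BackupFile"
    return
}

if (-not (Test-Path $KeyPath)) {
    Write-Host "$Key is already absent; nothing to do."
    return
}

# Record which handler the protocol currently resolves to, for the change log.
$CommandKey = "$KeyPath\shell\open\command"
if (Test-Path $CommandKey) {
    $Handler = (Get-ItemProperty -Path $CommandKey).'(default)'
    Write-Host "Current ms-msdt handler: $Handler"
}

# Step 1: export the key (same as 'reg export HKEY_CLASSES_ROOT\ms-msdt <file>').
reg.exe export $Key $BackupFile /y | Out-Null
if (-not (Test-Path $BackupFile)) { throw 'Export failed; the key was NOT deleted.' }

# Step 2: delete the key (same as 'reg delete HKEY_CLASSES_ROOT\ms-msdt /f').
reg.exe delete $Key /f | Out-Null

# Step 3: verify that the handler is really gone before reporting success.
if (Test-Path $KeyPath) { throw "$Key still exists; deletion failed." }
Write-Host "Removed $Key (backup at $BackupFile)."
```

Run it without parameters to apply the mitigation, and with -Restore after the security update has been installed to put the key back from the exported file.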