May 31 2022

Microsoft shared workarounds for the Microsoft Office zero-day dubbed Follina

Category: Zero dayDISC @ 8:21 am

Microsoft released workarounds for a recently discovered zero-day vulnerability, dubbed Follina, in the Microsoft Office productivity suite.

Microsoft has released workarounds for a recently discovered zero-day vulnerability, dubbed Follina and tracked as 

 (CVSS score 7.8), in the Microsoft Office productivity suite.

“On Monday May 30, 2022, Microsoft issued 

 regarding the Microsoft Support Diagnostic Tool (MSDT) in Windows vulnerability.” reads the advisory published by Microsoft. “A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word. An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights.”

This week, the cybersecurity researcher nao_sec discovered a malicious Word document (“05-2022-0438.doc”) that was uploaded to VirusTotal from Belarus. The document uses the remote template feature to fetch an HTML and then uses the “ms-msdt” scheme to execute PowerShell code.

The popular cybersecurity expert Kevin Beaumont, who named the bug Follina, published an analysis of the flaw.

“The document uses the Word remote template feature to retrieve a HTML file from a remote webserver, which in turn uses the ms-msdt MSProtocol URI scheme to load some code and execute some PowerShell.” reads the analysis published by Beaumont. “There’s a lot going on here, but the first problem is Microsoft Word is executing the code via msdt (a support tool) even if macros are disabled. Protected View does kick in, although if you change the document to RTF form, it runs without even opening the document (via the preview tab in Explorer) let alone Protected View.”

The issue affects multiple Microsoft Office versions, including Office, Office 2016, and Office 2021.

Microsoft has now published a “Guidance for 

 Microsoft Support Diagnostic Tool Vulnerability.”

Microsoft recommends disabling the MSDT URL Protocol as workarounds, below are the instructions included in the guidance:

To disable the MSDT URL Protocol

Disabling MSDT URL protocol prevents troubleshooters being launched as links including links throughout the operating system. Troubleshooters can still be accessed using the Get Help application and in system settings as other or additional troubleshooters. Follow these steps to disable:

  1. Run Command Prompt as Administrator.
  2. To back up the registry key, execute the command “reg export HKEY_CLASSES_ROOT\ms-msdt filename
  3. Execute the command “reg delete HKEY_CLASSES_ROOT\ms-msdt /f”.

How to undo the workaround

  1. Run Command Prompt as Administrator.
  2. To back up the registry key, execute the command “reg import filename” 

Microsoft credited crazyman with Shadow Chaser Group, the tech giant labeled the flaw as “fixed” on April 21, 2022, and dismissed the vulnerability as “not a security issue” because the diagnostic tool requires a passkey for its execution.

Microsoft Office CVE-2022-30190 zero-day

Beginning Security with Microsoft Technologies: Protecting Office 365, Devices, and Data

DISC InfoSec

#InfoSecTools and #InfoSectraining



Tags: Microsoft, Microsoft Office zero-day