Mitigating the Follina Zero-Day Vulnerability
On May 27th, 2022, a new zero-day remote code execution (RCE) vulnerability was discovered in the Microsoft Support Diagnostic Tool (MSDT). This vulnerability, CVE-2022-30190, allows an attacker to run arbitrary code with the same privileges as the application that is calling it. This means that the attacker could install programs, view or change data, delete data, or create new accounts on the system with full user rights.
The Follina vulnerability is a serious security flaw that can be exploited by attackers to execute arbitrary code on a victim's computer. This vulnerability leverages the built-in MS URL handlers to trigger msdt.exe – this process can then be used to execute PowerShell commands.
What is MSDT?
The Microsoft Support Diagnostic Tool (MSDT) is a troubleshooting and diagnostic tool that is built into the Windows operating system. MSDT can be used to invoke a troubleshooting pack at the command line or as part of an automated script, and it enables additional options without requiring user input. MSDT is designed to help identify and resolve technical issues with Microsoft products and services. In some cases, MSDT may also provide Microsoft support personnel with additional information about an issue.
To use MSDT, simply open the Windows Control Panel and click on “System and Security.” Then, click on “Diagnose Your Computer’s Problems.” From here, you will be able to select the type of issue you are experiencing and follow the prompts to resolve the issue.
What are URL Handlers?
When an application is installed on Windows, it can register a URL to launch the application with a custom link.
Windows has many default URL handlers for applications built into the operating system, including one for msdt.exe: ms-msdt:/.
How is CVE-2022-30190 being exploited?
Follina is a recently discovered malware that targets Microsoft Office products. The primary method of exploiting Follina is via phishing emails that contain malicious Office documents. These documents often contain links to external servers that host files with the ms-msdt:/ URL.
When opened, these files will infect the victim's computer with the Follina malware. Once infected, the victim's computer can be used to carry out Distributed Denial of Service (DDoS) attacks or to mine cryptocurrency. The consequences of a Follina infection can be serious, so it is important to be aware of this threat and take steps to protect yourself from it.
The Fix
Microsoft has released critical fixes for an actively exploited Windows zero-day vulnerability as part of its monthly Patch Tuesday security updates.
Also addressed by the tech giant are 55 other flaws, three of which are rated Critical, 51 are rated Important, and one is rated Moderate in severity. Separately, five other shortcomings were resolved in the Microsoft Edge browser.
As always, Microsoft recommends that users install the updates as soon as possible to keep their systems protected. The company also revealed that there are no known exploits actively targeting any of the vulnerabilities at this time.
Software Patches from Other Vendors
In addition to Microsoft, security updates have also been released by other vendors since the start of the month to rectify several vulnerabilities, including:
Adobe
AMD
Android
Apache Projects
Atlassian Confluence Server and Data Center
Cisco
Citrix
Dell
GitLab
Google Chrome
HP
Intel
Lenovo
Linux distributions Debian, Oracle Linux, Red Hat, SUSE, and Ubuntu
MediaTek
Mozilla Firefox, Firefox ESR, and Thunderbird
Qualcomm
SAP
Schneider Electric
Siemens
VMware