[0-day][Officially fixed] Microsoft Windows MSDT URI Handler Vulnerability aka "Follina" / CVE-2022-30190
-
A 0-day in Microsoft Office / 365 Apps has been reported on Twitter and news sites.
The vulnerability and attack has been analysed and verified, it has been dubbed "Follina".
The problem lies in the handling of MSDT URI's, MSDT is a diagnostics tool.
There is currently no official solution to this vulnerability.
Users should be cautious when opening Office documents and if possible, avoid opening documents from untrusted sources.
It has been reported that deleting the MS-MSDT URI handler will prevent exploitation of this vulnerability.
Before deleting the URI handler, you can make a backup of the registry data like this:
reg export HKEY_CLASSES_ROOT\ms-msdt ms-msdt-backup.regAnd delete the URI handler like this:
reg delete HKEY_CLASSES_ROOT\ms-msdt /f
(/f forces deletion of the entry in case you want to script this, else you'll be prompted to delete it)And to restore it, simply do:
reg import ms-msdt-backup.regYou can find more details about the attack and vulnerability in this report:
https://www.huntress.com/blog/microsoft-office-remote-code-execution-follina-msdt-bugOther interesting sources:
https://twitter.com/CrazymanArmy/status/1531117401181671430
https://twitter.com/nao_sec/status/1530196847679401984
https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e(30th May 2022: Updated with an extra link to Twitter and an article by Kevin Beaumont)
-
T Tom moved this topic from [Custom Software guide drafts] on
-
Microsoft has officially responded to the MSDT 0-day and confirmed it:
https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-30190It has been assigned CVE-2022-30190.
It seems clear that Microsoft's stance is that this isn't an Office / 365 Apps issue, but rather a Windows vulnerability.
This doesn't change the fact, that Office and MS 365 Apps is the current known vector.
Microsoft also recommends disabling the MSDT URI handler:
https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/Disabling this URI handler should be safe, it is rarely used. But as always, keep a backup, in case you have some third-party software that relies on this.
We will review this and may change the affected products later, but this may not happen until Microsoft releases an official fix.
-
T Tom locked this topic on
-
Microsoft has issued official fixes for the 0-day CVE-2022-30190 / Follina:
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-30190As expected, Microsoft has classified it as a Windows vulnerability.
You can see affected systems here:
https://corporate.vulndetect.com/#/applications/versions?channelTag=microsoft.windows.endrule&status=insecure&title=Microsoft WindowsNote that it requires a recent inspection, hosts that haven't inspected since 14-06-2022 20:00 CET will not report the missing KB update.
-
O OLLI_S referenced this topic on