Follina is a vulnerability in the Microsoft Diagnostic Tool (MSDT) ‘ms-msdt:’ URI that allows a threat actor to embed a link in Microsoft Word documents that could call out to a malicious file server, resulting in code execution by the threat actor.
Researchers at Proofpoint observed Follina being exploited in the wild by the Chinese TA413 hacking group targeting Tibet, and another state-aligned threat group targeting US and EU government agencies. More recently, these researchers also found this vulnerability being used to infect victims with Qbot malware.
Microsoft has released security updates with the June 2022 cumulative Windows Updates to address this vulnerability.
Analyst Notes
Microsoft, the Cybersecurity and Infrastructure Security Agency (CISA), and Binary Defense strongly recommend applying the June 2022 cumulative Windows Update. Systems that are configured for automatic updates should not require manual interaction.
If updating Windows is not possible, it is still recommended to disable the MSDT protocol in the registry.
To do so, open an administrator command prompt or PowerShell and execute the following:
First, backup the MSDT protocol key:
• reg export HKCRms-msdt D:Backupmsdt.reg
Then, remove the MSDT protocol key:
• reg delete HKCRms-msdt
To restore the key later, run the following:
• reg import D:backupmsdt.reg
https://www.bleepingcomputer.com/news/security/microsoft-patches-actively-exploited-follina-windows-zero-day/
https://www.cisa.gov/uscert/ncas/current-activity/2022/05/31/microsoft-releases-workaround-guidance-msdt-follina-vulnerability
