Threat Watch

Microsoft Shares Mitigation for Office Zero-Day Exploited in Attacks

Microsoft has shared mitigation measures to block attacks exploiting CVE-2022-30190, a new remote code execution zero-day in the Microsoft Windows Support Diagnostic Tool. This vulnerability, dubbed Follina, has been seen in the wild in the form of a malicious Word document that uses the MS-MSDT URI protocol scheme to load and execute additional code.

The analyzed sample uses Microsoft Word’s remote template feature to first fetch an HTML file from a remote server. That HTML then uses the MS-MSDT URI protocol scheme to load additional code and execute PowerShell commands. Because the remote template feature is used, the initial Word document likely bypasses most security controls: it contains no malicious code itself and only references a remote template. Protected View in Microsoft Office displays a warning to users that a document using this technique may be malicious, but that protection can be bypassed by converting the document to a Rich Text Format (RTF) file, which allows the code to execute when the document is either opened or simply previewed in Explorer.

Microsoft has released guidance on how to mitigate this vulnerability while a patch is being worked on. This guidance consists of deleting a specific Registry key, which disables the MSDT URI protocol on a Windows device. Microsoft Defender Antivirus 1.367.719.0 also comes with signatures that can help detect exploitation of this vulnerability.

ANALYST NOTES

It is highly recommended to apply Microsoft’s mitigation guidance on all systems in an organization as soon as possible to help prevent exploitation of this critical vulnerability. Specifically, the guidance recommends deleting the following Registry key after first creating a backup of it:

HKEY_CLASSES_ROOT\ms-msdt
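The backup-then-delete step as an added PowerShell example; this is not Microsoft’s or Binary Defense’s script. It follows the order Microsoft’s guidance gives (export the key, then delete it) and refuses to delete anything unless the export succeeded. The backup directory path is a placeholder you should replace with your own; run it from an elevated session.

```powershell
# Added example (not Microsoft's or Binary Defense's script): back up and then remove
# the ms-msdt URI handler key named in the CVE-2022-30190 mitigation guidance.
# Assumption: C:\MitigationBackups is a placeholder backup location.

$KeyPath    = 'HKEY_CLASSES_ROOT\ms-msdt'
$BackupDir  = 'C:\MitigationBackups'
$BackupFile = Join-Path $BackupDir ('ms-msdt_{0}_{1:yyyyMMdd-HHmmss}.reg' -f $env:COMPUTERNAME, (Get-Date))

# The key may already be gone (previous run, or a build without the handler); exit cleanly then.
if (-not (Test-Path "Registry::$KeyPath")) {
    Write-Host "$KeyPath not present; nothing to do."
    return
}

New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

# 1. Export the key first so the change can be reverted with `reg import` once a patch ships.
& reg.exe export $KeyPath $BackupFile /y | Out-Null
if ($LASTEXITCODE -ne 0 -or -not (Test-Path $BackupFile)) {
    throw "Backup of $KeyPath failed (exit code $LASTEXITCODE); key left in place."
}

# 2. Only after a verified backup, delete the key. This disables the ms-msdt: URI protocol.
& reg.exe delete $KeyPath /f | Out-Null
if ($LASTEXITCODE -ne 0) {
    throw "Deletion of $KeyPath failed (exit code $LASTEXITCODE)."
}

# 3. Verify the handler is really gone before reporting success.
if (Test-Path "Registry::$KeyPath") {
    throw "$KeyPath still present after deletion."
}
Write-Host "ms-msdt handler removed; backup saved to $BackupFile"
```

Keep the exported .reg files with your change records: once Microsoft’s patch is installed, `reg import` of that file restores the handler on hosts where MSDT is still needed.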

Deleting the key can be done via Group Policy to mitigate all systems at once, or manually on individual systems with a command such as reg.exe. Likewise, exploitation of this vulnerability involves the process msdt.exe being executed, which can be alerted upon. Abnormal msdt.exe behavior, or behavior such as a Microsoft Office application spawning an msdt.exe process, can make detection of exploitation of this vulnerability feasible. Binary Defense’s Managed Detection and Response service is an excellent asset to assist with these types of detection needs. Finally, while Microsoft is still working on a patch for this vulnerability, it is highly recommended to install the patch on all systems as soon as possible once Microsoft releases it.
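The Office-spawns-msdt.exe detection described above, as an added PowerShell example that is not Binary Defense’s or Microsoft’s detection content. It runs over constructed process-creation records shaped like Sysmon Event ID 1 fields; the field names (Image, ParentImage, Computer, TimeCreated) and the list of Office parent processes are assumptions, and the sample events are made up for illustration.

```powershell
# Added example (not from the original report): flag process-creation events in which a
# Microsoft Office application is the parent of msdt.exe, and surface other msdt.exe launches
# at a lower tier so analysts can baseline normal troubleshooter use.
# Assumptions: Sysmon-style field names and the Office parent list below.

$OfficeParents = @('winword.exe', 'excel.exe', 'powerpnt.exe', 'outlook.exe', 'msaccess.exe')

function Get-ImageName {
    param([Parameter(Mandatory)] [string] $Path)
    return [System.IO.Path]::GetFileName($Path).ToLowerInvariant()
}

function Test-OfficeSpawnedMsdt {
    param([Parameter(Mandatory)] $Event)
    $child  = Get-ImageName $Event.Image
    $parent = Get-ImageName $Event.ParentImage
    return ($child -eq 'msdt.exe') -and ($OfficeParents -contains $parent)
}

function Get-MsdtAlerts {
    param([Parameter(Mandatory)] [object[]] $Events)
    foreach ($e in $Events) {
        if (Test-OfficeSpawnedMsdt $e) {
            [pscustomobject]@{
                Severity = 'High'
                Rule     = 'Office application spawned msdt.exe (CVE-2022-30190 pattern)'
                Time     = $e.TimeCreated
                Host     = $e.Computer
                Parent   = $e.ParentImage
                Image    = $e.Image
            }
        }
        elseif ((Get-ImageName $e.Image) -eq 'msdt.exe') {
            # Not the Office pairing, but still worth a look when baselining msdt.exe activity.
            [pscustomobject]@{
                Severity = 'Review'
                Rule     = 'msdt.exe launched outside Office; compare against normal troubleshooter use'
                Time     = $e.TimeCreated
                Host     = $e.Computer
                Parent   = $e.ParentImage
                Image    = $e.Image
            }
        }
    }
}

# Constructed sample events (not real telemetry).
$SampleEvents = @(
    [pscustomobject]@{ TimeCreated = '2022-05-31T09:12:04'; Computer = 'WS-017'
                       ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
                       Image       = 'C:\Windows\System32\msdt.exe' },
    [pscustomobject]@{ TimeCreated = '2022-05-31T09:15:40'; Computer = 'WS-017'
                       ParentImage = 'C:\Windows\explorer.exe'   # user opened a troubleshooter
                       Image       = 'C:\Windows\System32\msdt.exe' },
    [pscustomobject]@{ TimeCreated = '2022-05-31T09:16:02'; Computer = 'WS-022'
                       ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
                       Image       = 'C:\Windows\splwow64.exe' }   # Word printing, benign
)

# Expected: one High alert (WINWORD -> msdt.exe) and one Review entry (explorer -> msdt.exe).
Get-MsdtAlerts -Events $SampleEvents | Format-Table -AutoSize
```

On a real host the events would come from `Get-WinEvent` against the Microsoft-Windows-Sysmon/Operational log filtered to Event ID 1, mapping the Image and ParentImage fields into the same shape before calling Get-MsdtAlerts; the Office parent list should be extended to whatever Office binaries your environment actually runs.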

https://www.bleepingcomputer.com/news/microsoft/microsoft-shares-mitigation-for-office-zero-day-exploited-in-attacks/

https://www.bleepingcomputer.com/news/security/new-microsoft-office-zero-day-used-in-attacks-to-execute-powershell/

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-30190