Microsoft has shared mitigation measures to block attacks exploiting CVE-2022-30190, a new remote code execution zero-day in the Microsoft Windows Support Diagnostic Tool (MSDT). The vulnerability, dubbed Follina, has been exploited in the wild through a malicious Word document that invokes MSDT via the ms-msdt: URI protocol scheme in order to load and execute additional code.
The analyzed sample uses Microsoft Word's remote template feature to first fetch an HTML file from a remote server. That HTML then uses the ms-msdt: URI protocol scheme to invoke MSDT, which in turn executes PowerShell commands. Because the remote template feature is used, the initial Word document contains no malicious code itself and only references a remote template, so it can slip past security controls that scan the document statically. Protected View in Microsoft Office does warn the user when such a document is opened, but that warning is bypassed by converting the document to Rich Text Format (RTF); an RTF file triggers the code either when the file is opened or when it is merely previewed in the Explorer preview pane, without any click on a warning.
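The two artefacts of the chain described above, an external "attachedTemplate" relationship in the document's relationships part and an ms-msdt: URI in the fetched HTML, can be checked for directly. The following PowerShell is an added example for this article, not code from Microsoft or from the analyzed sample; the relationships XML and HTML it inspects are constructed here, and the host, path and diagnostic id in them are placeholders rather than real indicators.

```powershell
# Added example (not from the original article): look for the two Follina
# artefacts - an external attachedTemplate relationship in a Word document and
# an ms-msdt: URI inside HTML. Sample inputs are constructed; hostnames, paths
# and the diagnostic id are placeholders, not indicators from a real sample.

Add-Type -AssemblyName System.IO.Compression.FileSystem

$AttachedTemplateType = 'http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate'

# Parse a document.xml.rels body and return each attachedTemplate relationship
# whose target is external and is not a local file: path.
function Get-RemoteTemplateReference {
    param([Parameter(Mandatory)][string]$RelsXml)
    [xml]$doc = $RelsXml
    foreach ($rel in @($doc.Relationships.Relationship)) {
        if ($rel.Type -ne $AttachedTemplateType) { continue }
        if ($rel.TargetMode -ne 'External') { continue }
        if ($rel.Target -match '^(?i)file:') { continue }   # local template, lower risk
        [pscustomobject]@{ Id = $rel.Id; Target = $rel.Target }
    }
}

# Return every ms-msdt: URI found in HTML/JavaScript text (up to a quote or tag).
function Get-MsdtUri {
    param([Parameter(Mandatory)][string]$Text)
    [regex]::Matches($Text, '(?i)ms-msdt:[^"''<>]*') | ForEach-Object { $_.Value }
}

# Open a .docx on disk, read word/_rels/document.xml.rels from the zip and check it.
function Test-DocxRemoteTemplate {
    param([Parameter(Mandatory)][string]$Path)
    $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
    try {
        $entry = $zip.GetEntry('word/_rels/document.xml.rels')
        if ($null -eq $entry) { return @() }
        $reader = New-Object System.IO.StreamReader($entry.Open())
        try { Get-RemoteTemplateReference -RelsXml $reader.ReadToEnd() }
        finally { $reader.Dispose() }
    }
    finally { $zip.Dispose() }
}

# ---- constructed sample inputs (placeholders, not real indicators) ----
$sampleRels = @'
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>
  <Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate" Target="http://template.example.invalid/page.html!" TargetMode="External"/>
</Relationships>
'@

$sampleHtml = @'
<html><body><script>
// placeholder: a real sample carries a much longer diagnostic parameter string here
window.location.href = "ms-msdt:/id SomeDiagnostic /skip force /param PLACEHOLDER";
</script></body></html>
'@

Get-RemoteTemplateReference -RelsXml $sampleRels   # reports rId2 and its http:// target
Get-MsdtUri -Text $sampleHtml                      # reports the ms-msdt: URI
# Test-DocxRemoteTemplate -Path 'C:\samples\suspect.docx'   # same check on a file
```

The relationship check flags only external, non-file targets, so a document that merely attaches a local template is not reported. Note that it covers .docx only; an RTF variant of the same lure must be inspected for the template reference as text, since RTF has no zip container.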
Microsoft has released guidance on how to mitigate this vulnerability while a patch is being worked on. The guidance is to back up and then delete the Registry key that registers the ms-msdt: protocol handler (HKEY_CLASSES_ROOT\ms-msdt), which disables the MSDT URI protocol on the device; the backup allows the handler to be restored once the fix is installed. Microsoft Defender Antivirus build 1.367.719.0 and later also ships signatures that can detect exploitation of this vulnerability.
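The workaround above, applied, verified and reverted from PowerShell. This is an added example and not Microsoft's own script; it wraps the reg.exe export and delete of HKEY_CLASSES_ROOT\ms-msdt that Microsoft's guidance describes, and it assumes a backup location under ProgramData that is this example's choice, not one Microsoft specifies. It must be run from an elevated (Administrator) PowerShell.

```powershell
# Added example (not Microsoft's script): apply, verify and revert the interim
# workaround of backing up and deleting HKEY_CLASSES_ROOT\ms-msdt.
# Run from an elevated PowerShell. $BackupPath is an assumed location.

$MsdtKey    = 'HKEY_CLASSES_ROOT\ms-msdt'
$BackupPath = Join-Path $env:ProgramData 'ms-msdt-backup.reg'   # assumption

# True while the ms-msdt: protocol handler is still registered.
function Test-MsdtHandlerRegistered {
    Test-Path -Path "Registry::$MsdtKey"
}

# Export the key, then delete it. Returns $true when the handler is gone.
function Disable-MsdtHandler {
    param([string]$Backup = $BackupPath)
    if (-not (Test-MsdtHandlerRegistered)) {
        Write-Host "$MsdtKey is already absent; nothing to do."
        return $true
    }
    # Back up first so the handler can be restored once the patch is installed.
    & reg.exe export $MsdtKey $Backup /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Backup of $MsdtKey to $Backup failed; key left in place." }
    & reg.exe delete $MsdtKey /f | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Deleting $MsdtKey failed." }
    return -not (Test-MsdtHandlerRegistered)
}

# Re-import the backup after the fix is installed. Returns $true when restored.
function Restore-MsdtHandler {
    param([string]$Backup = $BackupPath)
    if (-not (Test-Path -Path $Backup)) { throw "No backup found at $Backup." }
    & reg.exe import $Backup | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Import of $Backup failed." }
    return Test-MsdtHandlerRegistered
}

# True when the installed Defender signature package is at or past the version
# the article cites as adding detections for this exploitation.
function Test-DefenderSignatureCurrent {
    $status  = Get-MpComputerStatus -ErrorAction Stop
    $current = [version]($status.AntivirusSignatureVersion)
    return ($current -ge [version]'1.367.719.0')
}

Disable-MsdtHandler
"ms-msdt handler still registered: $(Test-MsdtHandlerRegistered)"
"Defender signatures at or after 1.367.719.0: $(Test-DefenderSignatureCurrent)"
# Restore-MsdtHandler   # run once the fix for CVE-2022-30190 has been installed
```

Disable-MsdtHandler refuses to delete the key if the export fails, so a failed backup never leaves the device without a way back. Deleting the handler disables every ms-msdt: link, including legitimate troubleshooter launches, which is why the restore step is kept alongside it.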