Follina / CVE-2022-30190: New Microsoft Office zero-day

Security researchers have discovered a new Microsoft Office zero-day vulnerability that is being used in attacks to execute malicious PowerShell commands via the Microsoft Support Diagnostic Tool (MSDT) simply by opening a Word document.

Workarounds:

In Microsoft Defender's Attack Surface Reduction (ASR), enabling the rule "Block all Office applications from creating child processes" in Block mode prevents this vulnerability from being exploited, because the MSDT process is spawned as a child of the Office application.
[https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-worldwide#block-all-office-applications-from-creating-child-processes]
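The following PowerShell snippet is an added example, not part of the original post or of Microsoft's documentation, showing how to turn on that ASR rule with the built-in Defender cmdlets and then confirm it is active. The rule GUID D4F940AB-401B-4EFC-AADC-AD5F3C50688A is Microsoft's documented ID for "Block all Office applications from creating child processes"; the event IDs queried at the end (1121 for block, 1122 for audit) are the standard Defender ASR events. Run it from an elevated PowerShell session on a host with Microsoft Defender Antivirus.

```powershell
# Added example (not from the original post): enable the ASR rule
# "Block all Office applications from creating child processes" in Block mode
# and verify it took effect. Requires an elevated session and Defender AV.
$ruleId = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'

# Enable the rule in Block mode. Use 'AuditMode' instead of 'Enabled' to trial
# it first and review the resulting events before blocking.
Add-MpPreference -AttackSurfaceReductionRules_Ids $ruleId `
                 -AttackSurfaceReductionRules_Actions Enabled

# Verify: list every configured ASR rule with its action.
# Action codes: 0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn.
$prefs = Get-MpPreference
for ($i = 0; $i -lt $prefs.AttackSurfaceReductionRules_Ids.Count; $i++) {
    [pscustomobject]@{
        RuleId = $prefs.AttackSurfaceReductionRules_Ids[$i]
        Action = $prefs.AttackSurfaceReductionRules_Actions[$i]
    }
}

# Check for rule hits: Defender logs event 1121 when a rule blocks an action
# and 1122 when a rule in audit mode would have blocked one.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1121, 1122
} -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

Start in audit mode in environments where Office legitimately launches helper processes, then switch the action to Enabled once the 1122 events show no business-critical hits.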

Disable the MSDT URL protocol.

Be sure to make a backup of the registry settings before applying this mitigation. See "Guidance for CVE-2022-30190 Microsoft Support Diagnostic Tool Vulnerability" by MSRC:
[https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/]
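The PowerShell below is an added example, not the original post's or MSRC's own script, that carries out the protocol-disable workaround in the order the advice requires: export the ms-msdt key first, refuse to continue if the export fails, delete the key, and then confirm the handler is gone. The backup file location under $env:TEMP is an assumption; choose a durable path in practice. Run from an elevated prompt.

```powershell
# Added example (not from the original post): back up and then remove the
# ms-msdt URL protocol handler. Requires an elevated PowerShell session.

# Backup location is an assumption; pick a path you will keep until the patch is applied.
$backup = Join-Path $env:TEMP 'ms-msdt-backup.reg'

# 1. Export the key so the handler can be restored later.
reg export HKEY_CLASSES_ROOT\ms-msdt $backup /y
if ($LASTEXITCODE -ne 0) {
    throw "Registry backup failed (exit code $LASTEXITCODE); not deleting the key."
}

# 2. Delete the key. Without it, ms-msdt: URLs no longer launch MSDT.
reg delete HKEY_CLASSES_ROOT\ms-msdt /f
if ($LASTEXITCODE -ne 0) {
    throw "Registry delete failed (exit code $LASTEXITCODE)."
}

# 3. Verify the handler is no longer registered.
if (Test-Path 'Registry::HKEY_CLASSES_ROOT\ms-msdt') {
    Write-Warning 'ms-msdt key is still present; the mitigation did not apply.'
} else {
    Write-Output "ms-msdt protocol handler removed. Backup saved to $backup"
}

# To undo the workaround once a patch is installed:
#   reg import $backup
```

Keep the exported .reg file with your change records; it is the only way to restore the handler without reinstalling the component.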

Reference:
https://www.huntress.com/blog/microsoft-office-remote-code-execution-follina-msdt-bug
https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e
https://www.bleepingcomputer.com/news/security/new-microsoft-office-zero-day-used-in-attacks-to-execute-powershell/
