A zero-day remote code execution (RCE) vulnerability named “Follina” (CVE-2022-30190) was found in the Microsoft Support Diagnostic Tool (MSDT), and was discovered to be exploited in the wild on the 25th of May, 2022.
This vulnerability leverages the MS-MSDT diagnostic program to execute arbitrary code, on behalf of the user. When this vulnerability is exploited, office applications such as word can execute malicious code, and further infect the host with minimal user interaction.
Unfortunately, this new technique can be successful even if the document is opened in Protected View. Moreover, if the file is an .rtf document, the malicious code can be executed from the file explorer’s preview pane, resulting in a zero click exploitation.
Since the official Microsoft patch has not been published yet, all versions of Microsoft Office are affected at the moment.
Possible mitigation actions include:
- Enabling Microsoft Defender Attack Surface Reduction (ASR) rules (if applicable), to “Block all Office applications from creating child processes” (Set to Block Mode).
- Consider disabling the MSDT URL Protocol via Windows Registry.
- Consider Turning off the Preview Pane via Group Policy.
References:
- https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/
- https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-30190
- https://www.huntress.com/blog/microsoft-office-remote-code-execution-follina-msdt-bug
- https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e
