Follina (CVE-2022-30190): a vulnerability in MSDT | Kaspersky official blog
Author: Editorial Team | Date: Tue, 31 May 2022 17:31:52 +0000
Researchers have discovered another serious vulnerability in Microsoft products that potentially allows attackers to execute arbitrary code. MITRE designated this vulnerability as CVE-2022-30190, while researchers somewhat poetically named it Follina. The most disturbing thing is that there is no fix for this bug yet. What’s even worse, the vulnerability is already being actively exploited by cybercriminals. While the update is under development, all Windows users and administrators are advised to use temporary workarounds.
What is CVE-2022-30190 and what products does it affect
The CVE-2022-30190 vulnerability is contained in the Microsoft Windows Support Diagnostic Tool (MSDT), which doesn’t sound like a big deal. Unfortunately, because of the way this tool is implemented, the vulnerability can be exploited via a malicious Office document.
MSDT is an application that automatically collects diagnostic information and sends it to Microsoft when something goes wrong with Windows. The tool can be called from other applications (Microsoft Word being the most popular example) through the special MSDT URL protocol (ms-msdt). If the vulnerability is successfully exploited, an attacker is able to run arbitrary code with the privileges of the application that called MSDT — that is, in this case, with the rights of the user who opened the malicious file.
Vulnerability CVE-2022-30190 can be exploited in all operating systems of the Windows family, both desktop and server.
How attackers exploit CVE-2022-30190
As a demonstration of the attack, the researchers describe the following scenario. Attackers create a malicious office document and slip it to the victim. The most common way to do this is to send an e-mail with a malicious attachment, spiced up with some classic social engineering ploy to convince the recipient to open the file. Something like “Urgently check the contract, signing tomorrow morning” can easily do the trick.
The malicious document contains a link to an HTML file, which in turn contains JavaScript code that executes malicious commands via MSDT. As a result of successful exploitation, the attackers can install programs, view, modify or destroy data, and create new accounts — that is, do everything that is possible with the victim’s privileges in the system.
How to stay safe
As mentioned at the beginning, there is no patch yet. As a countermeasure, Microsoft recommends disabling the MSDT URL protocol. To do this, open a command prompt with administrator rights and execute the command `reg delete HKEY_CLASSES_ROOT\ms-msdt /f`. Before doing this, it is worth backing up the registry key by executing `reg export HKEY_CLASSES_ROOT\ms-msdt filename`. This way you can quickly restore the key with the `reg import filename` command as soon as this workaround is no longer needed.
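The same workaround wrapped in a script, as an added example that is not code from the Kaspersky post or from Microsoft: it refuses to delete the key unless the export succeeded, and provides the matching restore step for when the patch is installed. The backup location and the function names are assumptions.

```powershell
# Added example: apply and revert the ms-msdt URL protocol workaround safely.
# Run from an elevated PowerShell session. The backup path is an assumption.

$KeyPath    = 'HKEY_CLASSES_ROOT\ms-msdt'                        # key from Microsoft's guidance
$BackupFile = Join-Path $env:ProgramData 'ms-msdt-backup.reg'    # assumed backup location

function Test-MsdtProtocolRegistered {
    # Returns $true while the ms-msdt URL handler is still registered.
    return Test-Path -Path 'Registry::HKEY_CLASSES_ROOT\ms-msdt'
}

function Disable-MsdtProtocol {
    if (-not (Test-MsdtProtocolRegistered)) {
        Write-Host 'ms-msdt key not present; nothing to do.'
        return
    }
    # Export first; reg.exe sets a non-zero exit code if the export fails.
    & reg.exe export $KeyPath $BackupFile /y | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path -Path $BackupFile)) {
        throw "Backup to $BackupFile failed; refusing to delete the key."
    }
    & reg.exe delete $KeyPath /f | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'reg delete failed; key left in place.' }
    Write-Host "ms-msdt protocol disabled; backup saved to $BackupFile"
}

function Restore-MsdtProtocol {
    if (-not (Test-Path -Path $BackupFile)) {
        throw "No backup found at $BackupFile; cannot restore."
    }
    & reg.exe import $BackupFile | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'reg import failed.' }
    Write-Host 'ms-msdt protocol restored from backup.'
}

# Apply the workaround now; once the update is installed, run Restore-MsdtProtocol.
Disable-MsdtProtocol
```

Test-MsdtProtocolRegistered on its own is a quick way to confirm from a management script which machines still have the handler registered.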
Of course, this is only a temporary measure and you should install an update that closes the Follina vulnerability as soon as it becomes available.
The described methods of exploiting this vulnerability rely on e-mails with malicious attachments and on social engineering. We therefore recommend being even more careful than usual with e-mails from unknown senders, especially those with attached MS Office documents. For companies, it makes sense to regularly raise employee awareness of the most relevant tricks used by attackers.
In addition, all devices with Internet access should be equipped with robust security solutions. Even when someone is exploiting an unknown vulnerability, such solutions can prevent malicious code from running on a user’s machine.