University of Wisconsin–Madison

Cybersecurity Announcement: Microsoft “Follina” zero-day in the wild (CVE-2022-30190)

About the Event

A recently disclosed zero-day vulnerability in all supported versions of Windows could allow an attacker to execute arbitrary code on affected machines. The flaw, dubbed “Follina”, exists because Windows does not properly validate URLs that invoke the Microsoft Support Diagnostic Tool (MSDT) through the ms-msdt: protocol handler; a document containing such a link can cause MSDT to run attacker-supplied commands when the document is opened. Although the vulnerability was only recently disclosed, it is being exploited in the wild and is believed to have been actively exploited since at least mid-April.

Actions to Consider

Cybersecurity recommends following Microsoft’s guidance on disabling the MSDT URL protocol handler, which consists of backing up and then deleting the HKEY_CLASSES_ROOT\ms-msdt registry key (see Microsoft’s blog below). This prevents troubleshooters from being launched via links system-wide, but users can still reach troubleshooters through other means (the Get Help application and Settings), as described in the blog.
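The workaround above, written out as an added example (this is not script from the advisory or from Microsoft’s blog; the blog gives the two reg.exe commands, which this script wraps with a backup check and a restore path). It must be run from an elevated PowerShell session. The backup file location is an assumption; pick a path you control.

```powershell
# Added example: back up and remove the ms-msdt URL protocol handler registration,
# the workaround Microsoft describes, and restore it later once a vendor fix is applied.
# Run from an elevated (Administrator) PowerShell session.

$MsdtKey    = 'HKEY_CLASSES_ROOT\ms-msdt'
$MsdtKeyPS  = "Registry::$MsdtKey"
$BackupFile = 'C:\Windows\Temp\ms-msdt-backup.reg'   # assumed location; choose a path you control

function Test-MsdtHandler {
    # Returns $true while the ms-msdt: protocol is still registered (system is unmitigated)
    Test-Path -LiteralPath $MsdtKeyPS
}

function Disable-MsdtHandler {
    if (-not (Test-MsdtHandler)) {
        Write-Host "$MsdtKey is already absent; nothing to do."
        return
    }
    # Export first so the handler can be put back after patching; /y overwrites an existing file
    reg.exe export $MsdtKey $BackupFile /y | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path -LiteralPath $BackupFile)) {
        throw "Backup of $MsdtKey failed; refusing to delete the key without a backup."
    }
    reg.exe delete $MsdtKey /f | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg delete of $MsdtKey failed (exit code $LASTEXITCODE)." }
    if (Test-MsdtHandler) { throw "$MsdtKey is still present after delete; investigate before relying on this mitigation." }
    Write-Host "ms-msdt handler removed; backup saved to $BackupFile"
}

function Restore-MsdtHandler {
    # Re-registers the handler from the backup once the vulnerability has been patched
    if (-not (Test-Path -LiteralPath $BackupFile)) { throw "No backup found at $BackupFile" }
    reg.exe import $BackupFile | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg import of $BackupFile failed (exit code $LASTEXITCODE)." }
    Write-Host "ms-msdt handler restored from $BackupFile"
}

Disable-MsdtHandler
Test-MsdtHandler   # expected to be $false once the workaround is in place
```

Test-MsdtHandler is the check to run across your fleet (for example through your endpoint management tool) to confirm the workaround actually took effect; keep the .reg backup, since Restore-MsdtHandler is the only way to put the handler back without reinstalling Windows components.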

We additionally recommend examining your systems for evidence of msdt.exe being launched with WinWord.exe as its parent process, and for evidence of sdiagnhost.exe (the process MSDT uses to run diagnostic packages) making outbound network connections.
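One way to run those two checks against the Sysmon operational log, as an added example that is not part of the advisory: it assumes Sysmon is installed with process-creation (Event ID 1) and network-connection (Event ID 3) logging enabled, and the 60-day look-back window is an assumption sized to the mid-April exploitation date mentioned above.

```powershell
# Added example: hunt for the Follina process chain (WinWord.exe -> msdt.exe) and for
# outbound connections by sdiagnhost.exe in the Sysmon operational log.
# Assumes Sysmon with Event ID 1 (process create) and Event ID 3 (network connect) enabled.

$SysmonLog = 'Microsoft-Windows-Sysmon/Operational'

function ConvertFrom-SysmonEvent {
    # Flattens a Sysmon EventRecord's <Data Name="..."> elements into a hashtable
    param([Parameter(Mandatory)][System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml  = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    $data
}

function Find-MsdtSpawnedByWord {
    param([datetime]$Since = (Get-Date).AddDays(-60))   # assumed look-back window
    $filter = @{ LogName = $SysmonLog; Id = 1; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $e = ConvertFrom-SysmonEvent $_
        # -match is case-insensitive; match on the file name so the install path does not matter
        if ($e.Image -match '\\msdt\.exe$' -and $e.ParentImage -match '\\winword\.exe$') {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Computer    = $_.MachineName
                User        = $e.User
                Parent      = $e.ParentImage
                Image       = $e.Image
                CommandLine = $e.CommandLine   # review for ms-msdt: URLs and embedded commands
            }
        }
    }
}

function Find-SdiagnhostNetworkConnections {
    param([datetime]$Since = (Get-Date).AddDays(-60))   # assumed look-back window
    $filter = @{ LogName = $SysmonLog; Id = 3; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $e = ConvertFrom-SysmonEvent $_
        # Initiated = true means the connection was outbound from this host
        if ($e.Image -match '\\sdiagnhost\.exe$' -and $e.Initiated -eq 'true') {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Computer    = $_.MachineName
                Image       = $e.Image
                Destination = "$($e.DestinationIp):$($e.DestinationPort)"
                DestHost    = $e.DestinationHostname
            }
        }
    }
}

Find-MsdtSpawnedByWord | Format-Table -AutoSize
Find-SdiagnhostNetworkConnections | Format-Table -AutoSize
```

Any hit from the first query deserves triage of the full command line and of what msdt.exe and sdiagnhost.exe spawned next; a benign troubleshooter launch from Word is very unusual. If Sysmon is not deployed, the same parent/child check can be run against Security event 4688 when command-line auditing is enabled, although that log does not record network connections.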

Event Impact

The vulnerability could allow an attacker to execute arbitrary code on affected systems with the privileges of the calling application. Users would have to open or preview a Microsoft Word document containing the malicious MSDT link for the attack to succeed. While most endpoint protection software can now detect the known exploit documents, the flaw is still considered especially dangerous: exploit code is readily available, it has been exploited in the wild for at least six weeks, and security researchers expect variants of the exploit that endpoint protection products may not immediately catch.

UW-Madison’s Office 365 instance is actively detecting and blocking attachments containing malicious MSDT links. In addition, Cisco released an indicator-of-compromise (IOC) detection for MSDT exploitation as of last night. Cybersecurity is also proactively searching for systems that may have been exploited before these protections were in place.

References

https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/
https://www.bleepingcomputer.com/news/microsoft/microsoft-shares-mitigation-for-office-zero-day-exploited-in-attacks/

Cybersecurity author: Michael Ippolito, CISSP