Update (8/5/22): Microsoft released patches for the Follina vulnerability, CVE-2022-30190, in the June 2022 Windows Security Update.
Refer to the following security updates to close the vulnerability:
KB5014678: Windows Server 2022
KB5014697: Windows 11
KB5014699: Windows 10 Version 20H2 – 21H2, Windows Server 20H2
KB5014692: Windows 10 Version 1809 (IoT), Windows Server 2019
KB5014702: Windows 10 1607 (LTSC), Windows Server 2016
KB5014710: Windows 10 1507 (RTM, LTSC)
KB5014738: Monthly Rollup Windows Server 2012 R2, Windows RT 8.1, Windows 8.1
KB5014746: Security only Windows Server 2012 R2, Windows RT 8.1, Windows 8.1
KB5014747: Monthly Rollup Windows Server 2012
KB5014741: Security only Windows Server 2012
KB5014748: Monthly Rollup Windows Server 2008 R2, Windows 7 SP1
KB5014742: Security only Windows Server 2008 R2, Windows 7 SP1
Update (6/1/22): Over the weekend, security research team Nao_Sec released details on Twitter regarding a possible zero-day vulnerability in Microsoft Office products for Windows. Three days later, on May 30, Microsoft acknowledged the vulnerability and released temporary remediation guidance for CVE-2022-30190.
What is CVE-2022-30190?
CVE-2022-30190, now dubbed “Follina,” is a flaw in the Microsoft Support Diagnostic Tool (MSDT) that allows for remote code execution (RCE) when MSDT is called using the URL protocol from an application such as Word. Microsoft is currently scoring the vulnerability as a CVSSv3.1 7.8/10.
Microsoft notes that, when the flaw is exploited, the attacker can run arbitrary code with the privileges of the calling application and then install programs; view, change, or delete data; or create new accounts in the context allowed by the user’s rights.
Why is the Follina vulnerability severe?
Follina is a simple exploit that would require some user interaction to execute – for example, a social engineering campaign to persuade victims to open a malicious file with Microsoft Office on their Windows device.
Microsoft Office products have been a popular attack vector for social engineering campaigns, though historically attacks require macros to be enabled to be successful. Follina does not require macros to be enabled for successful exploitation.
Am I safe from Follina if I have macros disabled?
Not necessarily. The Follina vulnerability executes the code via MSDT, so the code will run even if macros are disabled. However, Microsoft Office documents opened in Protected View or Application Guard will prevent the attack.
Kevin Beaumont, Head of Security Operations Centre at Arcadia Group Ltd., notes that .RTF files previewed in Explorer are still dangerous, as Protected View becomes irrelevant there.
That said, if you regularly baseline your environment for anomalous process executions, it’s likely you would have detected an attack, since projects like LOLBAS have documented the MSDT binary since 2018. If you’re using Endpoint Detection and Response (EDR) tools and/or AppLocker policies, you should be better equipped to detect or block potential attacks than organizations that don’t.
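Because the attack surfaces as msdt.exe being launched by an Office application, or being launched through the ms-msdt: URL protocol, those two facts are enough for a first-pass triage rule. The following added example (not code from the Automox post) runs that rule over constructed, Sysmon-style process-creation records; the Key=Value|Key=Value record format, the OFFICE_HOSTS list and the sample lines are assumptions made for the example.

```python
import re

# Office hosts that have no business launching the diagnostic tool (assumed list).
OFFICE_HOSTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
# The attack calls MSDT through its URL protocol; a plain troubleshooter launch uses /id instead.
URL_SCHEME = re.compile(r"ms-msdt:", re.IGNORECASE)

def _basename(path: str) -> str:
    """Lower-cased file name from a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def parse_event(line: str) -> dict:
    """Parse one 'Key=Value|Key=Value' record (constructed format, not a real Sysmon export)."""
    fields = {}
    for part in line.strip().split("|"):
        key, _, value = part.partition("=")  # split on the first '=' only; values may contain '='
        fields[key.strip()] = value.strip()
    return fields

def triage(lines):
    """Return (record_no, parent_basename, reasons) for every msdt.exe launch matching a rule."""
    findings = []
    for n, line in enumerate(lines, 1):
        ev = parse_event(line)
        if _basename(ev.get("Image", "")) != "msdt.exe":
            continue  # only msdt.exe launches are of interest here
        parent = _basename(ev.get("ParentImage", ""))
        reasons = []
        if parent in OFFICE_HOSTS:
            reasons.append(f"msdt.exe spawned by Office host {parent}")
        if URL_SCHEME.search(ev.get("CommandLine", "")):
            reasons.append("ms-msdt: URL protocol invocation in command line")
        if reasons:
            findings.append((n, parent, reasons))
    return findings

# Constructed sample records; the /param value is a placeholder, not a real payload.
SAMPLE_EVENTS = [
    r'Image=C:\Windows\System32\msdt.exe|CommandLine="C:\Windows\System32\msdt.exe" ms-msdt:/id PCWDiagnostic /param "CONSTRUCTED_PLACEHOLDER"|ParentImage=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE',
    r'Image=C:\Windows\System32\msdt.exe|CommandLine="C:\Windows\System32\msdt.exe" /id NetworkDiagnosticsWeb|ParentImage=C:\Windows\System32\control.exe',
    r'Image=C:\Windows\System32\msdt.exe|CommandLine="C:\Windows\System32\msdt.exe" ms-msdt:/id PCWDiagnostic /param "CONSTRUCTED_PLACEHOLDER"|ParentImage=C:\Windows\explorer.exe',
    r'Image=C:\Windows\System32\notepad.exe|CommandLine=notepad.exe notes.txt|ParentImage=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE',
]

if __name__ == "__main__":
    for n, parent, reasons in triage(SAMPLE_EVENTS):
        print(f"record {n}: parent={parent}: " + "; ".join(reasons))
```

The second rule fires on its own for the Explorer-preview case the post mentions, where the parent is not an Office binary; the benign troubleshooter launch from control.exe with /id is left alone.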
Which systems are vulnerable to Follina?
Most Windows systems are vulnerable if they have Office products. Below is the full list of vulnerable systems:
Windows Server 2012 R2 (Server Core installation)
Windows Server 2012 R2
Windows Server 2012 (Server Core installation)
Windows Server 2012
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows RT 8.1
Windows 8.1 for x64-based systems
Windows 8.1 for 32-bit systems
Windows 7 for x64-based Systems Service Pack 1
Windows 7 for 32-bit Systems Service Pack 1
Windows Server 2016 (Server Core installation)
Windows Server 2016
Windows 10 Version 1607 for x64-based Systems
Windows 10 Version 1607 for 32-bit Systems
Windows 10 for x64-based Systems
Windows 10 for 32-bit Systems
Windows 10 Version 21H2 for x64-based Systems
Windows 10 Version 21H2 for ARM64-based Systems
Windows 10 Version 21H2 for 32-bit Systems
Windows 11 for ARM64-based Systems
Windows 11 for x64-based Systems
Windows Server, version 20H2 (Server Core Installation)
Windows 10 Version 20H2 for ARM64-based Systems
Windows 10 Version 20H2 for 32-bit Systems
Windows 10 Version 20H2 for x64-based Systems
Windows Server 2022 Azure Edition Core Hotpatch
Windows Server 2022 (Server Core installation)
Windows Server 2022
Windows 10 Version 21H1 for 32-bit Systems
Windows 10 Version 21H1 for ARM64-based Systems
Windows 10 Version 21H1 for x64-based Systems
Windows Server 2019 (Server Core installation)
Windows Server 2019
Windows 10 Version 1809 for ARM64-based Systems
Windows 10 Version 1809 for x64-based Systems
Windows 10 Version 1809 for 32-bit Systems
Is there a patch for Follina? What are the recommended workarounds?
No patch has been released yet. Microsoft has released a temporary workaround, which we recommend applying in the interim until patches are available.
The Automox team has created PowerShell scripts you can use in a Worklet to apply the temporary workaround across your Windows estate. These are based on the recommended workaround steps from Microsoft.
Worklet Evaluation Code to Remove Registry Key:
#################################################
################ BEGIN MAIN CODE ################
#################################################
# Mount HKEY_CLASSES_ROOT as a PSDrive
New-PSDrive -PSProvider Registry -Name HKCR -Root HKEY_CLASSES_ROOT | Out-Null
# Test for the ms-msdt URL protocol handler key
if (Test-Path -Path "HKCR:\ms-msdt")
{
    # Key found: exit 1 so the Worklet triggers remediation
    Remove-PSDrive HKCR
    Exit 1
}
# Key not found: no remediation needed
Remove-PSDrive HKCR
Exit 0
Worklet Remediation Code to Remove Registry Key:
# Variable used to specify the export location of the registry key. The directory will be created if not present
$regExportdir = "C:\regExport"
#################################################
################ BEGIN MAIN CODE ################
#################################################
# Mount HKEY_CLASSES_ROOT as a PSDrive
New-PSDrive -PSProvider Registry -Name HKCR -Root HKEY_CLASSES_ROOT | Out-Null
# Test for the ms-msdt URL protocol handler key
if (Test-Path -Path "HKCR:\ms-msdt")
{
    # Create the export directory if it does not exist
    if (!(Test-Path $regExportdir))
    {
        New-Item -Path $regExportdir -ItemType Directory | Out-Null
    }
    # Build the arguments for reg.exe
    $regArgs = 'export HKCR\ms-msdt ' + "$regExportdir" + '\ms-msdt.reg /y'
    # Export HKCR:\ms-msdt to $regExportdir so the workaround can be undone later
    Start-Process -FilePath "$env:Windir\system32\reg.exe" -ArgumentList "$regArgs" -Wait
    # Do not delete anything unless the backup actually exists
    if (!(Test-Path "$regExportdir\ms-msdt.reg"))
    {
        Write-Output "Failed to export registry key; not deleting"
        Remove-PSDrive HKCR
        Exit 5
    }
    # Delete HKCR:\ms-msdt
    Start-Process -FilePath "$env:Windir\system32\reg.exe" -ArgumentList "delete HKCR\ms-msdt /f" -Wait
    # Validation
    if (Test-Path -Path "HKCR:\ms-msdt")
    {
        Write-Output "Failed to delete registry key"
        Remove-PSDrive HKCR
        Exit 5
    }
    Write-Output "Successfully exported key to $regExportdir and deleted HKCR:\ms-msdt"
    Remove-PSDrive HKCR
    Exit 0
}
Write-Output "ms-msdt key is not present on this device"
Remove-PSDrive HKCR
Exit 0
Once patches have been released and you’ve applied them, you can undo the workaround with the following Worklet:
Worklet Evaluation Code to Import/Add Registry Key:
#################################################
################ BEGIN MAIN CODE ################
#################################################
# Mount HKEY_CLASSES_ROOT as a PSDrive
New-PSDrive -PSProvider Registry -Name HKCR -Root HKEY_CLASSES_ROOT | Out-Null
# Test for the ms-msdt URL protocol handler key
if (!(Test-Path -Path "HKCR:\ms-msdt"))
{
    # Key not found: exit 1 so the Worklet triggers remediation
    Remove-PSDrive HKCR
    Exit 1
}
# Key found: no remediation needed
Remove-PSDrive HKCR
Exit 0
Worklet Remediation Code to Import/Add Registry Key:
# Variable used to specify the previous export location of the registry key. The script will cancel if it is not present
$regExportdir = "C:\regExport"
#################################################
################ BEGIN MAIN CODE ################
#################################################
# Mount HKEY_CLASSES_ROOT as a PSDrive
New-PSDrive -PSProvider Registry -Name HKCR -Root HKEY_CLASSES_ROOT | Out-Null
# Test for the ms-msdt URL protocol handler key
if (!(Test-Path -Path "HKCR:\ms-msdt"))
{
    # Cancel if the previously exported .reg file is not present
    if (!(Test-Path "$regExportdir\ms-msdt.reg"))
    {
        Write-Output "Exported regkey is not present. Cancelling..."
        Remove-PSDrive HKCR
        Exit 0
    }
    # Build the arguments for reg.exe
    $regArgs = 'import ' + "$regExportdir" + '\ms-msdt.reg'
    # Import ms-msdt.reg from $regExportdir
    Start-Process -FilePath "$env:Windir\system32\reg.exe" -ArgumentList "$regArgs" -Wait
    # Validation
    if (!(Test-Path -Path "HKCR:\ms-msdt"))
    {
        Write-Output "Failed to import registry key"
        Remove-PSDrive HKCR
        Exit 5
    }
    Write-Output "Successfully imported key."
    Remove-PSDrive HKCR
    Exit 0
}
Write-Output "Key is already present on this device"
Remove-PSDrive HKCR
Exit 0
Automox for Easy IT Operations
Automox is the cloud-native IT operations platform for modern organizations. It makes it easy to keep every endpoint automatically configured, patched, and secured – anywhere in the world. With the push of a button, IT admins can fix critical vulnerabilities faster, slash cost and complexity, and win back hours in their day.
Grab your free trial of Automox and join thousands of companies transforming IT operations into a strategic business driver.