Alert: High Severity Vulnerability in Windows Support Diagnostic Tool
A high severity remote code execution (RCE) vulnerability has been identified in the Microsoft Windows Support Diagnostic Tool (MSDT), a component of Microsoft Windows.
Designated CVE-2022-30190 and rated 7.8 (High) on the CVSS scale, it allows code execution when a user opens a crafted Office document.
The CVSS vector notes that user interaction is required (i.e. opening the malicious document); however, security researchers have identified a zero-click vector to exploit the vulnerability which, in our view, increases the severity.
By using an RTF file, a user simply browsing to the folder containing the file in Windows Explorer can trigger the exploit: the Preview pane renders the RTF document, including the embedded exploit code, without the file ever being opened.
All current versions of Windows are vulnerable. At the time of writing, no patch is available and Microsoft has not announced a timeline for one.
Proof-of-concept exploit code is publicly available, enabling any actor to craft a malicious document that exploits this vulnerability to execute arbitrary code (for example, PowerShell commands) on the target system with the privileges of the calling application (e.g. Microsoft Word), i.e. those of the logged-on user.
Threat actors may use this vulnerability to establish a foothold inside a network and to download further payloads such as ransomware or tools needed to elevate their privileges, maintain persistence, and move laterally around the network.
On May 27th, an anonymous user uploaded a document to VirusTotal, a popular malware analysis and research platform run by Google, from a Belarus IP address. The Nao Sec security team published a tweet after noticing the file and the novel exploitation technique it used.
The vulnerability has been nicknamed ‘Follina’ due to the sample file referencing 0438, the area code for Follina, Italy. Microsoft released guidance and a workaround on May 30th.
What you should do
If you are using Microsoft Windows:
- Review the Microsoft blog article (see References section below)
- Review and implement the workaround by disabling the MSDT URL protocol (the ms-msdt: handler):
  - Run Command Prompt (cmd.exe) as Administrator.
  - Back up the registry key (replace filename with the path of the .reg file to write) by executing the command:
    reg export HKEY_CLASSES_ROOT\ms-msdt filename
  - Disable the MSDT URL protocol by executing the command:
    reg delete HKEY_CLASSES_ROOT\ms-msdt /f
  - Keep the exported .reg file; once a patch is installed, the handler can be restored by importing it.
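The workaround above as a repeatable script, added here as an example (it is not Microsoft's or Sophos's code): it backs up HKEY_CLASSES_ROOT\ms-msdt to a .reg file, deletes the key, verifies the handler is gone, and keeps a restore function for re-enabling MSDT once a patch is installed. The function names and the backup path under $env:ProgramData are this example's own choices; run it from an elevated PowerShell session.

```powershell
# Added example: apply, verify and roll back the CVE-2022-30190 workaround
# (disable the ms-msdt: URL protocol handler). Not Microsoft's or Sophos's script;
# function names and the backup location below are this example's own assumptions.
# Run from an elevated PowerShell session.

$BackupPath = Join-Path $env:ProgramData 'ms-msdt-backup.reg'   # assumed backup location

function Test-MsdtProtocolEnabled {
    # Returns $true while the ms-msdt: URL protocol handler is still registered.
    # HKCR: is not a default PowerShell drive, so address the hive via the Registry:: provider.
    return Test-Path -LiteralPath 'Registry::HKEY_CLASSES_ROOT\ms-msdt'
}

function Disable-MsdtProtocol {
    if (-not (Test-MsdtProtocolEnabled)) {
        Write-Output 'ms-msdt: handler already absent; nothing to do.'
        return
    }
    # 1. Back up the key first so the workaround can be reverted once a patch is applied.
    #    /y overwrites an existing backup file without prompting.
    reg.exe export 'HKEY_CLASSES_ROOT\ms-msdt' $BackupPath /y | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path -LiteralPath $BackupPath)) {
        throw 'Registry backup failed; refusing to delete HKCR\ms-msdt without a backup.'
    }
    # 2. Remove the handler. /f suppresses the confirmation prompt.
    reg.exe delete 'HKEY_CLASSES_ROOT\ms-msdt' /f | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'reg delete failed (is the session elevated?)' }
    # 3. Verify the key is really gone before reporting success.
    if (Test-MsdtProtocolEnabled) { throw 'HKCR\ms-msdt still present after delete.' }
    Write-Output "ms-msdt: handler removed; backup saved to $BackupPath"
}

function Restore-MsdtProtocol {
    # Re-import the saved key (use after installing the patch).
    if (-not (Test-Path -LiteralPath $BackupPath)) { throw "No backup found at $BackupPath" }
    reg.exe import $BackupPath | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'reg import failed (is the session elevated?)' }
    if (-not (Test-MsdtProtocolEnabled)) { throw 'HKCR\ms-msdt was not restored.' }
    Write-Output 'ms-msdt: handler restored.'
}

Disable-MsdtProtocol
Test-MsdtProtocolEnabled   # reports the handler's current state
```

Test-MsdtProtocolEnabled on its own is useful for auditing: run it across the estate to confirm the handler is absent, and drop the trailing call to Disable-MsdtProtocol if you only want the check. The script refuses to delete the key when the export fails, so a machine is never left without a way to reverse the change.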
What Sophos MTR (Managed Threat Response) is doing
We are continuing to perform threat hunts to identify potential indicators of related suspicious activity and signs of post-exploitation tactics.
- Sophos is continuing to publish new protections against this threat, including endpoint and network-based preventions.
- The MTR team has released new detection content specifically targeting the exploit activity that we have observed.
- If signs of post-exploitation activity are observed within your estate, the MTR team will operate according to your defined response preferences.
- We are continuously monitoring for changes in attacker behaviour so that we can better detect them and protect your estate.