SecTeer VulnDetect & PatchPro Support Forum VulnDetect

[0-day][Officially fixed] Microsoft Windows MSDT URI Handler Vulnerability aka "Follina" / CVE-2022-30190

3 Posts 1 Posters 3.6k Views
  • Tom (VulnDetect Team Member)
    last edited by Tom 30 May 2022, 12:07

    A 0-day in Microsoft Office / 365 Apps has been reported on Twitter and news sites.

    The vulnerability and attack have been analysed and verified; it has been dubbed "Follina".

    The problem lies in the handling of MSDT URIs; MSDT is a diagnostics tool.

    There is currently no official solution to this vulnerability.

    Users should be cautious when opening Office documents and if possible, avoid opening documents from untrusted sources.

    It has been reported that deleting the MS-MSDT URI handler will prevent exploitation of this vulnerability.

    Before deleting the URI handler, you can make a backup of the registry data like this:
    reg export HKEY_CLASSES_ROOT\ms-msdt ms-msdt-backup.reg

    And delete the URI handler like this:
    reg delete HKEY_CLASSES_ROOT\ms-msdt /f
    (/f forces deletion of the entry in case you want to script this, else you'll be prompted to delete it)

    And to restore it, simply do:
    reg import ms-msdt-backup.reg

    You can find more details about the attack and vulnerability in this report:
    https://www.huntress.com/blog/microsoft-office-remote-code-execution-follina-msdt-bug

    Other interesting sources:
    https://twitter.com/CrazymanArmy/status/1531117401181671430
    https://twitter.com/nao_sec/status/1530196847679401984
    https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e

    (30th May 2022: Updated with an extra link to Twitter and an article by Kevin Beaumont)

    /Tom
    Download the latest SecTeer VulnDetect agent here:
    https://vulndetect.com/dl/secteerSetup.exe

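The three reg.exe commands above (export, delete, import) can be wrapped so that the handler is only removed once a backup is verified on disk, and so the result of each step is checked. The script below is an added example and is not part of the original post or of the VulnDetect product; it assumes an elevated PowerShell prompt, and the backup path under ProgramData and the function names are my own choice. It also covers the Microsoft recommendation referenced in the follow-up post, since that recommendation is the same registry change.

```powershell
# Added example (not from the original post): scripted backup, removal and
# restore of the ms-msdt URI handler, mirroring the reg.exe commands above.
# Assumptions: run elevated; backup location and function names are ours.
$Key        = 'HKEY_CLASSES_ROOT\ms-msdt'
$BackupFile = Join-Path $env:ProgramData 'ms-msdt-backup.reg'   # assumed path

function Test-MsdtHandler {
    # True while the ms-msdt protocol handler is still registered.
    return Test-Path -LiteralPath "Registry::$Key"
}

function Backup-MsdtHandler {
    if (-not (Test-MsdtHandler)) {
        Write-Host "ms-msdt handler is not present; nothing to back up."
        return $false
    }
    # /y overwrites an existing backup file without prompting.
    reg.exe export $Key $BackupFile /y | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path -LiteralPath $BackupFile)) {
        throw "Backup of $Key failed; refusing to delete without a backup."
    }
    Write-Host "Backup written to $BackupFile"
    return $true
}

function Disable-MsdtHandler {
    # Delete only after a backup has been verified on disk.
    if (-not (Backup-MsdtHandler)) { return }
    reg.exe delete $Key /f | Out-Null
    if (Test-MsdtHandler) { throw "Deletion of $Key did not take effect." }
    Write-Host "ms-msdt URI handler removed."
}

function Restore-MsdtHandler {
    # Re-registers the handler from the backup, e.g. after the official fix is installed.
    if (-not (Test-Path -LiteralPath $BackupFile)) { throw "No backup found at $BackupFile" }
    reg.exe import $BackupFile | Out-Null
    if (-not (Test-MsdtHandler)) { throw "Restore of $Key failed." }
    Write-Host "ms-msdt URI handler restored from $BackupFile."
}

# Usage:
#   Disable-MsdtHandler   # apply the workaround
#   Restore-MsdtHandler   # roll back once the official update is in place
```

The existence check before the export matters when the script is pushed to many hosts: on a machine where the key is already gone, a blind `reg export` would fail and a blind `reg delete` would report an error, so the script reports "nothing to back up" and exits instead. Keep the backup file with the host until the official update has been installed and confirmed, then restore the handler if any third-party software turns out to depend on it.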
    • Tom moved this topic from [Custom Software guide drafts] on 30 May 2022, 13:01
    • Tom (VulnDetect Team Member) @Tom
      last edited by 31 May 2022, 05:09

      Microsoft has officially responded to the MSDT 0-day and confirmed it:
      https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/
      https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-30190

      It has been assigned CVE-2022-30190.

      It seems clear that Microsoft's stance is that this isn't an Office / 365 Apps issue, but rather a Windows vulnerability.

      This doesn't change the fact that Office and MS 365 Apps are the current known vector.

      Microsoft also recommends disabling the MSDT URI handler:
      https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/

      Disabling this URI handler should be safe; it is rarely used. But as always, keep a backup, in case you have some third-party software that relies on this.

      We will review this and may change the affected products later, but this may not happen until Microsoft releases an official fix.

      /Tom

      • Tom locked this topic on 31 May 2022, 05:09
      • Tom (VulnDetect Team Member) @Tom
        last edited by 15 Jun 2022, 08:33

        Microsoft has issued official fixes for the 0-day CVE-2022-30190 / Follina:
        https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-30190

        As expected, Microsoft has classified it as a Windows vulnerability.

        You can see affected systems here:
        https://corporate.vulndetect.com/#/applications/versions?channelTag=microsoft.windows.endrule&status=insecure&title=Microsoft Windows

        Note that it requires a recent inspection; hosts that haven't inspected since 14-06-2022 20:00 CET will not report the missing KB update.

        /Tom

        • OLLI_S referenced this topic on 25 Jun 2022, 09:53