ZeroFox Threat Intelligence is tracking a newly identified vulnerability, dubbed Follina, which affects all versions of Windows. As of June 2, 2022, ZeroFox has released the following.
- The identified vulnerability, dubbed Follina, affects all versions of Windows still receiving security updates and has been designated as CVE-2022-30190.
- Chinese advanced persistent threat (APT) group TA413 has already been observed exploiting the Follina vulnerability.
- Disabling macros in Word does not prevent the exploit from being triggered; the payload can be initiated by opening a Word Document.
- CVE-2022-30190 can be triggered by viewing a weaponized Word document saved in Rich Text Format (RTF) in the Explorer preview pane.
- Workarounds are available.
Microsoft has been aware of this vulnerability since April 2022, when a security researcher using the handle "crazyman" submitted a report about the exploit. Follina has been designated as CVE-2022-30190.
Microsoft shared instructions for an official workaround through the Microsoft Security Response Center (MSRC) website on May 30, 2022. To disable the MSDT protocol handler, Microsoft suggests the following steps:
- Open Command Prompt as an administrator.
- Run "reg export HKEY_CLASSES_ROOT\ms-msdt filename", with "filename" being the name of the file that will be created as a backup.
- Run "reg delete HKEY_CLASSES_ROOT\ms-msdt /f" to delete the registry key.
To restore this functionality, administrators can once again open Command Prompt as an administrator and then run “reg import filename” where “filename” is the name of the backup file created earlier.
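The following script is an added example, not ZeroFox's or Microsoft's own code. It wraps the MSRC workaround above so that the backup is verified before the key is deleted, the restore path is the same reg import step, and a Status action lets an administrator confirm whether the workaround is in place. The default backup path under ProgramData is an assumption; reg.exe is assumed to be on the PATH.

```powershell
# Added example: apply, check, or roll back the MSRC workaround for CVE-2022-30190
# (delete the HKEY_CLASSES_ROOT\ms-msdt protocol handler key after backing it up).
# Assumes reg.exe is on PATH; the default backup path below is a constructed choice.
[CmdletBinding()]
param(
    [Parameter(Mandatory)][ValidateSet('Disable', 'Restore', 'Status')]
    [string]$Action,

    # Where the exported key is written; change to suit your environment.
    [string]$BackupFile = "$env:ProgramData\ms-msdt-backup.reg"
)

$RegKey  = 'HKEY_CLASSES_ROOT\ms-msdt'          # form reg.exe expects
$KeyPath = "Registry::$RegKey"                   # form the PowerShell provider expects

function Test-IsAdministrator {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

if (-not (Test-IsAdministrator)) {
    throw 'Run this script from an elevated (administrator) PowerShell session.'
}

switch ($Action) {
    'Status' {
        if (Test-Path $KeyPath) { 'ms-msdt handler is PRESENT (workaround not applied).' }
        else                    { 'ms-msdt handler is ABSENT (workaround applied).' }
    }
    'Disable' {
        if (-not (Test-Path $KeyPath)) {
            Write-Warning "$RegKey not found; nothing to do."
            break
        }
        # Step 1 of the MSRC guidance: export the key as a backup (/y overwrites silently).
        & reg.exe export $RegKey $BackupFile /y | Out-Null
        $backupOk = ($LASTEXITCODE -eq 0) -and (Test-Path $BackupFile) -and ((Get-Item $BackupFile).Length -gt 0)
        if (-not $backupOk) {
            throw "Backup to $BackupFile failed; the key was NOT deleted."
        }
        # Step 2: delete the handler so ms-msdt: URIs no longer launch msdt.exe.
        & reg.exe delete $RegKey /f | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "reg delete of $RegKey failed." }
        "Deleted $RegKey; backup saved to $BackupFile"
    }
    'Restore' {
        if (-not (Test-Path $BackupFile)) { throw "Backup file $BackupFile not found." }
        # Same step as the advisory's restore instruction: reg import <backup>.
        & reg.exe import $BackupFile | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "reg import of $BackupFile failed." }
        if (Test-Path $KeyPath) { "Restored $RegKey from $BackupFile" }
        else { throw 'Import completed but the key is still missing; inspect the backup file.' }
    }
}
```

Run it as `.\msdt-workaround.ps1 -Action Disable` from an elevated session, and `-Action Status` afterwards to confirm the key is gone; the Disable branch refuses to delete anything unless the exported backup exists and is non-empty, so a failed export cannot leave you without a way back.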
In addition to Microsoft’s instructions, the following recommendations should also be considered.
- Ensure antivirus and intrusion detection software is up to date with all patches and rule sets.
- Enable two-factor authentication for all organizational accounts to help mitigate phishing and credential stuffing attacks.
- Maintain regularly scheduled backup routines, including off-site storage and integrity checks.
- Avoid opening unsolicited attachments and never click suspicious links.
- Log and monitor all administrative actions as much as possible. Alert on any suspicious activity.
- Review network logs for potential signs of compromise and data egress.
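To make the logging and alerting recommendations concrete for this particular vulnerability, here is an added example (not part of the ZeroFox advisory) of a defender-side check over process-creation records. It looks for the pattern the advisory describes: an Office application handing off to the MSDT protocol handler. The field names, the list of Office host processes, and the sample records are constructed assumptions; adapt the parsing to whatever your EDR or Sysmon export actually produces.

```powershell
# Added example: flag process-creation records that match the Follina (CVE-2022-30190)
# pattern, i.e. an Office host launching msdt.exe or invoking an ms-msdt: URI.
# Field names (Time, Host, ParentImage, Image, CommandLine) are constructed; map your
# own telemetry onto them before use.
function Find-MsdtFromOffice {
    param(
        # Objects with Time, Host, ParentImage, Image and CommandLine properties.
        [Parameter(Mandatory)][object[]]$Events
    )
    # Assumption: the Office hosts that would open a weaponized document.
    $officeHosts = @('winword.exe', 'excel.exe', 'powerpnt.exe', 'outlook.exe')

    foreach ($e in $Events) {
        $parent = [IO.Path]::GetFileName($e.ParentImage).ToLowerInvariant()
        $child  = [IO.Path]::GetFileName($e.Image).ToLowerInvariant()
        $fromOffice = $officeHosts -contains $parent
        $usesMsdt   = ($child -eq 'msdt.exe') -or ($e.CommandLine -match '(?i)ms-msdt:')
        $usesUri    = $e.CommandLine -match '(?i)ms-msdt:'

        if ($fromOffice -and $usesMsdt) {
            $severity = 'High';   $reason = 'Office process launched the MSDT protocol handler'
        } elseif ($usesUri) {
            # Covers the preview-pane vector, where the parent is not an Office binary;
            # tune against your baseline, since some built-in help flows use ms-msdt: too.
            $severity = 'Medium'; $reason = 'ms-msdt: URI invoked by a non-Office parent'
        } else {
            continue
        }

        [pscustomobject]@{
            Time     = $e.Time
            Host     = $e.Host
            Parent   = $parent
            Child    = $child
            Severity = $severity
            Reason   = $reason
        }
    }
}

# Constructed sample records. The second is the advisory's scenario; the third is a
# routine troubleshooter launch that must not be flagged.
$sample = @(
    [pscustomobject]@{ Time='2022-06-02T09:14:03Z'; Host='WKS-01'
                       ParentImage='C:\Windows\explorer.exe'
                       Image='C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
                       CommandLine='WINWORD.EXE /n' }
    [pscustomobject]@{ Time='2022-06-02T09:14:09Z'; Host='WKS-01'
                       ParentImage='C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
                       Image='C:\Windows\System32\msdt.exe'
                       CommandLine='msdt.exe ms-msdt:/id CONSTRUCTED_EXAMPLE' }
    [pscustomobject]@{ Time='2022-06-02T09:20:41Z'; Host='WKS-02'
                       ParentImage='C:\Windows\System32\control.exe'
                       Image='C:\Windows\System32\msdt.exe'
                       CommandLine='msdt.exe -id NetworkDiagnosticsWeb' }
)

Find-MsdtFromOffice -Events $sample | Format-Table -AutoSize
```

On the constructed input only the second record is reported (High severity); the third shows why the rule keys on the parent process rather than on msdt.exe alone, since the built-in troubleshooters launch msdt.exe legitimately. Once the MSRC workaround above is applied, any remaining ms-msdt: invocation is itself worth a look, because the handler should no longer resolve.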