Microsoft on Monday released guidance for a vulnerability that allows remote code execution when the URL protocol is invoked from applications such as Microsoft Word.
Microsoft assigned the vulnerability, which affects the Microsoft Support Diagnostic Tool (MSDT) in Windows, the identifier CVE-2022-30190; it was first reported over the Memorial Day weekend by researchers with Japanese security vendor Nao Sec.
Security researcher Kevin Beaumont named the vulnerability “Follina,” since the zero-day sample references 0438, the area code for Follina, Italy. Beaumont noted that Defender for Endpoint did not detect the exploit, which retrieves an HTML file from a remote web server and allows PowerShell code execution.
An attacker who successfully exploits the vulnerability could run arbitrary code with the privileges of the calling application, and could then install programs, change or delete data, or create new accounts in the context allowed by the user’s rights, Microsoft posted on its security blog.
To disable the MSDT URL protocol, Microsoft said users should:
- Run Command Prompt as Administrator.
- Back up the registry key by executing the command “reg export HKEY_CLASSES_ROOT\ms-msdt filename”.
- Execute the command “reg delete HKEY_CLASSES_ROOT\ms-msdt /f”.
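The same workaround as a PowerShell script, added here as an example and not Microsoft's own tooling: it checks for elevation, refuses to delete the handler unless the backup succeeded, and verifies the result. The backup directory C:\Backup is an assumed placeholder.

```powershell
# Added example: back up and remove the ms-msdt URL protocol handler, then verify.
# Run from an elevated PowerShell session. C:\Backup is a placeholder path.

$KeyPath   = 'Registry::HKEY_CLASSES_ROOT\ms-msdt'
$BackupDir = 'C:\Backup'   # placeholder; pick a location you control
$Backup    = Join-Path $BackupDir ('ms-msdt-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))

# reg.exe cannot export/delete under HKEY_CLASSES_ROOT without admin rights.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated PowerShell session.'
}

# Idempotent: if the handler is already gone, the workaround is in place.
if (-not (Test-Path -LiteralPath $KeyPath)) {
    Write-Output 'ms-msdt URL protocol handler already absent; nothing to do.'
    return
}

# Record what is currently registered for ms-msdt: links before touching it.
$handler = Get-ItemProperty -LiteralPath "$KeyPath\shell\open\command" -ErrorAction SilentlyContinue
if ($handler) { Write-Output ('Current handler: ' + $handler.'(default)') }

# Step 1: export the key so it can be restored later with 'reg import'.
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
& reg.exe export 'HKEY_CLASSES_ROOT\ms-msdt' $Backup /y | Out-Null
if ($LASTEXITCODE -ne 0 -or -not (Test-Path -LiteralPath $Backup)) {
    throw 'Backup failed; the key was NOT deleted.'
}

# Step 2: delete the key, removing the ms-msdt: protocol registration.
& reg.exe delete 'HKEY_CLASSES_ROOT\ms-msdt' /f | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'reg delete failed.' }

# Step 3: verify the handler is gone.
if (Test-Path -LiteralPath $KeyPath) { throw 'Key still present after delete.' }
Write-Output "ms-msdt handler removed. Backup saved to $Backup"
Write-Output "To undo the workaround later: reg import `"$Backup`""
```

The exported .reg file is the only record of the original handler, so keep it until the patch is applied and the workaround is reverted with reg import.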
Microsoft said customers with Defender Antivirus should turn on cloud-delivered protection and automatic sample submission, while Defender for Endpoint customers can enable the attack surface reduction rule “BlockOfficeCreateProcessRule”, which blocks Office apps from creating child processes.
The U.S. Cybersecurity and Infrastructure Security Agency issued an alert Tuesday on Follina, urging users and administrators to apply the necessary workaround.