Application security, Distributed Workforce, Vulnerability Management

Microsoft releases guidance on ‘Follina’ vulnerability in Office products

Pictured: A logo sits outside the Microsoft pavilion at the Fira Gran Via complex on March 3, 2015, in Barcelona, Spain. (Photo by David Ramos/Getty Images)

Microsoft on Monday released guidance for a vulnerability that allows remote code execution when using the URL protocol in applications such as Microsoft Word. 

Microsoft issued CVE-2022-30190 regarding the Microsoft Support Diagnostic Tool (MSDT) in Windows vulnerability, first reported over the Memorial Day weekend by researchers with Japanese security vendor Nao Sec. 

Security researcher Kevin Beaumont named the vulnerability “Folina,” since the zero day code references 0438, which is the area code for Follina, Italy. Beaumont noted that Defender for Endpoint did not detect the exploit, which retrieves an HTML file from a remote webserver and allows PowerShell code execution.

An attacker successfully exploiting the vulnerability could run arbitrary code with the privileges of the calling application, and can then install programs, change or delete data, or even create new accounts allowed by the users’ rights, Microsoft posted on its security blog.

To disable the MDST URL Protocol, Microsoft said users should:

  • Run Command Prompt as Administrator.
  • To back up the registry key, execute the command “reg export HKEY_CLASSES_ROOTms-msdt filename“
  • Execute the command “reg delete HKEY_CLASSES_ROOTms-msdt /f”.

Microsoft said customers with Defender Antivirus should turn on cloud-delivered protection and automatic sample submission, while Defender for Endpoint customers can enable attack surface reduction rule “BlockOfficeCreateProcessRule” that blocks Office apps from creating child processes.

The U.S. Cybersecurity and Infrastructure Security Agency issued an alert Tuesday on Follina, urging users and administrators to apply the necessary workaround.

Stephen Weigand

Stephen Weigand is managing editor and production manager for SC Media. He has worked for news media in Washington, D.C., covering military and defense issues, as well as federal IT. He is based in the Seattle area.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.