Skip to content

Search the site

Microsoft zero day "Follina" demystified: What you need to know

Microsoft Support Diagnostic Tool being unhelpful...

In brief: Microsoft zero day Follina exploited in the wild since April. Redmond finally acknowledges the vulnerability late May 30, allocates CVE-2022-30190. Exploitation sees attacker share a document that calls a link directing not to the http/https but the ms-msdt (Microsoft Support Diagnostic Tool) protocol scheme.

An unpatched Microsoft zero day "readily offers threat actors code execution with just a single click – or less" according to Huntress Labs' investigation of the new threat vector, dubbed Follina by threat researcher Kevin Beaumont: "This is an enticing attack for adversaries as it is tucked inside of a Microsoft Word document without macros to trigger familiar warning signs to users – but with the ability to run remotely hosted code."

That's the view of the Huntress security team after Japan's Nao_Sec on May 27 first flagged an unusual Word document in the wild, uploaded from an IP address in Belarus -- with further samples being identified by the security community as The Stack published, suggesting wider abuse in the wild than first thought.

After days of silence as security researchers explored the vulnerability -- with threat actors no doubt also looking at how to weaponise it -- Microsoft late May 30 allocated the vulnerability CVE-2022-30190 in an out-of-band security advisory providing mitigations but no patch: "A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word" Microsoft acknowledged in the guidance.

Click here to follow us on LinkedIn

Worryingly, Huntress Labs says that instead of using Word, using "Rich Text Format file (.rtf) could trigger the invocation of this exploit with just the Preview Pane within Windows Explorer. Much like CVE-2021-40444, this extends the severity of this threat by not just “single-click” to exploit, but potentially with a “zero-click” trigger."

If you do not run phishing simulations and training, now is the time to start.

As security researcher, Rob Lee, noted: "These types of easily exploitable flaws do not appear every day. This one is trivial and a massive amount of POCs are hitting online. Learn about it, defend against it, and respond to it."

Security firm Huntress Labs warned in its non-technical overview: "The mitigations that are available are messy workarounds that the industry hasn’t had time to study the impact of. They involve changing settings in the Windows Registry, which is serious business because an incorrect Registry entry could brick your machine..."

A "quick and dirty" workaround by Red Team toolkit Mimikatz's creator Benjamin Delpy soon won plaudits for being an effective mitigator, however (left).

Exploitation of the vulnerability was first seen on April 12 and reported to Microsoft MSRC, by @crazymanarmy of Shadowchasing1, an APT hunting group.

Microsoft initially responded that it was "not a security issue" according to email screenshots.

The MSDT Microsoft zero day: How "Follina" works

MSDT is the Microsoft Support Diagnostic Tool.

One of the most straightforward explanations of how the Microsoft Follina zero day works came May 31 from Sophos, which described the exploit like this:

  • You open a booby-trapped... file
  • The document references a regular-looking https: URL that gets downloaded
  • This https: URL references an HTML file that contains some weird-looking JavaScript code
  • That JavaScript references an URL with the unusual identifier ms-msdt: in place of https (in Windows, ms-msdt: is a proprietary URL type that launches the MSDT software toolkit...)
  • The command line supplied to MSDT via the URL then causes it to run untrusted code.

Microsoft said: "If the calling application is a Microsoft Office application, by default, Microsoft Office opens documents from the internet in Protected View or Application Guard for Office, both of which prevent the current attack."

With security researchers pointing to ways to trigger the attack without using an Office application, thay may not prove hugely reassuring (it also deserves re-emphasising that no Visual Basic for Applications (VBA) Office macros are involved, so affected Office users can be hit even if macros are sensibly turned off completely.)

Huntress added: "If utilizing Microsoft Defender’s Attack Surface Reduction (ASR) rules in your environment, activating the rule “Block all Office applications from creating child processes” in Block mode will prevent this from being exploited.

"However, if you’re not yet using ASR you may wish to run the rule in Audit mode first and monitor the outcome to ensure there’s no adverse impact on end users. Another option is to remove the file type association for ms-msdt (can be done in Windows Registry HKCR:\ms-msdt or with Kelvin Tegelaar’s PowerShell snippet). When the malicious document is opened, Office will not be able to invoke ms-msdt thus preventing the malware from running. Be sure to make a backup of the registry settings before using this mitigation."

MSDT looks like a large threat surface. Expect more vulnerabilities to surface.

And why "Follina"? The original infected Word sample on Virus Total goes by the name 05-2022-0438.doc. The 0438 number is the dialling code for the area of Follina in north Italy and security researcher Kevin Beaumont who wrote the first overview of the vulnerability admits to unresolved issues with an Italian ex. That is all.

Further Reading

Take a moment to follow The Stack on LinkedIn