The bug was discovered by cybersecurity expert Kevin Beaumont and has since been given the name “Follina” It’s now being tracked as CVE-2022-30190 and Microsoft describes it as a Microsoft Windows Support Diagnostic Tool (MSDT) remote code execution vulnerability according to BleepingComputer.
Follina is particularly concerning, as this zero-day vulnerability affects all versions of Windows that are still receiving security updates. In a recent blog post, the Microsoft Security Response Center provided further details on the bug and how it can be used to attack systems running Windows 7 all the way up to Windows 11, saying:
“A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word. An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights.”
Exploiting Follina using weaponized Word documents
As with any new zero-day, Follina is already being exploited in the wild and security researchers from Proofpoint have discovered that the Chinese state-sponsored threat actor TA413 has been using the vulnerability to target the international Tibetan community.
In a tweet, the company’s researchers explained that TA413 is using malicious URLs to deliver ZIP files that contain weaponized Word documents that exploit Follina. At the same time, MalwareHunterTeam also found Word files with Chinese filenames that are currently being used to install infostealers.
It’s worth noting that attacks exploiting Follina were spotted over a month ago when sextortion threats and invitations to do an interview with Sputnik radio were both used as lures according to BleepingComputer.
Microsoft has a workaround but there’s also an unofficial patch
As it stands now, Microsoft has not yet issued any security updates to address the Follina zero-day vulnerability. However, the software giant has come up with a workaround to help keep Windows PCs protected in the meantime.
The workaround involves disabling the MSDT URL protocol on Windows devices — you’ll first need to run Command Prompt as Administrator to start the process. From here, you need to use the command reg export HKEY_CLASSES_ROOT\ms-msdt ms-msdt.reg to back up your system’s registry key before executing the command reg delete HKEY_CLASSES_ROOT\ms-msdt /f.
If you do decide to go this route, you’ll need to undo the workaround by launching an elevated command prompt and executing the command reg import ms-msdt.reg once Microsoft releases an official patch.
Speaking of patches, opatch has also created free and unofficial micropatches for Windows 11, Windows 10, Windows 7 and Windows Server 2008. While we don’t recommend installing unofficial patches, those willing to take the risk will need to first register for an opatch account before installing the opatch agent. Once launched, the agent will automatically download and apply the patch on your Windows PC.
Now that cybercriminals and even state-sponsored hackers are actively exploiting Follina in their attacks, Microsoft will likely release an official patch soon. In the meantime though, the company’s workaround should be enough for most people to protect their PCs.