Follina: office documents as an entrance
Quote:

New vulnerability CVE-2022-30190 aka Follina allows exploitation of Windows Support Diagnostic Tool via MS Office files.

Researchers have discovered another serious vulnerability in Microsoft products that potentially allows attackers to execute arbitrary code. MITRE designated this vulnerability as CVE-2022-30190, while researchers somewhat poetically named it Follina. The most disturbing thing is that there is no fix for this bug yet.

What’s even worse, the vulnerability is already being actively exploited by cybercriminals. While the update is under development, all Windows users and administrators are advised to use temporary workarounds.

What is CVE-2022-30190 and what products does it affect

The CVE-2022-30190 vulnerability is contained in the Microsoft Windows Support Diagnostic Tool (MSDT), which doesn’t sound like a big deal. Unfortunately, due to the implementation of this tool, the vulnerability can be exploited via a malicious office document.

MSDT is an application that is used to automatically collect diagnostic information and send it to Microsoft when something is going wrong with Windows. The tool can be called from other applications (Microsoft Word being the most popular example) through the special MSDT URL protocol. If the vulnerability is successfully exploited, an attacker is able to run arbitrary code with the privileges of the application that called the MSDT, that is, in this case, with the rights of the user who opened the malicious file.

Vulnerability CVE-2022-30190 can be exploited in all operating systems of the Windows family, both desktop and server.

How attackers exploit CVE-2022-30190

As a demonstration of the attack, the researchers describe the following scenario. Attackers create a malicious office document and slip it to the victim. The most common way to do this is to send an e-mail with a malicious attachment, spiced up with some classic social engineering ploy to convince the recipient to open the file. Something like “Urgently check the contract, signing tomorrow morning” can easily do the trick.

The infected file contains a link to an HTML file that contains JavaScript code that executes malicious code in the command line via MSDT. As a result of successful exploitation, the attackers can install programs, view, modify or destroy data, as well as create new accounts — that is, do everything that is possible with the victim’s privileges in the system.

How to stay safe

As mentioned at the beginning, there is no patch yet. To counteract, Microsoft recommends disabling the MSDT URL protocol. To do this, you need to run a command prompt with administrator rights and execute the command:

Code:
reg delete HKEY_CLASSES_ROOT\ms-msdt /f

Before doing this, it would be useful to back up the registry by executing:

Code:
reg export HKEY_CLASSES_ROOT\ms-msdt filename

This way you can quickly restore the registry with the command

Code:
reg import filename

as soon as this workaround is no longer needed.

Of course, this is only a temporary measure and you should install an update that closes the Follina vulnerability as soon as it becomes available.

The described methods of exploiting this vulnerability involve the use of e-mails with malicious attachments and social engineering methods. Therefore we recommend being even more careful than usual with e-mails from unknown senders, especially with attached MS Office documents. For companies it makes sense to regularly raise employee awareness about the most relevant hackers’ tricks.

In addition, all devices with Internet access should be equipped with robust security solutions. Even when someone is exploiting an unknown vulnerability, such solutions can prevent malicious code from running on a user’s machine.
...
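The three registry commands in the quoted article (export a backup, delete the ms-msdt key, import the backup later) are what most administrators scripted across their fleets while waiting for the fix. The PowerShell script below is an added example, not code from the quoted article, the forum post or Microsoft: it wraps those same reg.exe commands with the checks a practitioner wants before touching HKCR on many machines (runs elevated, key actually present, backup written before delete, key actually gone afterwards) and records which handler command line was removed. The function names, the backup folder under ProgramData and the log text are my own assumptions.

```powershell
# Added example (not from the quoted article or the post): apply the
# Follina / CVE-2022-30190 workaround described above in a checked,
# reversible way. Function names and backup location are assumptions.

$MsdtKey     = 'HKEY_CLASSES_ROOT\ms-msdt'
$MsdtKeyPath = "Registry::$MsdtKey"

function Assert-Elevated {
    # reg delete under HKCR needs an administrator token; fail early otherwise
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this from an elevated (administrator) PowerShell session.'
    }
}

function Test-MsdtProtocol {
    # True while the ms-msdt: URL protocol handler is still registered
    Test-Path -LiteralPath $MsdtKeyPath
}

function Get-MsdtHandlerCommand {
    # Reads what the handler currently launches, so the change can be logged
    $cmdKey = "$MsdtKeyPath\shell\open\command"
    if (Test-Path -LiteralPath $cmdKey) {
        (Get-ItemProperty -LiteralPath $cmdKey).'(default)'
    }
}

function Disable-MsdtProtocol {
    param(
        # Backup folder is an assumption; any path the administrator can write works
        [string]$BackupDir = (Join-Path $env:ProgramData 'FollinaWorkaround')
    )
    Assert-Elevated
    if (-not (Test-MsdtProtocol)) {
        Write-Output "$MsdtKey not present; nothing to do."
        return $null
    }
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    $stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
    $backup = Join-Path $BackupDir "ms-msdt-$stamp.reg"

    # Step 1: reg export, so that reg import can undo the change later
    & reg.exe export $MsdtKey $backup /y | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path -LiteralPath $backup)) {
        throw "Backup of $MsdtKey failed; the key was NOT deleted."
    }
    $handler = Get-MsdtHandlerCommand

    # Step 2: reg delete ... /f, then verify the key is really gone
    & reg.exe delete $MsdtKey /f | Out-Null
    if (Test-MsdtProtocol) {
        throw "$MsdtKey still exists after reg delete; backup is at $backup."
    }
    Write-Output "Removed $MsdtKey (handler was: $handler). Backup: $backup"
    return $backup
}

function Restore-MsdtProtocol {
    param([Parameter(Mandatory)][string]$BackupFile)
    # Step 3: once the official update is installed, reg import the exported file
    Assert-Elevated
    if (-not (Test-Path -LiteralPath $BackupFile)) {
        throw "Backup file $BackupFile not found."
    }
    & reg.exe import $BackupFile 2>&1 | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-MsdtProtocol)) {
        throw "reg import did not restore $MsdtKey."
    }
    Write-Output "Restored $MsdtKey from $BackupFile"
}

# Usage (elevated PowerShell):
#   $backup = Disable-MsdtProtocol             # export, delete, verify
#   Restore-MsdtProtocol -BackupFile $backup   # after the fix is installed
```

The script refuses to delete the key unless the export succeeded and the .reg file exists on disk, which is the failure mode that matters when the change is pushed to many machines: a delete without a restorable backup leaves the administrator recreating the handler by hand once the patch ships.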