Disclaimer: I know this isn’t a unique post on the subject, and that many other outlets are covering it, but this zero-day is so serious that it needs as much coverage as possible. It simply needs shouting about.
Updated 06/06/2022 following advice from Microsoft's @reybango.
The vulnerability was reported to Microsoft by Shadow Chaser Group member @CrazymanArmy.
It exists in Microsoft Windows Support Diagnostic Tool (MSDT), enabling remote code execution. It’s been assigned a CVE and Microsoft provide details here CVE-2022-30190.
Microsoft says:
A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word. An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights.
Put more simply; it makes Arbitrary Code Execution attacks possible when previewing or opening documents.
There are two protocol handlers that need to be unregistered: ms-msdt andsearch-ms.
Microsoft were quick to publish a workaround to prevent attacks that exploit the vulnerability: <https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/>
The advice in that post is to disable the MSDT URL Protocol:
@hackerfantastic published advice here. He said "Note that this is not CVE-2022-30190 but uses the same OLEObject vector as CVE-2021-40444 and CVE-2022-30190, however as it requires additional user interaction and an outbound UNC connection the CVSS risk score is reduced. It is also currently unpatched but mitigation steps work".
The steps are:
As with all workarounds it’s on you to vet and investigate before deploying them.
There’s more detail from the nao_sec cyber security research team here.
SANS have produced an analysis and remediation video here.
Here's why, thanks @GossiTheDog!
The post Follina 0day exploit. Malicious code execution in Office docs first appeared on Pen Test Partners.