Workaround For One-Click 0Day Vulnerability Follina

Microsoft announced its workaround for a zero-day vulnerability that has already been used by hackers. A threat actor already has exploited the vulnerability to target organizations in Russia and Tibet, researchers said. This vulnerability was identified back in April and is dubbed ‘Follina’.

The flaw sits in one of Microsoft’s own tools. The remote code execution (RCE) flaw, tracked as CVE-2022-3019, is associated with the Microsoft Support Diagnostic Tool (MSDT), which, ironically, itself collects information about bugs in the company’s products and reports it to Microsoft Support.

If hackers get into your system, they can install programs, view, change, or delete your data, or create new accounts.

“A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word,” Microsoft explained in its guidance on the Microsoft Security Response Center. “An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application.”

When this potential vulnerability was reported, Microsoft didn’t think the problem was a big deal. Now the company admits it made a mistake. The flaw is back in the news, and researchers from Japanese security firm nao_sec are warning that it’s being used to target people in Belarus.

 

The Risk

The vulnerability is a significant risk because it is easy to exploit, security researchers noted. It affects a wide variety of users because it exists in all currently supported Windows versions and can be exploited via Microsoft Office versions 2013 through Office 2019, Office 2021, Office 365, and Office ProPlus.

I know, this sounds complicated, but stay with me. This flaw doesn’t require any action on the part of users. Just get them to visit a website, and bad things will happen to them. But don’t worry, it gets worse. Once the user’s computer is infected with malicious code, the attacker can control it remotely.

 

The Workaround

Microsoft has recommended that users disable the MSDT URL protocol to mitigate this flaw. “This prevents troubleshooters from being launched as links throughout the operating system,” Microsoft said in its advisory.

To disable it, follow these steps:

1. Run Command Prompt as Administrator.
2. Back up the registry key by executing the command "reg export HKEY_CLASSES_ROOT\ms-msdt filename".
3. Execute the command "reg delete HKEY_CLASSES_ROOT\ms-msdt /f".
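The steps above as one PowerShell script, added here as an example and not taken from Microsoft's advisory or the original post: it refuses to delete the key unless the backup was written, and confirms the handler is gone afterwards. The backup directory, the file name and the closing "reg import" restore hint are assumptions that do not appear in the article.

```powershell
#Requires -RunAsAdministrator
# Added example: back up, then delete, the ms-msdt URL protocol handler.
# $BackupDir and the backup file name are assumptions, not from the article.
param(
    [string]$BackupDir = "$env:ProgramData\msdt-workaround"   # hypothetical location
)

$KeyReg = 'HKEY_CLASSES_ROOT\ms-msdt'   # key named in the article
$KeyPs  = "Registry::$KeyReg"           # same key through the PowerShell registry provider

function Test-MsdtHandler { Test-Path -LiteralPath $KeyPs }

# Idempotent: a host that already has the workaround is left untouched.
if (-not (Test-MsdtHandler)) {
    Write-Output "ms-msdt handler is not registered; nothing to do."
    return
}

# Step 2 of the article: export the key, and stop if the backup is missing or empty.
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$backup = Join-Path $BackupDir "ms-msdt-$env:COMPUTERNAME-$stamp.reg"
& reg.exe export $KeyReg $backup /y | Out-Null
if ($LASTEXITCODE -ne 0 -or -not (Test-Path $backup) -or (Get-Item $backup).Length -eq 0) {
    throw "Backup of $KeyReg failed; key left in place."
}

# Step 3 of the article: delete the handler, then verify it is really gone.
& reg.exe delete $KeyReg /f | Out-Null
if ($LASTEXITCODE -ne 0 -or (Test-MsdtHandler)) {
    throw "Delete of $KeyReg failed; handler is still registered."
}

Write-Output "Handler removed. Backup: $backup"
Write-Output "To restore later: reg import `"$backup`""
```

Running it a second time on the same machine reports that the handler is not registered and changes nothing, which makes it safe to push through a management tool.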

I hope this article was helpful. If you have any questions, please feel free to contact me. If you would like to be notified when I create a new post, you can subscribe to my blog alert.

Patrick Domingues
