The Follina Remote Code Execution Vulnerability

Explanation and workaround for CVE-2022-30190

June 03, 2022 · 2 mins read

The Follina vulnerability

Although already mentioned back in 2020, it was this Monday, 05/30/2022, that security researchers officially reported the so-called “Follina” remote code execution vulnerability (CVE-2022-30190) in the Microsoft Support Diagnostic Tool (MSDT).

How it works

In Microsoft Office applications like Word or Excel a user can create a document from a template. The template is then downloaded from an external server. This feature can be abused: an attacker points the external reference at a server under their control, where instead of the template an HTML document is served. The HTML file contains a script tag (client-side execution) that invokes the Microsoft Support Diagnostic Tool using the ms-msdt URI scheme. The invocation parameter carries PowerShell code, which is then executed.

An unsuspecting user opens an MS Office document, and at that moment the game is over: the attacker can execute their own code. With a subsequent privilege escalation attack the attacker gains admin rights and has full control over the system. Note: the attack does not rely on macros, so it works even when macros are disabled.

Temporary workaround

The easiest way to protect your local machine is to remove the file type association for ms-msdt by deleting the ms-msdt URI scheme registry key:

  1. Open a command prompt as administrator
  2. Backup the registry key:
    reg export HKEY_CLASSES_ROOT\ms-msdt filename
  3. Delete the registry key:
    reg delete HKEY_CLASSES_ROOT\ms-msdt /f

If you want to restore the registry key later:

  1. Open a command prompt as administrator
  2. Restore the registry key:
    reg import filename
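The two procedures above (backup and delete, then restore later) combined into one script, with a check after each step so a failed backup never leads to a deletion and a failed deletion is noticed. This is an added example, not code from the original post or from Microsoft; the backup file location is an assumed placeholder and the function names are my own. It must be run from an elevated PowerShell prompt.

```powershell
# Added example (not from the original post): back up and remove the ms-msdt
# URI scheme handler as a temporary workaround for CVE-2022-30190, verify
# the result, and restore the key later. Requires an elevated prompt.
# The backup path below is an assumed placeholder; adjust it as needed.

$KeyPath    = 'HKEY_CLASSES_ROOT\ms-msdt'
$BackupFile = Join-Path $env:USERPROFILE 'ms-msdt-backup.reg'   # assumed location

function Test-MsdtHandlerPresent {
    # Returns $true while the ms-msdt URI scheme is still registered.
    return Test-Path -LiteralPath "Registry::$KeyPath"
}

function Disable-MsdtHandler {
    if (-not (Test-MsdtHandlerPresent)) {
        Write-Host "ms-msdt handler already absent; nothing to do."
        return
    }
    # Step 1: export the key so the change can be reverted later (/y overwrites
    # an existing backup file without prompting).
    reg.exe export $KeyPath $BackupFile /y 2>&1 | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path -LiteralPath $BackupFile)) {
        throw "Backup of $KeyPath failed; refusing to delete without a backup."
    }
    # Step 2: remove the handler so ms-msdt: links no longer launch MSDT.
    reg.exe delete $KeyPath /f 2>&1 | Out-Null
    if (Test-MsdtHandlerPresent) {
        throw "Deletion of $KeyPath failed (is this prompt elevated?)."
    }
    Write-Host "ms-msdt handler removed; backup saved to $BackupFile"
}

function Restore-MsdtHandler {
    # Re-import the saved key, e.g. after the vendor patch has been applied.
    if (-not (Test-Path -LiteralPath $BackupFile)) {
        throw "No backup found at $BackupFile"
    }
    reg.exe import $BackupFile 2>&1 | Out-Null
    if (-not (Test-MsdtHandlerPresent)) {
        throw "Import finished but $KeyPath is still missing."
    }
    Write-Host "ms-msdt handler restored from $BackupFile"
}

# Usage (elevated prompt):
#   Disable-MsdtHandler      # apply the workaround
#   Test-MsdtHandlerPresent  # expect False afterwards
#   Restore-MsdtHandler      # undo once the machine is patched
```

Keeping the export and the delete in one function, with the export checked first, avoids the situation where the key is gone and no backup exists to import later.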

For customers of Microsoft Defender for Endpoint it is also possible to configure Attack Surface Reduction rules in Microsoft Defender. You can find details about it in this blog post by Microsoft.

Note: By default, MS Office opens documents from the internet in Protected View or Application Guard for Office. Both of them prevent the attack. However, this offers only limited protection.

Further information