Microsoft on Monday released guidance for a vulnerability that allows remote code execution when the MSDT URL protocol is invoked from applications such as Microsoft Word.
Microsoft has published CVE-2022-30190 for the Microsoft Support Diagnostic Tool (MSDT) vulnerability in Windows, first reported over Memorial Day weekend by researchers at the Japanese security vendor Nao Sec.
Security researcher Kevin Beaumont named the vulnerability "Follina", since the zero-day sample refers to 0438, which is the area code for Follina, Italy. Beaumont noted that Defender for Endpoint did not detect the exploit, which retrieves an HTML file from a remote web server and enables execution of PowerShell code.
"An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user's rights," Microsoft said in a post on its security blog.
To disable the MSDT URL protocol, Microsoft said users must:
- Run the command prompt as an administrator.
- To back up the registry key, run the command "reg export HKEY_CLASSES_ROOT\ms-msdt filename".
- Run the command "reg delete HKEY_CLASSES_ROOT\ms-msdt /f".
Microsoft said customers with Defender Antivirus should enable cloud-delivered protection and automatic sample submission, while Defender for Endpoint customers can enable the "BlockOfficeCreateProcessRule" attack surface reduction rule, which prevents Office applications from creating child processes.
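The registry workaround above and the attack surface reduction rule, as one added PowerShell script (not Microsoft's own tooling): it backs up the ms-msdt key before deleting it, refuses to delete if the backup failed, verifies the result, and keeps a restore function so the handler can be put back once a patch is applied. The ASR rule GUID is the one Microsoft's ASR reference lists for "Block all Office applications from creating child processes"; the backup path is an assumption.

```powershell
# Added example: MSDT URL protocol workaround with backup, verification and rollback.
# Run from an elevated PowerShell session on the affected Windows host.
$KeyPath    = 'HKEY_CLASSES_ROOT\ms-msdt'
$BackupFile = Join-Path $env:ProgramData ("ms-msdt-{0:yyyyMMdd-HHmmss}.reg" -f (Get-Date))  # assumed location

function Test-IsAdmin {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    (New-Object Security.Principal.WindowsPrincipal $id).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Disable-MsdtProtocol {
    if (-not (Test-IsAdmin)) { throw 'Run this from an elevated prompt.' }
    if (-not (Test-Path "Registry::$KeyPath")) {
        Write-Host "$KeyPath not present; nothing to do."
        return
    }
    # Step 1: export the key (the 'reg export' step) so the change can be reverted later.
    reg.exe export $KeyPath $BackupFile /y | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path $BackupFile)) {
        throw "Backup to $BackupFile failed; refusing to delete the key."
    }
    # Step 2: remove the handler (the 'reg delete' step) and confirm it is gone.
    reg.exe delete $KeyPath /f | Out-Null
    if (Test-Path "Registry::$KeyPath") { throw 'Key still present after delete.' }
    Write-Host "ms-msdt handler removed; backup saved to $BackupFile"
}

function Restore-MsdtProtocol([string]$FromFile) {
    # Re-imports the exported key once the vendor fix is installed.
    if (-not (Test-IsAdmin)) { throw 'Run this from an elevated prompt.' }
    if (-not (Test-Path $FromFile)) { throw "Backup file $FromFile not found." }
    reg.exe import $FromFile | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'reg import failed.' }
    Write-Host "ms-msdt handler restored from $FromFile"
}

function Enable-OfficeChildProcessBlock {
    # ASR rule "Block all Office applications from creating child processes"
    # (GUID from Microsoft's ASR rule reference). Requires Defender Antivirus.
    Add-MpPreference -AttackSurfaceReductionRules_Ids 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' `
                     -AttackSurfaceReductionRules_Actions Enabled
}

Disable-MsdtProtocol
Enable-OfficeChildProcessBlock
# After patching: Restore-MsdtProtocol -FromFile $BackupFile
```

Test the ASR rule in audit mode first on hosts with macros or add-ins that legitimately spawn processes, since Enabled blocks them outright.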
The US Cybersecurity and Infrastructure Security Agency (CISA) published an alert Tuesday on Follina, urging users and administrators to apply the necessary workaround.