The recently discovered Follina vulnerability in the Microsoft Support Diagnostic Tool has been causing all kinds of harm through weaponized Word documents. The vulnerability was publicly identified in May but has reportedly been exploited for nearly a month, making headlines in the cybersecurity world and raising doubts about the safety of one of the most widely used applications, MS Word. Microsoft has responded to the zero-day vulnerability and shared mitigation advice that you can use to block attacks before the official patch arrives.

 

What is Follina?

Follina is a security vulnerability disclosed at the end of May 2022. Officially tracked as CVE-2022-30190, Follina is a zero-day vulnerability, i.e., one that attackers began exploiting before the vendor knew about it or had a patch available. Follina affects the MSDT (Microsoft Windows Support Diagnostic Tool) through remote code execution: a successful exploit lets cybercriminals run code with the rights of the user who opened the document, and so install programs, manipulate data, or create additional accounts.

 

Does Follina Originate in MS Word?

The quick answer is no; MS Word is safe to use, and Follina does not originate in MS Word. Follina gains entry to systems via the MSDT, a tool that various Microsoft applications use. Kevin Beaumont, a cybersecurity researcher and one of the earliest people to report on Follina, shared revelations about the vulnerability after careful analysis.

Follina leverages MS Word’s remote template feature. Using this feature, a Word document can retrieve an HTML (Hyper Text Markup Language) file from a remote server; that HTML file uses Microsoft’s ms-msdt URL (Uniform Resource Locator) scheme to invoke MSDT, which in turn runs PowerShell scripts, i.e., Microsoft’s task-automation tooling, which can interact with the Internet. In this way cybercriminals can download malware onto your device or upload your system files and data.
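As an added illustration (not part of the original article), the following Python triage script turns the two facts above into defender-side checks: it parses a .docx for an external attached-template relationship that points at an http(s) server, and it scans text (for example a fetched HTML file) for the ms-msdt: URI scheme. The sample document and URLs it builds are constructed test data, not real indicators.

```python
"""Triage helper for Follina-style documents (CVE-2022-30190): flag a .docx
that declares an EXTERNAL attachedTemplate relationship pointing at an http(s)
URL (remote-template delivery) and any text that carries an ms-msdt: URI."""
import io
import re
import xml.etree.ElementTree as ET
import zipfile

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
TEMPLATE_REL = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                "relationships/attachedTemplate")
MSDT_URI = re.compile(r"ms-msdt:[^\s\"'<>]*", re.IGNORECASE)

def remote_template_targets(docx_bytes):
    """Return external http(s) template URLs declared in the .docx."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if "word/_rels/settings.xml.rels" not in zf.namelist():
            return hits  # no settings relationships, so no attached template
        root = ET.fromstring(zf.read("word/_rels/settings.xml.rels"))
        for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
            target = rel.get("Target", "")
            if (rel.get("Type") == TEMPLATE_REL
                    and rel.get("TargetMode") == "External"
                    and target.lower().startswith(("http://", "https://"))):
                hits.append(target)  # template fetched from a remote server
    return hits

def msdt_uris(text):
    """Return every ms-msdt: URI found in text, e.g. a fetched HTML page."""
    return MSDT_URI.findall(text)

def build_sample_docx(template_url):
    """Construct a minimal .docx with a remote-template relationship (test data only)."""
    rels = (f'<Relationships xmlns="{RELS_NS}"><Relationship Id="rId1" '
            f'Type="{TEMPLATE_REL}" Target="{template_url}" TargetMode="External"/>'
            '</Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/settings.xml", "<w:settings/>")  # placeholder body
        zf.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()

if __name__ == "__main__":
    doc = build_sample_docx("http://constructed.example.invalid/template.html")
    print("remote template(s):", remote_template_targets(doc))
    print("ms-msdt URIs:", msdt_uris('<a href="ms-msdt:CONSTRUCTED-SAMPLE">open</a>'))
```

A document that legitimately attaches a template from a local path or a file share will not be flagged, because only http(s) targets with TargetMode="External" are reported.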

Testing Follina against various MS Office versions revealed that the exploit works on the latest versions of:

  • MS Office 2013
  • MS Office 2016
  • MS Office 2019
  • MS Office 2021

Follina has also been observed on MS Office ProPlus and Office 365.

 

Follina’s Earliest Attacks

Although the Follina vulnerability was disclosed at the end of May, experts found traces of its use throughout the preceding month. An independent security research team found a Follina sample that originated from an IP (Internet Protocol) address in Belarus. Malicious MS Word documents were also reported to have been used by cybercriminals in April, indicating that Follina was being exploited then as well.

The Follina vulnerability was also exploited by “TA413”, a Chinese APT group, to deliver backdoors onto victims’ systems using MSDT’s URL protocol. Experts argue that the Follina vulnerability has existed for quite some time. 2ero, a senior security researcher, started a Twitter thread laying out the entire timeline, starting in October 2022, and its recent exploitation by cybercriminals in various countries, including Nepal, India, the Philippines, Russia, and Belarus.

 

How to Keep Safe from the Follina Vulnerability?

The MSRC (Microsoft Security Response Center) has released guidance on the steps you can take to protect yourself from the Follina vulnerability until a permanent patch is released.

Protected View, built into MS Office applications, serves as the first layer of protection and blocks Follina attacks. In addition, you can employ several methods to protect yourself against Follina exploitation, i.e., CVE-2022-30190.

 

Disabling MSDT

A quick workaround for the Follina vulnerability is disabling the MSDT URL protocol altogether. Once it is disabled, MS troubleshooters can no longer be launched as links, which keeps your system protected against Follina exploitation attacks (troubleshooters remain reachable through the Get Help application and system settings). You can disable the MSDT URL protocol by:

  1. Running Cmd (Command Prompt) as Administrator.
  2. Backing up the registry key and then deleting it by executing the following commands one by one (replace filename with the path of your backup file).
    • reg export HKEY_CLASSES_ROOT\ms-msdt filename
    • reg delete HKEY_CLASSES_ROOT\ms-msdt /f

If you later wish to undo this and re-enable MSDT, run the following.

    • reg import filename

 

Microsoft Defender and Tools

You can use several Microsoft Defender services to protect against Follina exploitation. These include:

1. MDAV (Microsoft Defender Antivirus)

The latest MDAV detects and blocks the threat under the following signatures.

  • Trojan:Win32/Mesdetty.A
  • Trojan:Win32/Mesdetty.B
  • Trojan:Win32/MesdettyScript.A
  • Trojan:Win32/MesdettyScript.B
  • Behavior:Win32/MesdettyLaunch.A!blk

Detection requires security intelligence build 1.367.851.0 or higher. Furthermore, you can turn on cloud-delivered protection, which integrates AI and ML (Artificial Intelligence and Machine Learning) capabilities for automated and evolving security.

 

2. MDE (Microsoft Defender for Endpoint)

Microsoft Defender for Endpoint delivers detections and alerts for endpoints. The following alerts could indicate Follina exploitation.

  • Suspicious behavior by Msdt.exe
  • Suspicious behavior by an Office application

You can also enhance your protection by enabling the attack surface reduction rule “Block all Office applications from creating child processes”, which prevents any MS Office application from spawning child processes.

 

3. MDO (Microsoft Defender for Office 365)

MDO, Microsoft’s defense tool for Office 365, can also detect and protect you from Follina exploitation in email attachments and URLs. The relevant detections include:

  • Trojan_DOCX_OLEAnomaly_AC
  • Trojan_DOCX_OLEAnomaly_AD
  • Trojan_DOCX_OLEAnomaly_AE
  • Trojan_DOCX_OLEAnomaly_AF
  • Exploit_UIA_CVE_2022_30190
  • Exploit_CVE_2022_30190_ShellExec
  • Exploit_HTML_CVE_2022_30190_A
  • Exploit_Win32_CVE_2022_30190_B

You can read the complete MSRC security post on the Follina vulnerability here.

 

No Follina Patch As of Yet

You should note that the above steps currently provide the best defense against the Follina vulnerability but do not fix the vulnerability itself.

Zero-day attacks are so termed because they give the affected organization, in this case Microsoft, little time to respond: cybercriminals and threat actors start exploiting the vulnerability before the organization even has a chance to look into it.

The Follina vulnerability is no different. It gives threat actors access to your systems, letting them elevate their privileges, access system files, or download malware. Exploiting Follina, cybercriminals can easily lock you out of your systems, which is why taking all the necessary steps is of paramount importance and should be your highest priority. Until Microsoft releases a proper and permanent security patch, you should disable the MSDT URL protocol and use Microsoft Defender.

 

Final Words

The Follina vulnerability has shown how zero-day attacks pose unforeseen threats, even to tech giants known worldwide. There is an ever-growing demand for cybersecurity professionals and up-to-date tools to keep up with the rising threat of cybercrime. That being said, Microsoft has withstood various attacks in the past and will release a permanent patch for Follina soon. In the meantime, you can keep yourself safe by following the above recommendations and enabling the Microsoft Defender tools on your devices.