(Update 6/16/2022) Patch Available for Windows Zero-Day Vulnerability (“Follina”) – Exploitation Still On-Going

Created: Thursday, June 16, 2022 - 11:35
Categories: Cybersecurity, Security Preparedness

Microsoft has released a security update for this vulnerability. Because exploitation remains active, system administrators are highly encouraged to apply the update and to continue tracking new information regarding the zero-day Microsoft vulnerability (CVE-2022-30190), dubbed Follina, that was disclosed over the Memorial Day weekend.


June 9, 2022

Because exploitation remains active and no patch is yet available, system administrators are highly encouraged to apply the recommended workarounds and to continue tracking new information regarding the zero-day Microsoft vulnerability (CVE-2022-30190), dubbed Follina, that was disclosed over the Memorial Day weekend.

  • At this time, Microsoft has still not released an official patch/security update and any intent to do so remains unclear. Microsoft’s current recommended compensating control to protect against exploitation until an update is available involves disabling the MSDT (Microsoft Support Diagnostic Tool) URL protocol, but this should be addressed carefully due to the potential for system problems resulting from registry changes.
  • Follina reportedly affects Office 2013, 2016, 2019, 2021, Office ProPlus, and Office 365.
  • Follina exploitation has been observed in Qakbot/Qbot malware campaigns that spread through phishing. According to Proofpoint, the actor (tracked as TA570) has been observed using thread-hijacked messages with HTML attachments that download a zip archive when opened. The zip archive contains the Qakbot execution and infection chain. Qakbot is also known to be associated with multiple ransomware groups, although no ransomware deployment has been observed at this time.
  • (Previously reported, but a reminder) There are multiple observations of exploitation occurring, including in phishing attacks against at least two U.S. local government entities. According to reports, to lure employees, the attackers used salary increase promises as the subject.

Visit The Record for more.

Additional resources:


June 7, 2022

System administrators are encouraged to keep track of new information regarding the zero-day Microsoft vulnerability (CVE-2022-30190), dubbed Follina, that was disclosed in late May.

  • At this time, Microsoft has not released an official patch/security update and any intent to do so is unclear. Microsoft’s current recommended compensating control to protect against exploitation until an update is available involves disabling the MSDT (Microsoft Support Diagnostic Tool) URL protocol.
  • There are multiple observations of exploitation occurring, including in phishing attacks against at least two U.S. local government entities. According to reports, to lure employees, the attackers used salary increase promises.

For more information, visit HelpNetSecurity, ArsTechnica, and BleepingComputer.


May 31, 2022

What you need to know. Yesterday, Microsoft issued an advisory for a zero-day remote code execution (RCE) vulnerability impacting Microsoft Office. The vulnerability, tracked as CVE-2022-30190 and dubbed “Follina,” is trivial to exploit and reportedly affects every supported version of Microsoft Windows. As the term “zero-day” indicates, there is no patch available (at the time of this publishing). As is typical with an RCE, an attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs; view, change, or delete data; or create new accounts in the context allowed by the user’s rights.

What you should do. To protect against this trivial-to-exploit threat, members are strongly encouraged to remind end users of the high risk of opening attachments. Specifically, advise users that there is a newly discovered vulnerability in Microsoft Word (and likely other Microsoft Office applications) that could install malware, and remind them to be extra vigilant about opening attachments. Users should also be made aware that this exploit can be triggered simply by a hover-preview after they have downloaded a specially crafted file, even if they never click to open it.

System administrators are advised to review available threat information and consider implementing appropriate workarounds until a patch is made available.

What is the vulnerability? CVE-2022-30190 is a remote code execution vulnerability that exists when MSDT (Microsoft Support Diagnostic Tool) is called using the URL protocol from a calling application such as Word. Detonating the malicious code is as simple as opening a specially crafted Word document, even in preview mode. An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. While Microsoft states that Protected View or Application Guard for Office would both prevent the current attack, multiple researchers have noted that converting the document to a .rtf file allows the exploit to trigger by merely hovering over the file in the Preview Pane in Windows Explorer, which does not invoke Protected View.

Is there a patch? No, not at the time of this publishing. Microsoft’s advisory includes guidance for a workaround until a patch is available.

Is there a workaround? Yes. Until a patch is made available, Microsoft issued guidance on disabling the MSDT URL Protocol as a temporary mitigation.
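The workaround referred to here and in the June 9 update (disabling the MSDT URL protocol, with the caveat that registry changes can cause system problems) comes down to removing the protocol handler's registry key. The script below is an added example, not from this advisory or from Microsoft; it assumes Microsoft's published guidance that the handler is registered under HKEY_CLASSES_ROOT\ms-msdt, and it backs the key up before removing it so the change can be reverted once the June 2022 update is installed. The backup directory is a constructed placeholder.

```powershell
# Added example: back up, disable, and verify the ms-msdt URL protocol handler.
# Assumption (Microsoft's published workaround, not stated on this page): Office and
# Explorer invoke msdt.exe through the handler registered at HKEY_CLASSES_ROOT\ms-msdt.
# Run from an elevated PowerShell session.
#Requires -RunAsAdministrator

$KeyPath   = 'Registry::HKEY_CLASSES_ROOT\ms-msdt'
$BackupDir = 'C:\Backup'            # constructed placeholder; use a location with restricted ACLs
$Backup    = Join-Path $BackupDir 'ms-msdt.reg'

function Test-MsdtProtocolEnabled {
    # $true while the handler key exists, i.e. the workaround has NOT been applied.
    return Test-Path -LiteralPath $KeyPath
}

function Disable-MsdtProtocol {
    if (-not (Test-MsdtProtocolEnabled)) {
        Write-Host 'ms-msdt protocol handler already absent; nothing to do.'
        return
    }
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    # Export first: a failed backup aborts the change, so the key is never lost.
    reg.exe export 'HKEY_CLASSES_ROOT\ms-msdt' $Backup /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'Registry backup failed; aborting before making changes.' }
    Remove-Item -LiteralPath $KeyPath -Recurse -Force
    Write-Host "ms-msdt protocol handler removed; backup written to $Backup"
}

function Restore-MsdtProtocol {
    # Re-register the handler from the backup after the security update is installed.
    if (-not (Test-Path -LiteralPath $Backup)) { throw "No backup found at $Backup" }
    reg.exe import $Backup | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'Registry import failed; handler not restored.' }
    Write-Host 'ms-msdt protocol handler restored.'
}

Disable-MsdtProtocol
if (Test-MsdtProtocolEnabled) {
    Write-Warning 'Handler still present; workaround not applied.'
} else {
    Write-Host 'Verified: ms-msdt URL protocol is disabled.'
}
```

Test-MsdtProtocolEnabled can also be run on its own across a fleet to confirm which hosts still have the handler registered.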

Is this being actively exploited? There is publicly available proof-of-concept exploit code. Exploitation is anticipated in the coming days through email-based attachments.

Access a high-level overview of "Follina" at HelpNetSecurity.

Resources: