Published: 31/05/22
This was first picked up by security researcher Kevin Beaumont and has been named Follina. It has been assigned CVE-2022-30190, and Microsoft has published an advisory and a blog post.
A document can embed content hosted on the internet, which these days is fairly normal.
In the case of a malicious file, that content is downloaded and in turn references further active content. Instead of pointing at an http: or https: link, it references a link starting with ms-msdt:
In Windows, "ms-msdt:" is a URL scheme with an automatically associated handler that opens MSDT, the Microsoft Support Diagnostic Tool. Whatever command is passed in the ms-msdt: URL is then executed by the Support Diagnostic Tool, effectively running untrusted code.
The potential impact is somewhat limited, because the malicious code only ever runs at the privilege level of the currently logged-in user. As I'm sure you follow best practice and use dedicated accounts for administrative functions, your local user should be fairly contained.
This is where this particular vulnerability is a little nastier. Because it does not rely on macros, opening any document that contains the malicious content is enough to cause the code to execute. If you use the Windows File Explorer Preview Pane, you don't even need to open the file; simply previewing it is enough.
The quickest and simplest workaround is to disable/unregister the ms-msdt: URL protocol handler in Windows. This can be done locally via Regedit, and managed centrally through GPO or other tools such as Intune.
To complete this locally, open a Command Prompt as an Administrator and run the following command to remove the protocol handler:
reg delete HKEY_CLASSES_ROOT\ms-msdt /f
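The workaround above as an added example (not code from SEP2 or Microsoft): a PowerShell script that checks it is running elevated, exports the ms-msdt handler key to a backup file before removing it so the change can be reverted with reg import, and then verifies the key is gone. The backup path is a placeholder.

```powershell
# Added example: back up, remove and verify the ms-msdt: protocol handler
# (the CVE-2022-30190 workaround). Not SEP2's or Microsoft's own script.
# Assumption: C:\Backup is a placeholder backup folder; change as needed.
# Run from an elevated PowerShell session.

$KeyPath    = 'Registry::HKEY_CLASSES_ROOT\ms-msdt'
$BackupFile = 'C:\Backup\ms-msdt-handler.reg'   # placeholder path

# The key lives under HKEY_CLASSES_ROOT; removing it requires elevation.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]$identity
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated (Administrator) PowerShell session.'
}

if (-not (Test-Path -Path $KeyPath)) {
    Write-Output 'ms-msdt: handler is not registered; nothing to do.'
    return
}

# Record the current handler command so the change is reviewable later.
$handler = Get-ItemProperty -Path "$KeyPath\shell\open\command" -ErrorAction SilentlyContinue
if ($handler) { Write-Output "Current handler: $($handler.'(default)')" }

# Export the key before deleting it; revert later with:
#   reg import C:\Backup\ms-msdt-handler.reg
New-Item -ItemType Directory -Path (Split-Path $BackupFile) -Force | Out-Null
reg.exe export 'HKEY_CLASSES_ROOT\ms-msdt' $BackupFile /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Backup of $KeyPath failed; not deleting." }
Write-Output "Backed up handler to $BackupFile"

# Same effect as: reg delete HKEY_CLASSES_ROOT\ms-msdt /f
Remove-Item -Path $KeyPath -Recurse -Force

# Verify the handler is really gone.
if (Test-Path -Path $KeyPath) {
    throw 'ms-msdt: handler still present after removal.'
}
Write-Output 'ms-msdt: protocol handler removed.'
```

Re-run the script after any Windows or Office update that might re-register the handler; it is safe to run repeatedly, as it exits early when the key is already absent.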
If you need any assistance in understanding the impact or the steps to complete the workaround/mitigation, please get in touch and one of our experts will be able to help you.