Published: 31/05/22
This was first picked up by security researcher Kevin Beaumont and has been named Follina. It has a CVE-2022-30190, and Microsoft have published an advisory and a blog.
A file can be embedded with some internet hosted content, which these days is fairly normal.
In the case of a malicious file, the content is downloaded and then in turn accesses more active content. Instead of trying to access an http: or https: link, it references a link starting with ms-msdt:
In Windows, “ms-msdt:” is a URL type that has an automatically associated handler to open the MSDT software toolkit. MSDT is the Microsoft Support Diagnostics Tool. Whatever command is sent to the ms-msdt: URL is then executed within the Support Diagnostic Tool, effectively running untrusted code.
The potential impact of this is quite limited, as whatever malicious code is run only ever runs at the same privilege level as the currently logged-in user. As I’m sure you will be following best practice and using dedicated accounts for administrative functions, your local user should be fairly contained.
This is where this particular vulnerability is a little bit nastier. Because it doesn’t rely on macros to run, opening any document that contains this malicious code will cause the code to execute. If you use the Windows File Explorer Preview Pane, you don’t even need to open the file; simply previewing it is enough.
The quickest and simplest way to work around this is to disable/un-register the MSDT URL protocol handler within Windows. This can be done via Regedit locally, and managed through GPO or other tools such as Intune etc.
The simple process to complete this locally is to open a Command Prompt as an Administrator and run the following command to remove the protocol handling:
reg delete HKEY_CLASSES_ROOT\ms-msdt /f
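The same workaround as an added PowerShell example (not from the original post): it backs up the ms-msdt: handler key before removing it, so the handler can be restored once the patch is applied, and verifies the removal. The backup file location is an assumption; run it from an elevated PowerShell session.

```powershell
# Added example, not part of the original post: back up, remove and verify the
# ms-msdt: protocol handler key referenced above. Requires an elevated session.
$Key        = 'Registry::HKEY_CLASSES_ROOT\ms-msdt'
$BackupFile = "$env:ProgramData\ms-msdt-backup.reg"   # assumed backup location

function Test-MsdtHandlerPresent {
    # The ms-msdt: handler is registered whenever this key exists under HKCR.
    return (Test-Path -Path $Key)
}

function Disable-MsdtHandler {
    if (-not (Test-MsdtHandlerPresent)) {
        Write-Output 'ms-msdt: handler is not registered; nothing to do.'
        return
    }

    # Keep a copy of the key so it can be restored with "reg import" later.
    reg.exe export 'HKEY_CLASSES_ROOT\ms-msdt' $BackupFile /y | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "Backup to $BackupFile failed; handler left in place."
    }

    # Equivalent of: reg delete HKEY_CLASSES_ROOT\ms-msdt /f
    Remove-Item -Path $Key -Recurse -Force

    if (Test-MsdtHandlerPresent) {
        throw 'ms-msdt: key is still present after removal.'
    }
    Write-Output "ms-msdt: handler removed; backup saved to $BackupFile"
}

function Restore-MsdtHandler {
    # Re-register the handler from the backup once the system is patched.
    if (-not (Test-Path -Path $BackupFile)) {
        throw "No backup found at $BackupFile"
    }
    reg.exe import $BackupFile | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'Restore failed.' }
    Write-Output 'ms-msdt: handler restored.'
}

Disable-MsdtHandler
```

Call Restore-MsdtHandler instead of Disable-MsdtHandler when you are ready to put the handler back.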
If you need any assistance in understanding the impact or the steps to complete the workaround/mitigation, please get in touch and one of our experts will be able to help you.