Published: 31/05/22
This was first picked up by security researcher Kevin Beaumont and has been named Follina. It has been assigned CVE-2022-30190, and Microsoft have published an advisory and a blog.
A document can embed internet-hosted content, which these days is fairly normal.
In the case of a malicious file, that content is downloaded and in turn references more active content. Instead of pointing at an http: or https: link, it references a link starting with ms-msdt:
In Windows, “ms-msdt:” is a URL scheme with an automatically associated handler that opens the MSDT software toolkit. MSDT is the Microsoft Support Diagnostics Tool. Whatever command is passed in the ms-msdt: URL is then executed by the Support Diagnostic Tool, effectively running untrusted code.
The potential impact of this is somewhat limited, as whatever malicious code is run only ever executes at the privilege level of the currently logged-in user. As I’m sure you will be following best practice and using dedicated accounts for administrative functions, your local user should be fairly contained.
This is where this particular vulnerability is a little bit nastier. Because it doesn’t rely on macros to run, opening any document that contains this malicious code will cause the code to execute. If you use the Windows File Explorer Preview Pane, you don’t even need to open the file: simply previewing it is enough.
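The two things the post describes a malicious document doing, pulling in internet-hosted content and referencing the ms-msdt: scheme, can both be checked for offline. The following is an added example (not code from the original post or from Microsoft) that opens .docx files as the zip of XML parts they are and flags any relationship part with an external target and any part that mentions ms-msdt:. The quarantine folder path is an assumption; a .docx of your own choosing stands in for the realistic input.

```powershell
# Added example (not from the original post): triage .docx files for the two
# indicators described in the text, external (internet-hosted) content references
# and the ms-msdt: URL scheme. Folder path below is assumed.
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Get-DocxIndicators {
    param([Parameter(Mandatory)][string]$Path)   # path to a .docx file
    $findings = @()
    $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
    try {
        foreach ($entry in $zip.Entries) {
            # Only XML-based parts carry relationship targets or URLs.
            if ($entry.FullName -notmatch '\.(xml|rels)$') { continue }
            $reader = New-Object System.IO.StreamReader($entry.Open())
            try { $text = $reader.ReadToEnd() } finally { $reader.Dispose() }

            # Relationship parts mark remotely loaded content with TargetMode="External".
            if ($entry.FullName -match '\.rels$' -and $text -match 'TargetMode="External"') {
                $findings += [pscustomobject]@{ Part = $entry.FullName; Indicator = 'External relationship target' }
            }
            # Any reference to the MSDT handler scheme inside a document is worth an analyst's eyes.
            if ($text -match 'ms-msdt:') {
                $findings += [pscustomobject]@{ Part = $entry.FullName; Indicator = 'ms-msdt: URL scheme' }
            }
        }
    } finally { $zip.Dispose() }
    return $findings
}

# Usage: scan a folder of documents (assumed path) and list anything flagged for review.
Get-ChildItem -Path 'C:\Quarantine' -Filter *.docx -File |
    ForEach-Object {
        $hits = Get-DocxIndicators -Path $_.FullName
        if ($hits) { $hits | Add-Member -NotePropertyName File -NotePropertyValue $_.Name -PassThru }
    } | Format-Table File, Part, Indicator -AutoSize
```

Ordinary hyperlinks also use external relationship targets, so the first indicator on its own is a triage filter rather than a verdict; a document that trips the ms-msdt: check, or that loads external content it has no business loading, is the one to pull for analysis. Because the first-stage content is downloaded at open time, a document that only references a remote URL will not show the second indicator in the file itself; proxy and DNS logs cover that gap.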
The quickest and simplest way to work around this is to disable/un-register the ms-msdt: URL protocol handler within Windows. This can be done via Regedit locally, and managed centrally through GPO or other tools such as Intune.
The simple process to complete this locally is to open a Command Prompt as an Administrator and run the following command to remove the protocol handling:
reg delete HKEY_CLASSES_ROOT\ms-msdt /f
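For rolling the workaround out to more than one machine, it helps to wrap the command above so that it only acts when the handler is actually present, keeps a backup that lets you restore the key once a patch is in place, and confirms the key is gone afterwards. This is an added example (not code from the original post or from Microsoft); it assumes an elevated PowerShell session, and the backup location is an assumption.

```powershell
# Added example (not from the original post): check for, back up, and remove the
# ms-msdt: protocol handler registration, then verify it is gone.
# Assumes an elevated PowerShell session; $BackupPath is an assumed location.
$KeyPath    = 'Registry::HKEY_CLASSES_ROOT\ms-msdt'
$BackupPath = Join-Path $env:TEMP 'ms-msdt-backup.reg'   # assumed backup location

function Test-MsdtHandler {
    # Returns $true while the ms-msdt: URL protocol is still registered.
    Test-Path -LiteralPath $KeyPath
}

if (-not (Test-MsdtHandler)) {
    Write-Output 'ms-msdt: handler is not registered; nothing to do.'
    return
}

# Back up the key first so the handler can be restored later with "reg import".
& reg.exe export 'HKEY_CLASSES_ROOT\ms-msdt' $BackupPath /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Backup of ms-msdt key failed (exit $LASTEXITCODE)" }

# Remove the protocol handler; this is the same command as the workaround above.
& reg.exe delete 'HKEY_CLASSES_ROOT\ms-msdt' /f | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Deletion of ms-msdt key failed (exit $LASTEXITCODE)" }

# Verify the change actually took effect before reporting success.
if (Test-MsdtHandler) { throw 'ms-msdt: handler still present after deletion' }
Write-Output "ms-msdt: handler removed; backup saved to $BackupPath"
```

Test-MsdtHandler doubles as a compliance check: run on its own across the estate, it tells you which machines still have the handler registered. The backup matters because removing the key also disables the legitimate troubleshooter links that use ms-msdt:, so you will want to re-import it once the vendor fix is applied.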
If you need any assistance in understanding the impact or the steps to complete the workaround/mitigation, please get in touch and one of our experts will be able to help you.