Follina: Attacks via Office Files
Known as Follina, the CVE-2022-30190 vulnerability is currently one of the most serious vulnerabilities for Office files.

The CVE-2022-30190 vulnerability, known as Follina, is currently one of the most serious security vulnerabilities. It enables attackers to exploit the Windows Support Diagnostics Tool directly through Microsoft Office. The fact that this bug has not yet been patched makes the vulnerability particularly alarming: Office is a widely used application, making it an attractive target for cybercriminals.
What Is the Follina Vulnerability aka CVE-2022-30190?
The CVE-2022-30190 vulnerability resides in the Microsoft Windows Support Diagnostics Tool (MSDT). While this may seem negligible at first glance, it provides cybercriminals with an active attack vector. The reason lies in the tool's implementation, which can be exploited through manipulated Microsoft Office files. This affects not only classic MS Word documents but also other file types.
How Does the Attack via Office Files Work?
A typical attack using Microsoft software works as follows: The attacker creates a malicious document by embedding harmful code in a Microsoft Office file. This file is then sent to potential victims, most commonly as an email attachment. Targeted social engineering often precedes the attack to ensure the email content is compelling enough that you open the attachment.
If you fail to recognize the message as malware, you open a file containing malicious code. This could be a link to an HTML file or JavaScript code, which in turn executes via MSDT.
The result: Attackers can install programs as part of their exploit, or they can view, modify, and destroy data.
Attacks via CVE-2022-30190 Are Widespread
Office products were in use long before the cloud transformation: for many people, they are an integral part of daily (work) life. This makes the zero-day vulnerability all the more dangerous, as it offers cybercriminals enormous attack potential. Some attackers simply want to cause disruption, while others systematically steal credentials and information to sell on.
What makes Follina particularly dangerous is how easy it is to exploit. This makes it an ideal vehicle for spreading malware and exfiltrating data.
As a user, you only need to download the manipulated Microsoft Office document, not even open it. Simply previewing it in Windows Explorer is enough to activate the malicious code. This makes it critical to recognize suspicious emails early and take immediate security measures. Regular penetration testing for SMBs also helps you stay on top of your IT security posture.
These Microsoft Products Are Affected by Follina
The value of a well-designed security concept was known long before Follina. The Log4j zero-day vulnerability and PrintNightmare already caused significant concern. Now CVE-2022-30190 further underscores that reliable incident response management is essential in any organization, given the vast number of Microsoft Office users.
Unfortunately, the hope that the vulnerability would only affect certain versions of Microsoft products did not materialize. Since the attack targets MSDT, it can be exploited on all commonly used Windows operating systems. These include:
- All Microsoft Windows versions from version 7 onwards
- All server versions from Windows Server 2008 onwards
- All Microsoft Office applications
The absence of a clear limitation to specific products demonstrates just how critical the vulnerability is. It offers enormous potential for cyberattacks, which becomes even more severe in the context of cloud transformation. Nevertheless, classic Word files remain the primary attack vector.
BSI and Microsoft Increase Their Risk Assessment
While Microsoft still classified the vulnerability as "not security relevant" on April 12, 2022, the situation has since changed significantly. The Microsoft Security Response Center now rates it 7.8 out of 10. This severity upgrade was accompanied by Microsoft announcing work on a security update.
The BSI (German Federal Office for Information Security) also recognized the danger and declared warning level 3 on May 31, 2022. This is the second-highest level, signifying a business-critical IT threat with massive disruptions to regular operations.
What Has Microsoft Done So Far?
Microsoft has since acknowledged the danger posed by the vulnerability. However, no date for a security update has been set. In the meantime, Microsoft and the BSI recommend temporarily disabling the MSDT URL protocol handlers.
What Makes the Follina Vulnerability So Treacherous
The particularly treacherous aspect of this vulnerability is the direct invocation of MSDT. Using specific parameters, attackers can remotely load and execute code through the URI handler. As noted above, you do not even need to open the Word file for this to occur.
Documents Cause Damage Even When Unopened
One of the greatest dangers of this vulnerability is that even unopened files can cause damage. This applies not only to Word formats but also to RTF documents. Both can be loaded with malicious code by cybercriminals. Opening the file is not required to execute the payload; simply previewing it in Explorer is sufficient.
For network drive users, this poses an additional risk: as soon as someone stores the document in a shared folder and another user opens that folder, everyone with preview enabled is affected.
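Because the attack always ends in MSDT being started, process-creation logs are a practical place to look for it. The following is an added example, not part of the original article: it filters process-creation records for msdt.exe started by an Office application or started with an ms-msdt: URL on its command line. The records are constructed samples that use Sysmon Event ID 1 field names, and the list of Office executables is illustrative.

```powershell
# Constructed sample records; field names follow Sysmon Event ID 1 (process creation).
$Sample = @(
    [pscustomobject]@{ Computer = 'ws-01'; Image = 'C:\Windows\System32\msdt.exe'
        ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
        CommandLine = 'msdt.exe ms-msdt:[arguments elided]' }
    [pscustomobject]@{ Computer = 'ws-02'; Image = 'C:\Windows\System32\msdt.exe'
        ParentImage = 'C:\Example\other.exe'   # non-Office parent, e.g. a preview path
        CommandLine = 'msdt.exe ms-msdt:[arguments elided]' }
    [pscustomobject]@{ Computer = 'ws-03'; Image = 'C:\Windows\System32\msdt.exe'
        ParentImage = 'C:\Windows\System32\cmd.exe'
        CommandLine = 'msdt.exe' }             # started by hand, no URL: not flagged
    [pscustomobject]@{ Computer = 'ws-04'; Image = 'C:\Windows\System32\splwow64.exe'
        ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
        CommandLine = 'splwow64.exe' }         # Office child that is not msdt.exe
)

# Illustrative list of Office executables; extend it to match your environment.
$OfficeParents = 'winword.exe', 'excel.exe', 'powerpnt.exe', 'outlook.exe'

function Find-SuspiciousMsdt {
    param([Parameter(ValueFromPipeline)] $Record)
    process {
        # Only msdt.exe launches are of interest (-ne is case-insensitive).
        if ((Split-Path -Leaf $Record.Image) -ne 'msdt.exe') { return }

        $reasons = @()
        $parent  = (Split-Path -Leaf $Record.ParentImage).ToLower()
        if ($OfficeParents -contains $parent) { $reasons += "Office parent ($parent)" }
        if ($Record.CommandLine -match 'ms-msdt:') { $reasons += 'ms-msdt: URL on command line' }

        if ($reasons) {
            [pscustomobject]@{
                Computer = $Record.Computer
                Parent   = $parent
                Reasons  = $reasons -join '; '
            }
        }
    }
}

# Flags ws-01 (both reasons) and ws-02 (URL only); ws-03 and ws-04 pass.
$Sample | Find-SuspiciousMsdt | Format-Table -AutoSize
```

The command-line rule matters for the preview and network-share cases described above, where the parent process is not an Office application.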
Previous Solutions from Microsoft Are Not Sufficient
Unfortunately, Microsoft has not yet released a fix for the CVE-2022-30190 vulnerability. The only available resource is a Guidance Support document explaining how to mitigate the issue. The Follina vulnerability, known since April, therefore remains an open risk for countless organizations.
How Companies Can Protect Themselves Against Follina
Microsoft's official remediation efforts provide hope that a permanent patch will be available soon. Until then, it is essential to keep potential security risks in check through a robust security concept and regular pentests. One of the most important countermeasures at present is to sever the connection between the MSDT.EXE utility and ms-msdt: URLs.
Microsoft recommends disabling the MSDT URL protocol. This requires administrator privileges. The command is:
reg delete HKEY_CLASSES_ROOT\ms-msdt
Before executing it, back up the registry so you can restore the original state once the workaround is no longer needed.
Also important: Exercise even greater caution than usual with email attachments, especially when they contain Microsoft documents. Regardless of current vulnerabilities, regular static code analysis as a software testing practice is an important step toward improving your overall IT security.
Conclusion: Still Waiting for a Permanent Patch
A permanent patch for the Follina vulnerability is not yet in sight. Since the vulnerability was disclosed as early as March and April 2022, the absence of a patch is cause for concern. Once one becomes available, you should apply it immediately.
Yet even this outlook is not enough: most organizations will sooner or later face an attack they must manage. In such emergencies, having a functioning incident response management system in place is essential.
A solid security concept, regular penetration testing for SMEs, and static code analysis all help mitigate the risks. After all, vulnerabilities like Log4j, PrintNightmare, and Follina can resurface at any time.
Thorough preparation for such incidents is therefore indispensable. Expert-led training in particular prepares you and your team, showing you what matters most when an emergency arises.