
Locked CVE-2022-30190 aka Follina


theadepti


How attackers exploit the CVE-2022-30190 vulnerability

 

As an example of an attack, the researchers who discovered it describe the following scenario: Attackers create a malicious MS Office document and somehow deliver it to the victim. The most common way to do this is via an email with a malicious attachment, embellished with some classic social engineering trick to convince the recipient to open the file. Something like: “Urgently review the contract, it will be signed tomorrow morning” usually works.

 

 The infected file contains a link to an HTML file containing JavaScript code that executes malicious code on the command line via MSDT. When the exploit is successful, the attackers gain control to install programs, view, modify or destroy data, as well as create new accounts - that is, do everything that the victim's privileges on the system allow.

 

How to protect yourself

 

Wait for the patch. In the meantime, Microsoft recommends disabling the MSDT URL protocol. To do this, you must run a command line with administrator rights and run the command

This is the hidden content, please

Before doing this, it is recommended to back up the registry by running

This is the hidden content, please

This way, you can quickly restore the registry with the

This is the hidden content, please

command when this solution is no longer needed. However, this is only a temporary fix and as soon as it is available, you will need to install the update that closes the Follina vulnerability.

 

Detecting the Follina Exploit 

 

Mitigation 

Is there an update available to address this vulnerability?

  • Yes, the updates are available. Microsoft recommends installing the June updates as soon as possible.

This is the hidden content, please
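For the detection side, the post describes an Office document that ends up running code via MSDT, so one defensive check is to flag any `msdt.exe` process that descends from an Office application. The sketch below is an added example, not part of the original post; the event field names, the list of Office host processes and the sample records are assumptions constructed for illustration, and PID reuse is ignored.

```python
import ntpath

# Office host processes treated as suspicious ancestors of msdt.exe (assumed list).
OFFICE_HOSTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Constructed sample process-creation records (fields are hypothetical names).
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 4, "image": r"C:\Windows\explorer.exe"},
    {"pid": 200, "ppid": 100,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\msdt.exe"},
    # Troubleshooter started by the user from the shell: expected to be benign.
    {"pid": 400, "ppid": 100, "image": r"C:\Windows\System32\msdt.exe"},
    {"pid": 500, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe"},
    # msdt.exe reached through an intermediate process under Office.
    {"pid": 600, "ppid": 500, "image": r"C:\Windows\System32\msdt.exe"},
]

def exe_name(path):
    """Lower-cased file name of a Windows path, independent of the host OS."""
    return ntpath.basename(path).lower()

def office_ancestor(event, by_pid):
    """Walk the parent chain; return the first Office ancestor or None."""
    seen = set()  # guards against loops in malformed data
    ppid = event["ppid"]
    while ppid in by_pid and ppid not in seen:
        seen.add(ppid)
        parent = by_pid[ppid]
        if exe_name(parent["image"]) in OFFICE_HOSTS:
            return parent
        ppid = parent["ppid"]
    return None

def find_suspicious_msdt(events):
    """Return (msdt_pid, office_exe, office_pid) for msdt.exe under Office."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        if exe_name(e["image"]) != "msdt.exe":
            continue
        anc = office_ancestor(e, by_pid)
        if anc is not None:
            alerts.append((e["pid"], exe_name(anc["image"]), anc["pid"]))
    return alerts

if __name__ == "__main__":
    for pid, host, host_pid in find_suspicious_msdt(SAMPLE_EVENTS):
        print(f"ALERT msdt.exe pid={pid} descends from {host} pid={host_pid}")
```

In practice the records would come from process-creation telemetry on the endpoint rather than an inline list.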

This topic is now closed to further replies.