[0-day][Officially fixed] Microsoft Windows MSDT URI Handler Vulnerability aka "Follina" / CVE-2022-30190
A 0-day in Microsoft Office / 365 Apps has been reported on Twitter and news sites.
The vulnerability and attack has been analysed and verified, it has been dubbed "Follina".
The problem lies in the handling of MSDT URI's, MSDT is a diagnostics tool.
There is currently no official solution to this vulnerability.
Users should be cautious when opening Office documents and if possible, avoid opening documents from untrusted sources.
It has been reported that deleting the MS-MSDT URI handler will prevent exploitation of this vulnerability.
Before deleting the URI handler, you can make a backup of the registry data like this:
reg export HKEY_CLASSES_ROOT\ms-msdt ms-msdt-backup.reg
And delete the URI handler like this:
reg delete HKEY_CLASSES_ROOT\ms-msdt /f
(/f forces deletion of the entry in case you want to script this, else you'll be prompted to delete it)
And to restore it, simply do:
reg import ms-msdt-backup.reg
You can find more details about the attack and vulnerability in this report:
Other interesting sources:
(30th May 2022: Updated with an extra link to Twitter and an article by Kevin Beaumont)
Microsoft has officially responded to the MSDT 0-day and confirmed it:
It has been assigned CVE-2022-30190.
It seems clear that Microsoft's stance is that this isn't an Office / 365 Apps issue, but rather a Windows vulnerability.
This doesn't change the fact, that Office and MS 365 Apps is the current known vector.
Microsoft also recommends disabling the MSDT URI handler:
Disabling this URI handler should be safe, it is rarely used. But as always, keep a backup, in case you have some third-party software that relies on this.
We will review this and may change the affected products later, but this may not happen until Microsoft releases an official fix.
Microsoft has issued official fixes for the 0-day CVE-2022-30190 / Follina:
As expected, Microsoft has classified it as a Windows vulnerability.
You can see affected systems here:
Note that it requires a recent inspection, hosts that haven't inspected since 14-06-2022 20:00 CET will not report the missing KB update.