I just met a vuln named Follina

May 31, 2022
Justin Hall
Director Security Services

Happy summer, everyone! To celebrate, there’s a new Microsoft Windows zero-day vulnerability, currently classified by NVD as CVE-2022-30190, and nicknamed by the community as Follina. It exploits a flaw in the Microsoft Support Diagnostic Tool (MSDT) that uses the tool’s special protocol handler configuration to retrieve and execute arbitrary code from a remote system.

As a reminder to the newer folks on the scene, a vulnerability is classified as a “zero day” if the creator of the vulnerable product becomes aware of the vulnerability’s existence when an exploit for the vulnerability is made public.

Those are fun because it means:

  • The vendor has to hustle to understand the vulnerability and develop both workarounds and a patch.
  • There’s a chance this vulnerability has been in use by attackers for a while, but none of our security controls were able to detect it. It’s like finding a spy cam in your house—how long has it been there? Who put it there? How’d they get in? It’s really unsettling!

We’ve talked about this before—what happens when you’ve got a vulnerability in your systems, but no patch? How does your vulnerability management program handle it? In this case, the attack observed by researchers is triggered by a malicious Office document, which executes the MSDT call to grab the attacker’s code and run it. This is problematic—like most businesses, our organization tosses around Office documents like monkeys toss around bananas (that’s apocryphal; I have no idea if monkeys wantonly toss around bananas).

How do you solve a problem like Follina?

If there’s no patch currently, organizations are vulnerable by default, at least until the anti-malware controls deployed at the network and endpoint layers are updated to detect the exploit. Our first recommendation is to contact your security vendors and ask if they have rolled out, or are planning to roll out, detection or prevention for this attack. Mention Follina or CVE-2022-30190.

So, while we’re waiting for those updates, we still have to operate our business. It’s helpful to consider a workaround. Microsoft has released a bulletin describing a workaround for Follina that can be deployed to disable the MSDT protocol handler. To use this workaround, your organization needs to be able to implement configuration changes on your assets across the entire enterprise. Many companies depend on Group Policy Objects to do this, but that approach is often difficult if you have a remote workforce that isn’t checking in with your Active Directory daily.

Our second recommendation, therefore, is to use a mobile device management solution that can remotely control, implement configuration changes, and install software and updates to your fleet of workstations and mobile devices no matter where they are. There’s a larger problem here, though, that goes beyond this vulnerability. Attackers deliver malicious files to our users all the time—as e-mail attachments, or from malicious websites, or through social networks. What if we can’t tell at a glance if a document is benign or malicious? How can our organization defend against dangerous documents when receiving documents from third parties is a normal, everyday part of our business processes?

Something’s coming: treat it like a threat

Our third recommendation is to assume every document is dangerous. Each one needs to be evaluated before we can allow a user to interact with it—especially if the document originated from outside our organization.

Reputational and behavioral detection can often locate malicious files even if a signature doesn’t exist yet, and can be implemented everywhere these documents enter your environment—from the web, e-mail, or physical media. That means that these controls need to be enforced wherever your users sit, including remote locations that may be outside the on-premises network of your LAN.

You may also consider controls that can sanitize potentially dangerous documents as they flow to the end-user, or provide isolation features that protect the user’s workstation during e-mail and web browsing.

Finally, blocking the download of specific file types—through e-mail and web traffic—that are considered risky is a common tactic. Stripping Office documents from e-mails that originate from the Internet might be a controversial move but could be implemented temporarily during “times of crisis”, i.e., when a vulnerability like this is being exploited in the wild but no patch is available. And if there are certain file types you know you’ll never need to receive—RTF documents, XLSM sheets, etc.—those can be blocked without much impact.

So, as always, keep an eye on the bulletin from Microsoft for a patch to test and roll out to your population; keep an eye on your defenses, to look for suspicious activity; and keep an ear to the community, in case new vulnerabilities or methods of exploitation are discovered. Need help with your cyber defense? Contact the CBTS cybersecurity team today.

Subscribe to our blog