Attackers are leveraging Follina. What can you do?

As the world is waiting for Microsoft to push out a patch for CVE-2022-30190, aka “Follina”, attackers around the world are exploiting the vulnerability in a variety of campaigns.

A complex vulnerability

Microsoft has described CVE-2022-30190 as a Microsoft Windows Support Diagnostic Tool (MSDT) remote code execution vulnerability, confirmed it affects an overwhelming majority of Windows and Windows Server versions, and advised on a workaround to be implemented until a patch is ready.

Vulnerability analysts and security researchers have shared their own view of the complexity of the issue(s) behind that one CVE:

The wider security community has been poking at the flaw and creating proof-of-concept exploits for it, as well as converting MSDT exploits so they can be used with other protocol handlers for a different kind of attack.

Attacks in the wild

After the attacks spotted in April and May, which revealed the existence of the flaw and its active exploitation to the wider security community, reports soon started trickling in about other campaigns leveraging it across the globe:

What can defenders do until patches are released?

We have already mentioned Microsoft’s advice, which involves disabling the MSDT URL protocol.
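
One way to apply that workaround on a single machine, as an added example (not code from this article or from Microsoft): the script checks whether the handler is registered, exports it to a backup file, deletes it and verifies the result. It assumes the handler lives under HKEY_CLASSES_ROOT\ms-msdt, the key named in Microsoft's published workaround rather than on this page; the backup directory is a hypothetical choice.

```powershell
#Requires -RunAsAdministrator
# Added example: back up and remove the MSDT URL protocol handler.
[CmdletBinding(SupportsShouldProcess)]
param(
    # Hypothetical backup location; pick one that suits your environment.
    [string]$BackupDir = (Join-Path $env:ProgramData 'msdt-handler-backup')
)

# Assumption: key name taken from Microsoft's published workaround.
$regPath = 'HKEY_CLASSES_ROOT\ms-msdt'
$psPath  = "Registry::$regPath"

if (-not (Test-Path -LiteralPath $psPath)) {
    Write-Output 'ms-msdt URL protocol handler is not registered; nothing to disable.'
    return
}

# Record what the handler launches (usual shell\open\command layout for URL protocols).
$cmdKey = "$psPath\shell\open\command"
if (Test-Path -LiteralPath $cmdKey) {
    $handler = (Get-Item -LiteralPath $cmdKey).GetValue('')
    Write-Output "Current handler command: $handler"
}

# Export the key first so it can be restored once a patch is installed.
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$backup = Join-Path $BackupDir ("ms-msdt-{0}-{1}.reg" -f $env:COMPUTERNAME, $stamp)
& reg.exe export $regPath $backup /y | Out-Null
if ($LASTEXITCODE -ne 0 -or -not (Test-Path -LiteralPath $backup)) {
    throw "Backup of $regPath failed; handler left in place."
}

# Delete only after a verified backup; -WhatIf previews the change.
if ($PSCmdlet.ShouldProcess($regPath, 'Delete URL protocol handler')) {
    Remove-Item -LiteralPath $psPath -Recurse -Force
    if (Test-Path -LiteralPath $psPath) {
        throw "$regPath is still present after deletion."
    }
    Write-Output "Handler removed. Restore after patching with: reg import `"$backup`""
}
```

Running it with -WhatIf still writes the backup file but leaves the handler untouched.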

ACROS Security has released free micropatches for various editions of Windows and Windows Server, to be used via their 0patch agent.

SANS Senior Instructor Jake Williams recently gave plain answers to a number of questions regarding Follina, possible mitigations, and how to detect exploitation attempts.

Security companies have been adding signatures and rules for detecting malicious documents exploiting CVE-2022-30190, as well as providing general advice.
