The Follina remote code execution (RCE attacks) vulnerability in the Microsoft Support Diagnostic Tool (MSDT) was first widely publicized on May 27, 2022. The exploit code for this vulnerability involved a remote attacker using a Microsoft Office document to execute arbitrary code via the MSDT executable.
On May 30, 2022, Microsoft issued an advisory to CVE-2022-30190 for almost all versions of Windows OS going as far back as Windows 7 with the guidance that users should disable MSDT. Microsoft patched this vulnerability in its June 2022 patches.
Even though this vulnerability is described as an RCE, the CVSS Attack Vector is tagged as “Local”. This could be confusing but since the attack was triggered by a remote attacker, hence the RCE designation. To be super precise, this attack is better labeled as an “Arbitrary” Code Execution attack instead of a “Remote” Code Execution attack.
The vulnerability in the MSDT involved an attacker dispatching a malicious link to a Microsoft Office document to an intended victim. Upon download of the maliciously crafted document, additional content from an arbitrary remote server specified in the maliciously constructed document is also downloaded. If the size of the downloaded content were large enough, it would cause a buffer overflow, allowing a payload of PowerShell code to be executed by the afore-mentioned MSDT with no notification to the user.
Microsoft Windows 10 and Windows Server 2019 provide a registry-based means to disable the ms-msdt protocol that triggers the MSDT vulnerability. Microsoft also issued a series of threat feeds for its Defender Suite consisting of Defender Antivirus, EDR, Server & Office 365 products.
Given the long history of this vulnerability, this must have been a gift to adversaries, though we only hear it to have been active since March 2022 in the Philippines, Russia, and India.
How Virsec Protects Against the Follina Exploit
Virsec’s solution has been demonstrated to protect against Follina by detecting and stopping MS Word from spawning any unexpected processes and along several steps of the attack chain.
Below is a series of graphics illustrating the attack kill chain during the process of stopping Follina CVE:
Virsec protects the exploit, reports it, and stops MS Word from spawning any processes that are not intended.
Virsec protects victims in later stages if the attacker tries to run a command or malware on the machine.