Workarounds for Microsoft Office Zero-Day RCE Vulnerability “Follina” has Released

The Follina zero-day vulnerability in Microsoft Office allows threat actors to perform remote code execution. Cybersecurity researchers discovered the vulnerability when the Word document “05-2022-0438.doc” was uploaded to VirusTotal from an IP address in Belarus.

Independent researcher nao_sec discovered Follina on May 27.

Microsoft Windows Support Diagnostic Tool (MSDT) RCE vulnerability with code CVE-2022-30190 is risky with a CVSS score of 7.8.

PoC on GitHub

According to Kevin Beaumont, who named the vulnerability “Follina” because “0438” at the end of the malicious Word file is the area code for the municipality of Follina in Treviso, Italy, the Word document uses the remote template feature to retrieve an HTML file from a remote server. It uses the ms-msdt MSProtocol URI scheme to load some code and execute PowerShell.

Beaumont says the vulnerability goes back more than a month. Underlining that the Word file named “interview invitation” targeting a user in Russia under the name of Sputnik Radio was uploaded to VirusTotal, the researcher states that this document directly exploits the Follina vulnerability.

In Microsoft’s statement, threat actors who exploit the vulnerability gain opportunities such as RCE, installing random programs, being able to view, modify or delete data, and creating new accounts.

The PoC on the actively exploited Follina zero-day vulnerability has also been published. You can find the relevant repository on GitHub here.

Microsoft Releases Workarounds for Follina Vulnerability

Microsoft has released additional guidance to mitigate the vulnerability affecting Office 2013, 2016, 2019, 2021, and Professional Plus versions. Customers are strongly encouraged to follow the precautions suggested in this guide.

Additionally, customers can implement Microsoft Attack Surface Reduction measures.

Cybersecurity researcher Florian Roth and his team also created YARA rules to detect some documents exploiting the Follina vulnerability and shared it on Roth’s Twitter account.