Microsoft Patches Actively Exploited Follina Windows zero-day
Microsoft has released security updates with the June 2022 cumulative Windows Updates to address a critical Windows zero-day vulnerability known as Follina and actively exploited in ongoing attacks.
“Microsoft strongly recommends that customers install the updates to be fully protected from the vulnerability. Customers whose systems are configured to receive automatic updates do not need to take any further action,” Microsoft said in an update to the original advisory.
“Microsoft recommends installing the updates as soon as possible,” the company further urged customers in a post on the Microsoft Security Response Center.
Tracked as CVE-2022-30190, the security flaw is described by Redmond as a Microsoft Windows Support Diagnostic Tool (MSDT) remote code execution bug that affects all Windows versions still receiving security updates (i.e., Windows 7+ and Server 2008+).
Attackers who successfully exploit this zero-day can execute arbitrary code with the privileges of the calling app to install programs, view, change, or delete data, and even create new Windows accounts as allowed by the compromised user’s rights.
As security researcher nao_sec found, Follina exploits allow threat actors to execute malicious PowerShell commands via MSDT in what Redmond describes as Arbitrary Code Execution (ACE) attacks when opening or previewing Word documents.
While applying today’s updates does not prevent Microsoft Office from automatically loading Windows protocol URI handlers without user interaction, it blocks PowerShell injection and disables this attack vector.
In the wild exploitation
The Follina security vulnerability has been exploited in attacks for a while by state-backed and cybercrime threat actors with various end goals.
As Proofpoint security researchers revealed, the Chinese TA413 hacking group exploited the bug in attacks targeting the Tibetan diaspora. In contrast, a second state-aligned threat group used it in phishing attacks against US and EU government agencies.
Follina is now also being abused by the TA570 Qbot affiliate in ongoing phishing campaigns to infect recipients with Qbot malware.
In light of Microsoft reporting active exploitation of the bug in the wild, CISA has also urged Windows admins and users to disable the MSDT protocol abused in these attacks.
Shadow Chaser Group’s CrazymanArmy, the security researcher who reported the zero-day to Microsoft’s security team in April, said the company rejected his initial submission as not a “security-related issue.”
However, according to the researcher, Redmond’s engineers later closed the bug submission report with a remote code execution impact.