Zero day in office – but don’t panic

Topic

New Reply

Microsoft Releases Workaround Guidance for MSDT “Follina”; Vulnerability 05/31/2022 11:11 AM EDT Original release date: May 31, 2022 Microsoft has rel
[See the full post at: Zero day in office – but don’t panic]

Susan Bradley Patch Lady

9 users thanked author for this post.

oldfry, GreatAndPowerfulTech, fk5353, Ricard, lmacri, Kobac, jburk07, NaNoNyMouse, NetDef

Reply | Quote

Replies

If you have MS Office (any current version) on Windows – I might suggest taking some aggressively proactive prevention steps. (See Susan’s post above.)

Two new factors:

1) .LNK files are also able to call this vuln.

2) Renaming a word document to .RTF can cause this vuln to trigger on file preview in File Explorer. No file opening needed.

 

~ Group "Weekend" ~

Reply | Quote

More generally speaking, how can I list and manage URI handlers in Windows?

Reply | Quote

Does this help?  The List of URI Commands to launch Windows 10 Apps (winaero.com)

Susan Bradley Patch Lady

2 users thanked author for this post.

pmbinc, Lars220

Reply | Quote

The group policy solution cautions that if used the policy will disable a user’s ability to run .diagcab files.  So presumably this would impact those of us that depend on wushowhide.

Does the registry fix have the same side effect?

1 user thanked author for this post.

Lars220

Reply | Quote

EricB wrote:

Does the registry fix have the same side effect?

No.

Just verified wushowhide still works after applying the registry fix.

4 users thanked author for this post.

Ricard, jburk07, Lars220, EricB

Reply | Quote

@Susan Bradley said:

“Group policy fix – Just disable “Troubleshooting wizards” by GPO  see the location here:”

Unless I’m missing something, this does not open to a GPO setting location or guidance.  Seems more like a registry location?

Can someone provide the GPO location and setting value?

Also, per @EricB’s question above, does the GPO setting interfere with wushowhide?

Windows 10 Pro x64 v22H2 and Windows 7 Pro SP1 x64 (RIP)

Reply | Quote

https://www.windows-security.org/3976dadfa886f59530253645ab50ec61/configure-security-policy-for-scripted-diagnostics

It is indeed a group policy setting.

Policy path:

System\Troubleshooting and Diagnostics\Scripted Diagnostics

Susan Bradley Patch Lady

1 user thanked author for this post.

Tex265

Reply | Quote

Thank you, I can follow that path.

Question, if I am reading that path link properly, it appears that GPO setting is creating/setting a Registry entry that is different than the one you and MS are showing for a  manual registry entry.

If so, why?

Windows 10 Pro x64 v22H2 and Windows 7 Pro SP1 x64 (RIP)

Reply | Quote

Did you disable the policy there for Troubleshooting Wizards or one of the others?

Reply | Quote

@sb

It is indeed a group policy setting.

System\Troubleshooting and Diagnostics\Scripted Diagnostics

I further just noticed that your original instructions said to disable “Troubleshooting wizards”,   this new link is to “Scripted Diagnostics”.

Which GPO is it?   and

Tex265 wrote:

Question, if I am reading that path link properly, it appears that GPO setting is creating/setting a Registry entry that is different than the one you and MS are showing for a manual registry entry. If so, why?

  and

Tex265 wrote:

Also, per @EricB‘s question above, does the GPO setting interfere with wushowhide?

Windows 10 Pro x64 v22H2 and Windows 7 Pro SP1 x64 (RIP)

Reply | Quote

I believe this is correct.

Group Policy:
Computer Configuration\Administrative Templates\System\Troubleshooting and Diagnostics\Scripted Diagnostics\
Troubleshooting: Allow users to access and run Troubleshooting Wizards = Disabled

Registry:
HKLM\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnostics\
EnableDiagnostics = 0

3 users thanked author for this post.

jburk07, Ricard, Tex265

Reply | Quote

Thanks for the clarification PK.

Does the GPO setting interfere with wushowhide functioning properly? (I’m reluctant to experiment in the event it would trigger a download on hold).

Windows 10 Pro x64 v22H2 and Windows 7 Pro SP1 x64 (RIP)

Reply | Quote

Sorry, haven’t tried it yet. Standby.

EDIT:

Answer is YES. I get “An error occurred while troubleshooting” and the explanation: “Troubleshooting has been disabled in Group Policy.”
So I assume the Registry entry has the same effect if you don’t use GP.

2 users thanked author for this post.

jburk07, Tex265

Reply | Quote

Answer is YES

Reply | Quote

That makes the GPO option useless for many of us.

Looks like it’s the MS suggested registry edit or nothing pending an actual patch.

(Or the Opatch item?)

Windows 10 Pro x64 v22H2 and Windows 7 Pro SP1 x64 (RIP)

Reply | Quote

The GPO description does not have to match the actual registry key. GPO setting and manual registry will be the same key.
Use whichever you find easier.

cheers, Paul

Reply | Quote

Actually, they’re not the same.

The GPO setting effects registry key HKLM\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnostics

The Microsoft “suggested” edit effects registry key HKCR\ms-msdt

They also operate differently.

The GPO setting prevents all .diagcab files from running.

The “suggested” edit stops embedded code from remotely running the exploit but still allows .diagcab files (like wushowhide) to be run locally via Windows Explorer or a shortcut (see my #2450259 post.)

Reply | Quote

0patch Pro also just put out their micropatchs for Folina

1 user thanked author for this post.

Alex5723

Reply | Quote

https://blog.0patch.com/

by Mitja Kolsek, the 0patch Team

…Our Micropatch

It would be by far the simplest for us to just disable msdt.exe by patching it with a TerminateProcess() call. However, that would render Windows diagnostic wizardry inoperable, even for non-Office applications. Another option was to codify Microsoft’s recommendation into a patch, effectively disabling the ms-msdt: URL protocol handler.

But when possible, we want to minimize our impact outside of removing the vulnerability, so we decided to place our patch in sdiagnhost.exe before the RunScript call and check if the user-provided path contains a “$(” sequence – which is necessary for injecting a PowerShell subexpression. If one is detected, we make sure the RunScript call is bypassed while the Diagnostic Tool keeps running…

** Much better solution than Microsoft’s workaround.
Couldn’t the geniuses at Microsoft come with a similar solution ?

2 users thanked author for this post.

GreatAndPowerfulTech, jburk07

Reply | Quote

Susan Bradley wrote:

That said if you do want to proactively protect yourself ….

This MSDT exploit is also prevented (without disabling troubleshooting wizards) by the Microsoft Defender Attack Surface Defender rule “Block Office applications from creating child processes” which you recommended to all Office users (with instructions for Pro and Home) in the AskWoody Plus Newsletter eight months ago:

If utilizing Microsoft Defender’s Attack Surface Reduction (ASR) rules in your environment, activating the rule “Block all Office applications from creating child processes” in Block mode will prevent this from being exploited.

Rapid Response: Microsoft Office RCE – “Follina” MSDT Attack

Windows 11 Pro version 22H2 build 22621.1483 + Microsoft 365 + Edge

Reply | Quote

This doesn’t help users like me that don’t use Office nor defender.
0Patch fix is more elegant and applies to all Windows users.

1 user thanked author for this post.

GreatAndPowerfulTech

Reply | Quote

The “vulnerability exists when MSDT is called using the URL protocol from a calling application”
To what extent is this an issue for a standalone PC where the user runs a standard set-up with LibreOffice ? What applications could call MSDT ? Is this likely to be one of those threats that in reality will only be used against organisations ?

Windows 10 Home 22H2, Acer Aspire TC-1660 desktop + LibreOffice, non-techie

Reply | Quote

Attackers are currently using this in targeted attacks. It’s not widely exploited (yet) at this time.

Susan Bradley Patch Lady

1 user thanked author for this post.

samak

Reply | Quote

I disabled it in GPO. When should I enable it again?

Reply | Quote

When it’s patched.  I’ll let you know.

Susan Bradley Patch Lady

Reply | Quote

Hi Susan. Is the patch for this in June updates?  Or are we still waiting…….

Just want to know if I can change GP Edit back to original settings. thanks! Donna

Reply | Quote

dmt_3904 wrote:

Is the patch for this in June updates?

Yes:

On Tuesday June 14, 2022, Microsoft issued Windows updates to address this vulnerability.

Guidance for CVE-2022-30190 Microsoft Support Diagnostic Tool Vulnerability

CVE-2022-30190 Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability [See FAQ 2.]

Windows 11 Pro version 22H2 build 22621.1483 + Microsoft 365 + Edge

1 user thanked author for this post.

dmt_3904

Reply | Quote

samak wrote:

To what extent is this an issue for a standalone PC where the user runs a standard set-up with LibreOffice ?

The hack can happen if you open/preview a Word document in LibreOffice, Windows explorer…

1 user thanked author for this post.

samak

Reply | Quote

LibreOffice does not have this bug as far as I can tell.

Where have you found information confirming that the bug is present in LibreOffice?

cheers, Paul

Reply | Quote

Libreoffice uses VBA if not turned off? Is under Options>Load/Save. Default all checked?

Reply | Quote

The post was updated on 6/1 to caution about abuse of the search protocol.  Is this a different exposure/exploit?  I haven’t seen anything from Microsoft about this and their guidance about msdt.exe has not been updated.

Reply | Quote

EricB wrote:

The post was updated on 6/1 to caution about abuse of the search protocol.  Is this a different exposure/exploit?

This is a different method to utilize exposure/exploit

https://www.bleepingcomputer.com/news/security/new-windows-search-zero-day-added-to-microsoft-protocol-nightmare/

A new Windows Search zero-day vulnerability can be used to automatically open a search window containing remotely-hosted malware executables simply by launching a Word document.

The security issue can be leveraged because Windows supports a URI protocol handler called ‘search-ms’ that allows applications and HTML links to launch customized searches on a device.

While most Windows searches will look on the local device’s index, it is also possible to force Windows Search to query file shares on remote hosts and use a custom title for the search window…

2 users thanked author for this post.

Pim, EricB

Reply | Quote

Alex5723 wrote:

samak wrote:

To what extent is this an issue for a standalone PC where the user runs a standard set-up with LibreOffice ?

The hack can happen if you open/preview a Word document in LibreOffice, Windows explorer…

0Patch : “it doesn’t matter which version of Office you have installed, or if you have Office installed at all. The vulnerability could also be exploited through other attack vectors. That is why we also patched Windows 7, where the ms-msdt: URL handler is not registered at all“.

2 users thanked author for this post.

LHiggins, GreatAndPowerfulTech

Reply | Quote

Very curious. Attempting to backup the ms-msdt entry results in an error message that it cannot be found and sure enough, it’s not listed in the registry. This is on a Win7 system by the way, does anyone else not see it? So to speak. Neither does the ScriptedDiagnostics entry exist for me but i just assumed that’s only for newer Windows versions. However, the search-ms entry is present in the correct location. It’s another reminder to not open anything one doesn’t recognise, same as it ever was.

Edit: Actually, regarding ScriptedDiagnostics – i have had the troubleshooting wizard in action centre disabled for years so maybe that’s why it’s not listed.

Edit2: I noticed a number of users over on the ArsTechnica article also don’t have the ms-msdt registry key – https://arstechnica.com/information-technology/2022/05/code-execution-0day-in-windows-has-been-under-active-exploit-for-7-weeks/

Some saying the key only exists if Office is installed or specific versions of Office even though the software is present on the system. I have never had any version of Office installed so maybe that’s why.

Reply | Quote

Would disabling the Windows Search service be enough by itself to stop the search exploit?

Or would the registry key still need to be removed as well?

Reply | Quote

Just tested this and, according to the info shown on beeping computer site on how to test this vulnerable, neither each one singularly nor both together actually stop it from happening!

(i.e., search-ms:query=proc&crumb=location:??? still pops up an Explorer window showing the search results.)

 

Reply | Quote

Moonbeam, I disabled Win search when Win 10 was introduced. The registry key was removed.

Peace, CAS

Reply | Quote

Anon 2 here. Win 10 Pro, 21H2 , GP edits as per this site, winshowhide. It appears from Bleeping article, that it impacts opening any doc saved as .word or .rtf. I use Libreoffice (no Office here). I must search, open & work on saved as .word docs.

And the above replies suggest that neither GPO or reg “fix’  work. And mess with winshowhide. So what to do?

Note: the 2nd ‘comment’ in bleeping article suggests a PC running a  ‘local admin’ acct as even more susceptible. My PC is set up as Local only. I have both local Admin and use a User account, except when installing programs.

I post this for others further ref on this topic https://nakedsecurity.sophos.com/2022/05/31/mysterious-follina-zero-day-hole-in-office-what-to-do/

No experience with Opatch. If I download and install, how to select & have it patch only this, or does it do all their patches? Can they be undone, program deleted after M/S gets it sorted without affecting o/s integrity? Any latest direction on steps?

Reply | Quote

Further fodder for the coffers, ( you are prob atop of this):

’search-ms’:  Remember that remote filenames aren’t as obvious as web links. “We won’t be surprised if other proprietary Windows URLs make the cybersecurity news over the next few days or weeks, pressed into service for devious or even directly destructive purposes by cybercriminals, or simply just uncovered by researchers trying to push the limits of the system as it stands.”  https://nakedsecurity.sophos.com/2022/06/02/yet-another-zero-day-sort-of-in-windows-search-url-handling/

No ‘panic’, but what to do?

 

Reply | Quote

First off understand that this is a “get more rights” type of attack that will be more targeted than used in widespread attacks.  I would use the ASR rules

“If utilizing Microsoft Defender’s Attack Surface Reduction (ASR) rules in your environment, activating the rule “Block all Office applications from creating child processes” in Block mode will prevent this from being exploited.”

Susan Bradley Patch Lady

Reply | Quote

Susan Bradley wrote:

First off understand that this is a “get more rights” type of attack that will be more targeted than used in widespread attacks. I would use the ASR rules…

Hi Susan:

I have a Win 10 Pro v21H2 OS and MS Office 2019 Home and Business C2R. Is the method described in your CSO article How to Use Windows Defender Attack Surface Reduction Rules the appropriate way to enable the “Block Office application from creating child processes” rule on my system, namely:

• Open the Local Group Policy Editor [open a Run dialog box (Windows key + R) and enter gpedit.msc]
• Go to Computer Configuration | Administrative Templates | Windows Components | Microsoft Defender Antivirus | Microsoft Defender Exploit Guard [or Windows Defender Exploit Guard (old name) | Attack Surface Reduction
• Double-click on Configure Attack Surface Reduction Rules in right pane and change “Not Configured” to “Enabled”
• Under Options, click the Show… button beside “Set the state for each ASR rule“.
• Enter D4F940AB-401B-4EFC-AADC-AD5F3C50688A for the GUID and set the Value to “1” to block.

Is there a simpler way to do this with Win 10 Pro (e.g., from Windows Security | App & Browser Control | Exploit Protection | Exploit Protection Settings | System Settings) that I haven’t figured out yet?  If not, is creating this this “Block Office application from creating child processes” ASR rule enough to block the MSDT “Follina” vulnerability until Microsoft releases a patch, or is the registry edit in Guidance for CVE-2022-30190 Microsoft Support Diagnostic Tool Vulnerability still recommended?

I recall you discussing this Advanced Surface Reduction (ASR) rule several months ago in a  previous AskWoody article or newsletter but couldn’t find it today and just happened to stumble across your CSO article during a Google search.
———–
Dell Inspiron 5584 * 64-bit Win 10 Pro v21H2 build 19044.1706 * Firefox v101.0.0 * Microsoft Defender v4.18.2203.5-1.1.19200.5 * Malwarebytes Premium v4.5.9.198-1.0.1689 * MS Office 2019 Home and Business Version 2205 (Build 15225.20204 Click-to-Run)

Reply | Quote

lmacri wrote:

I recall you discussing this Advanced Surface Reduction (ASR) rule several months ago in a  previous AskWoody article or newsletter but couldn’t find it today and just happened to stumble across your CSO article during a Google search.

The same instructions are in ISSUE 18.39 • 2021-10-11 under “Becoming more security-aware“.

Windows 11 Pro version 22H2 build 22621.1483 + Microsoft 365 + Edge

1 user thanked author for this post.

lmacri

Reply | Quote

https://github.com/hemaurer/MDATP_PoSh_Scripts/raw/master/ASR%20GUI/ASR_Rules_PoSh_GUI.exe  Try that tool.  It makes it way easier.

Susan Bradley Patch Lady

Reply | Quote

Just disable “Troubleshooting wizards” by GPO
Execute the command “reg delete HKEY_CLASSES_ROOT\search-ms /f”..

What next to disable / delete ? Windows OS ? /s

Reply | Quote

First off this threat is really more for large targeted enterprises.  It’s not an attack sequence being used against standalone machines.  Next if you ARE a large enterprise, then you should be doing several Attack surface reduction rules now like this “block office from ….”

Every platform can be abused, the real question comes down to — are YOU at risk from that attack?

Susan Bradley Patch Lady

Reply | Quote

https://twitter.com/wdormann/status/1532727165661458432?s=11&t=mxKvVkgdD-sO1WYBGNl6MQ

“In my limited testing, the original DOCX format version of the exploit doesn’t work on a Current Channel Office with Feb 2022 updates, yet RTF works against everything.”

Susan Bradley Patch Lady

Reply | Quote

So is use the command “reg delete HKEY_CLASSES_ROOT\ms-msdt /f”  still the best advice?

FMI, what is the purpose of the  “/f ” at the end of the command?

I assume you could also enter the registry and manually delete the key?

Windows 10 Pro x64 v22H2 and Windows 7 Pro SP1 x64 (RIP)

Reply | Quote

From MS:

Deletes the existing registry subkey or entry without asking for confirmation.

Susan Bradley Patch Lady

Reply | Quote

Tex265 wrote:

So is use the command “reg delete HKEY_CLASSES_ROOT\ms-msdt /f”  still the best advice?

FMI, what is the purpose of the  “/f ” at the end of the command?

I assume you could also enter the registry and manually delete the key?

No.

The best advice is to install 0Patch fix and retain ms-msdt / troubleshooting.

https://www.askwoody.com/forums/topic/zero-day-in-office-but-dont-panic/#post-2450308

3 users thanked author for this post.

Cybertooth, Geo, LHiggins

Reply | Quote

Do you know if the free version will work on Win 10 Pro 21H2 with GP edits ie WU set to “2, and other GP stgs etc, winshowhide? Do you install via local admin acct or user? If thru admin, does that account have to be constantly logged in? Like you, I use Libreoffice, and use another non-Defender a/v. Pls advise, thank you.

Reply | Quote

0patch Pro has been turning out micro patch’s daily  for follina.

1 user thanked author for this post.

Cybertooth

Reply | Quote

I am confused. I don’t have the background knowledge to fill in the blanks about how these attacks work.

Is this blog alert talking about two separate vulnerabilities that have no relationship to one another, i.e.,
a) remote code execution (RCE) vulnerability—CVE-2022-30190, known as “Follina”—affecting the Microsoft Support Diagnostic Tool (MSDT) in Windows.
b) the abuse of URI (whatever that is) for search

Or are they related? If if they are related, is there one fix for one of them and another fix for the other one? Or is there one fix for both of them?

As for a) and “Troubleshooting wizards”, I often use a Troubleshooting wizard to diagnose my network connections when synchronizing my two machines via private network. Sometimes I think they are connected, but they aren’t, so this wizard diagnoses and fixes the problem. It looks like the “Troubleshooting wizards” solution is out for me, if I want to continue to be able to let a Troubleshooter diagnose and fix this network problem that occasionally occurs.

I use WUSHOWHIDE (and @Alex5723, I don’t really want to figure out how to use WUMgr) and if I read the comments here, one of the fixes {either the GPO fix for a) or the fix for b)} prevents WUSHOWHIDE from working. I am not sure which of the vulnernabilities involves WUSHOWHIDE and if it is a), then do I understand that the GPO fix will interfere with WUSHOWHIDE, but the registry fix for a) will not?? And that the registry fix will also not interfere with “Troubleshooting wizards”?

b’s suggestion to use the Microsoft Defender Attack Surface Defender rule “Block Office applications from creating child processes” recommended by Susan for all Office users at October 11, 2021 Issue 18.39 won’t work for me, because as Susan says there, “You must also use Microsoft Defender as your default antivirus, because third-party antivirus solutions disable Defender — which in turn prevents ASR from being used.” I don’t use Defender as my default anti-virus, although at Settings | Update & Security | Windows Security | Virus & threat protection | Microsoft Defender Antivirus options, I have periodic scanning turned on and Microsoft Defender delivers updates to the WU queue periodicially (at least twice, sometimes 3 times a day), after which I download and install them (I have GP-2 download/install). So, I don’t really know if the using the MS Defender Attack Surface Defender rule wil work or not? Anybody want to weigh in on this aspect of using the ASR rule?

Does the vulnerability (not sure if only one or the other or both would apply here) affect a user if the only Word files opened are ones created and opened on one’s device (i.e., the Word documents are all in-house, i.e., not downloaded from some other source, other than being synchronized on both of my devices, which involves copying from one device to the other)? And, if those in-house Word files are never located via a search, what about that? I might search for the folder they are in or use a link to a folder, but I never search for the file itself (and open it) because I have no filename ‘on the tip of my tongue’ to search for [the name has escaped me]).

Reply | Quote

WCHS wrote:

b’s suggestion to use the Microsoft Defender Attack Surface Defender rule “Block Office applications from creating child processes” recommended by Susan for all Office users at October 11, 2021 Issue 18.39 won’t work for me, because as Susan says there, “You must also use Microsoft Defender as your default antivirus, because third-party antivirus solutions disable Defender — which in turn prevents ASR from being used.” I don’t use Defender as my default anti-virus, although at Settings | Update & Security | Windows Security | Virus & threat protection | Microsoft Defender Antivirus options, I have periodic scanning turned on and Microsoft Defender delivers updates to the WU queue periodicially (at least twice, sometimes 3 times a day), after which I download and install them (I have GP-2 download/install). So, I don’t really know if the using the MS Defender Attack Surface Defender rule wil work or not? Anybody want to weigh in on this aspect of using the ASR rule?

Susan included “default” for good reason. Periodic scanning does not suffice for this purpose.

Windows 11 Pro version 22H2 build 22621.1483 + Microsoft 365 + Edge

1 user thanked author for this post.

WCHS

Reply | Quote

anonymous wrote:

Do you know if the free version will work on Win 10 Pro 21H2 with GP edits ie WU set to “2, and other GP stgs etc

0Patch disregards your GP settings.

Reply | Quote

WCHS wrote:

Is this blog alert talking about two separate vulnerabilities that have no relationship to one another

Yes. One is via Word / RTF docs, the other is via search. There are separate workarounds / patches for each.

cheers, Paul

2 users thanked author for this post.

WCHS, Cybertooth

Reply | Quote

Just received the AskWoody Plus email about the typo of “ms-search” and the corrected “search-ms”. I ran the erroneous command “reg delete HKEY_CLASSES_ROOT\ms-search /f” and it completed without notification. Did that command actually delete something in the registry? If so, how to reverse that? (The .reg file provided to reverse things has “search-ms” rather than “ms-search”.)

Win10 Pro x64 22H2, Win10 Home 21H2, Linux Mint + a cat with 'tortitude'.

Reply | Quote

https://askwoodylounge.com/wl/?id=rv75QqPe6PbgY95wqxkUyJLj06t97sva&fmode=download

It won’t impact as it has no file association – but should you want to put it back use that link to put the registry key back into your computer.

It also looks like that:

Susan Bradley Patch Lady

1 user thanked author for this post.

Steve S.

Reply | Quote

I have Office 2010.  Is there anything I should do with respect to this vulnerability in view of the fact that Office 2010 is an older version of Office?

P.S:   I realize that Office 2010 is no longer receiving any updates from Microsoft,  but I am signed up for 0Patch coverage for Office 2010.

Reply | Quote

Yes, the issue is with Windows, so all Office versions are affected.

Your AV should have updates to catch these documents, but there is a risk that a preview might occur before your AV has scanned the file.
If you don’t open/preview unknown/unexpected documents then you can’t be affected.

cheers, Paul

1 user thanked author for this post.

L95

Reply | Quote

Paul T:    Thanks for your response.   I’m wondering do I need to even worry about this vulnerability in view of the fact that this seems to apply only to large enterprises (and I am not a large enterprise) ?   (See posting from Susan Bradley dated June 3rd which says “First off this threat is really more for large targeted enterprises.  It’s not an attack sequence being used against standalone machines.  Next if you ARE a large enterprise, then you should be doing several Attack surface reduction rules now like this “block office from ….”  ).   

I will appreciate any response you can provide.

 

Reply | Quote

Any issue where opening a document triggers an infection is bad, m’kay.

MS will patch this and your AV will catch anything that does slip through, so you do not need to worry about being affected.

cheers, Paul

1 user thanked author for this post.

L95

Reply | Quote

If the registry edit workarounds were employed must the deleted data be restored to the registry before running the June 2022 updates now that the Defcon level has been changed to 3?

Reply | Quote