Microsoft Releases Workaround Guidance for MSDT “Follina”; Vulnerability 05/31/2022 11:11 AM EDT Original release date: May 31, 2022 Microsoft has rel
[See the full post at: Zero day in office – but don’t panic]
Susan Bradley Patch Lady
If you have MS Office (any current version) on Windows – I might suggest taking some aggressively proactive prevention steps. (See Susan’s post above.)
Two new factors:
1) .LNK files are also able to call this vuln.
2) Renaming a Word document to .RTF can cause this vuln to trigger on file preview in File Explorer. No file opening needed.
~ Group "Weekend" ~
@Susan Bradley said:
“Group policy fix – Just disable “Troubleshooting wizards” by GPO see the location here:”
Unless I’m missing something, this does not open to a GPO setting location or guidance. Seems more like a registry location?
Can someone provide the GPO location and setting value?
Also, per @EricB’s question above, does the GPO setting interfere with wushowhide?
It is indeed a group policy setting.
Susan Bradley Patch Lady
Thank you, I can follow that path.
Question, if I am reading that path link properly, it appears that GPO setting is creating/setting a Registry entry that is different than the one you and MS are showing for a manual registry entry.
If so, why?
It is indeed a group policy setting.
System\Troubleshooting and Diagnostics\Scripted Diagnostics
I further just noticed that your original instructions said to disable “Troubleshooting wizards”, this new link is to “Scripted Diagnostics”.
Which GPO is it? and
Question, if I am reading that path link properly, it appears that GPO setting is creating/setting a Registry entry that is different than the one you and MS are showing for a manual registry entry. If so, why?
and
Also, per @EricB‘s question above, does the GPO setting interfere with wushowhide?
I believe this is correct.
Group Policy:
Computer Configuration\Administrative Templates\System\Troubleshooting and Diagnostics\Scripted Diagnostics\
Troubleshooting: Allow users to access and run Troubleshooting Wizards = Disabled
Registry:
HKLM\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnostics\
EnableDiagnostics = 0
Sorry, haven’t tried it yet. Standby.
EDIT:
Answer is YES. I get “An error occurred while troubleshooting” and the explanation: “Troubleshooting has been disabled in Group Policy.”
So I assume the Registry entry has the same effect if you don’t use GP.
Actually, they’re not the same.
The GPO setting affects registry key HKLM\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnostics
The Microsoft “suggested” edit affects registry key HKCR\ms-msdt
They also operate differently.
The GPO setting prevents all .diagcab files from running.
The “suggested” edit stops embedded code from remotely running the exploit but still allows .diagcab files (like wushowhide) to be run locally via Windows Explorer or a shortcut (see my #2450259 post.)
by Mitja Kolsek, the 0patch Team
…Our Micropatch
It would be by far the simplest for us to just disable msdt.exe by patching it with a TerminateProcess() call. However, that would render Windows diagnostic wizardry inoperable, even for non-Office applications. Another option was to codify Microsoft’s recommendation into a patch, effectively disabling the ms-msdt: URL protocol handler.
But when possible, we want to minimize our impact outside of removing the vulnerability, so we decided to place our patch in sdiagnhost.exe before the RunScript call and check if the user-provided path contains a “$(” sequence – which is necessary for injecting a PowerShell subexpression. If one is detected, we make sure the RunScript call is bypassed while the Diagnostic Tool keeps running…
** Much better solution than Microsoft’s workaround.
Couldn’t the geniuses at Microsoft come up with a similar solution?
That said if you do want to proactively protect yourself ….
This MSDT exploit is also prevented (without disabling troubleshooting wizards) by the Microsoft Defender Attack Surface Defender rule “Block Office applications from creating child processes” which you recommended to all Office users (with instructions for Pro and Home) in the AskWoody Plus Newsletter eight months ago:
If utilizing Microsoft Defender’s Attack Surface Reduction (ASR) rules in your environment, activating the rule “Block all Office applications from creating child processes” in Block mode will prevent this from being exploited.
Rapid Response: Microsoft Office RCE – “Follina” MSDT Attack
Windows 11 Pro version 22H2 build 22621.1778 + Microsoft 365 + Edge
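An added example, not from any poster in this thread or from Microsoft: a read-only PowerShell audit that reports which of the three mitigations discussed above are in place on a machine, namely the Scripted Diagnostics policy value, the ms-msdt: protocol handler key, and the Defender ASR rule. The ASR rule GUID is Microsoft's published id for “Block all Office applications from creating child processes” and is assumed from memory, not taken from this thread.

```powershell
# Added example: audit the Follina (CVE-2022-30190) mitigations discussed in this thread.
# Run in an elevated PowerShell on Windows 10/11. Read-only: it changes nothing.
$results = [ordered]@{}

# 1) Group Policy: Computer Configuration\Administrative Templates\System\
#    Troubleshooting and Diagnostics\Scripted Diagnostics\
#    "Allow users to access and run Troubleshooting Wizards" = Disabled
#    writes EnableDiagnostics = 0 under this key. Caveat from the thread:
#    this also blocks local .diagcab files such as wushowhide.
$gpoKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnostics'
$gpo = Get-ItemProperty -Path $gpoKey -Name EnableDiagnostics -ErrorAction SilentlyContinue
$results['GPO: Troubleshooting wizards disabled'] =
    ($null -ne $gpo -and $gpo.EnableDiagnostics -eq 0)

# 2) Microsoft's workaround: the ms-msdt: URL protocol handler key removed.
#    As several posters found, the key may never have existed (e.g. no Office
#    installed), which this reports the same way as "removed".
$handlerPresent = Test-Path 'Registry::HKEY_CLASSES_ROOT\ms-msdt'
$results['ms-msdt handler key absent'] = -not $handlerPresent

# 3) Defender ASR rule "Block all Office applications from creating child processes".
#    Assumption: the GUID below is Microsoft's published rule id (not from this thread).
#    Action value 1 = Block mode. Get-MpPreference only reflects enforced rules when
#    Defender is the active antivirus; any failure is reported as "not enforced".
$asrRuleId = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'
$asrBlock = $false
try {
    $pref    = Get-MpPreference -ErrorAction Stop
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $asrRuleId -and $actions[$i] -eq 1) { $asrBlock = $true }
    }
} catch { }
$results['ASR: Office child processes blocked'] = $asrBlock

# Report the OS build so the reader can compare against the June 2022 fix level.
$ver = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
"OS build: {0}.{1}" -f $ver.CurrentBuild, $ver.UBR

foreach ($k in $results.Keys) {
    $state = if ($results[$k]) { 'YES' } else { 'no' }
    "{0,-40} {1}" -f $k, $state
}
if (-not ($results.Values -contains $true)) {
    Write-Warning 'No Follina mitigation detected: install the June 2022 update or apply one of the workarounds above.'
}
```

Each line of the report is true/false for one mitigation; only one of them needs to be YES, and none are needed once the June 14, 2022 update is installed.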
The “vulnerability exists when MSDT is called using the URL protocol from a calling application”
To what extent is this an issue for a standalone PC where the user runs a standard set-up with LibreOffice? What applications could call MSDT? Is this likely to be one of those threats that in reality will only be used against organisations?
Windows 10 Home 22H2, Acer Aspire TC-1660 desktop + LibreOffice, non-techie
Is the patch for this in June updates?
Yes:
On Tuesday June 14, 2022, Microsoft issued Windows updates to address this vulnerability.
Guidance for CVE-2022-30190 Microsoft Support Diagnostic Tool Vulnerability
CVE-2022-30190 Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability [See FAQ 2.]
Windows 11 Pro version 22H2 build 22621.1778 + Microsoft 365 + Edge
To what extent is this an issue for a standalone PC where the user runs a standard set-up with LibreOffice?
The hack can happen if you open/preview a Word document in LibreOffice, Windows explorer…
The post was updated on 6/1 to caution about abuse of the search protocol. Is this a different exposure/exploit?
This is a different method to utilize exposure/exploit
A new Windows Search zero-day vulnerability can be used to automatically open a search window containing remotely-hosted malware executables simply by launching a Word document.
The security issue can be leveraged because Windows supports a URI protocol handler called ‘search-ms’ that allows applications and HTML links to launch customized searches on a device.
While most Windows searches will look on the local device’s index, it is also possible to force Windows Search to query file shares on remote hosts and use a custom title for the search window…
To what extent is this an issue for a standalone PC where the user runs a standard set-up with LibreOffice?
The hack can happen if you open/preview a Word document in LibreOffice, Windows explorer…
0Patch : “it doesn’t matter which version of Office you have installed, or if you have Office installed at all. The vulnerability could also be exploited through other attack vectors. That is why we also patched Windows 7, where the ms-msdt: URL handler is not registered at all“.
Very curious. Attempting to backup the ms-msdt entry results in an error message that it cannot be found and sure enough, it’s not listed in the registry. This is on a Win7 system by the way, does anyone else not see it? So to speak. Neither does the ScriptedDiagnostics entry exist for me but I just assumed that’s only for newer Windows versions. However, the search-ms entry is present in the correct location. It’s another reminder to not open anything one doesn’t recognise, same as it ever was.
Edit: Actually, regarding ScriptedDiagnostics – I have had the troubleshooting wizard in action centre disabled for years so maybe that’s why it’s not listed.
Edit2: I noticed a number of users over on the ArsTechnica article also don’t have the ms-msdt registry key – https://arstechnica.com/information-technology/2022/05/code-execution-0day-in-windows-has-been-under-active-exploit-for-7-weeks/
Some saying the key only exists if Office is installed or specific versions of Office even though the software is present on the system. I have never had any version of Office installed so maybe that’s why.
Just tested this and, according to the info shown on the Bleeping Computer site on how to test for this vulnerability, neither one singly nor both together actually stop it from happening!
(i.e., search-ms:query=proc&crumb=location:??? still pops up an Explorer window showing the search results.)
Anon 2 here. Win 10 Pro, 21H2, GP edits as per this site, wushowhide. It appears from the Bleeping article that it impacts opening any doc saved as .word or .rtf. I use LibreOffice (no Office here). I must search, open & work on saved-as .word docs.
And the above replies suggest that neither GPO nor reg “fix” work. And mess with wushowhide. So what to do?
Note: the 2nd ‘comment’ in bleeping article suggests a PC running a ‘local admin’ acct as even more susceptible. My PC is set up as Local only. I have both local Admin and use a User account, except when installing programs.
I post this for others further ref on this topic https://nakedsecurity.sophos.com/2022/05/31/mysterious-follina-zero-day-hole-in-office-what-to-do/
No experience with 0patch. If I download and install, how to select & have it patch only this, or does it do all their patches? Can they be undone, program deleted after M/S gets it sorted without affecting o/s integrity? Any latest direction on steps?
Further fodder for the coffers, ( you are prob atop of this):
’search-ms’: Remember that remote filenames aren’t as obvious as web links. “We won’t be surprised if other proprietary Windows URLs make the cybersecurity news over the next few days or weeks, pressed into service for devious or even directly destructive purposes by cybercriminals, or simply just uncovered by researchers trying to push the limits of the system as it stands.” https://nakedsecurity.sophos.com/2022/06/02/yet-another-zero-day-sort-of-in-windows-search-url-handling/
No ‘panic’, but what to do?
First off understand that this is a “get more rights” type of attack that will be more targeted than used in widespread attacks. I would use the ASR rules
“If utilizing Microsoft Defender’s Attack Surface Reduction (ASR) rules in your environment, activating the rule “Block all Office applications from creating child processes” in Block mode will prevent this from being exploited.”
Susan Bradley Patch Lady
First off understand that this is a “get more rights” type of attack that will be more targeted than used in widespread attacks. I would use the ASR rules…
Hi Susan:
I have a Win 10 Pro v21H2 OS and MS Office 2019 Home and Business C2R. Is the method described in your CSO article How to Use Windows Defender Attack Surface Reduction Rules the appropriate way to enable the “Block Office application from creating child processes” rule on my system, namely:
Is there a simpler way to do this with Win 10 Pro (e.g., from Windows Security | App & Browser Control | Exploit Protection | Exploit Protection Settings | System Settings) that I haven’t figured out yet? If not, is creating this “Block Office application from creating child processes” ASR rule enough to block the MSDT “Follina” vulnerability until Microsoft releases a patch, or is the registry edit in Guidance for CVE-2022-30190 Microsoft Support Diagnostic Tool Vulnerability still recommended?
I recall you discussing this Advanced Surface Reduction (ASR) rule several months ago in a previous AskWoody article or newsletter but couldn’t find it today and just happened to stumble across your CSO article during a Google search.
———–
Dell Inspiron 5584 * 64-bit Win 10 Pro v21H2 build 19044.1706 * Firefox v101.0.0 * Microsoft Defender v4.18.2203.5-1.1.19200.5 * Malwarebytes Premium v4.5.9.198-1.0.1689 * MS Office 2019 Home and Business Version 2205 (Build 15225.20204 Click-to-Run)
I recall you discussing this Advanced Surface Reduction (ASR) rule several months ago in a previous AskWoody article or newsletter but couldn’t find it today and just happened to stumble across your CSO article during a Google search.
The same instructions are in ISSUE 18.39 • 2021-10-11 under “Becoming more security-aware“.
Windows 11 Pro version 22H2 build 22621.1778 + Microsoft 365 + Edge
First off this threat is really more for large targeted enterprises. It’s not an attack sequence being used against standalone machines. Next if you ARE a large enterprise, then you should be doing several Attack surface reduction rules now like this “block office from ….”
Every platform can be abused, the real question comes down to — are YOU at risk from that attack?
Susan Bradley Patch Lady
https://twitter.com/wdormann/status/1532727165661458432?s=11&t=mxKvVkgdD-sO1WYBGNl6MQ
“In my limited testing, the original DOCX format version of the exploit doesn’t work on a Current Channel Office with Feb 2022 updates, yet RTF works against everything.”
Susan Bradley Patch Lady
So is using the command “reg delete HKEY_CLASSES_ROOT\ms-msdt /f” still the best advice?
FMI, what is the purpose of the “/f ” at the end of the command?
I assume you could also enter the registry and manually delete the key?
No.
The best advice is to install 0Patch fix and retain ms-msdt / troubleshooting.
https://www.askwoody.com/forums/topic/zero-day-in-office-but-dont-panic/#post-2450308
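An added example, not from this thread, Microsoft or 0patch: a PowerShell script that applies Microsoft's ms-msdt workaround only after exporting the key to a backup file, and restores it from that file later. The backup path is an assumed location, and the script treats a missing key as nothing to do rather than an error.

```powershell
# Added example: apply or undo the ms-msdt registry workaround with a backup.
# Usage (elevated PowerShell):
#   .\msdt-workaround.ps1 -Action Apply
#   .\msdt-workaround.ps1 -Action Restore
param(
    [Parameter(Mandatory)][ValidateSet('Apply', 'Restore')][string]$Action,
    # Assumed backup location; any writable path works.
    [string]$BackupFile = (Join-Path $env:ProgramData 'ms-msdt-backup.reg')
)
$key = 'HKEY_CLASSES_ROOT\ms-msdt'

switch ($Action) {
    'Apply' {
        # Systems without Office may never have had the key; deleting nothing is harmless.
        if (-not (Test-Path "Registry::$key")) {
            Write-Host "$key is not present; nothing to remove."
            return
        }
        # reg export writes the key and its subkeys to a .reg file; /y overwrites silently.
        reg export $key $BackupFile /y | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "Backup to $BackupFile failed; key left untouched." }
        # /f = force: delete without the interactive "Permanently delete ...? (Yes/No)" prompt.
        reg delete $key /f | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "reg delete of $key failed." }
        Write-Host "Removed $key; backup saved to $BackupFile"
    }
    'Restore' {
        # reg import re-creates the key exactly as exported, which is how to
        # undo the workaround once the June 2022 update is installed.
        if (-not (Test-Path $BackupFile)) { throw "No backup found at $BackupFile" }
        reg import $BackupFile | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "reg import of $BackupFile failed." }
        Write-Host "Restored $key from $BackupFile"
    }
}
```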
Do you know if the free version will work on Win 10 Pro 21H2 with GP edits ie WU set to “2”, and other GP stgs etc, wushowhide? Do you install via local admin acct or user? If thru admin, does that account have to be constantly logged in? Like you, I use LibreOffice, and use another non-Defender a/v. Pls advise, thank you.
I am confused. I don’t have the background knowledge to fill in the blanks about how these attacks work.
Is this blog alert talking about two separate vulnerabilities that have no relationship to one another, i.e.,
a) remote code execution (RCE) vulnerability—CVE-2022-30190, known as “Follina”—affecting the Microsoft Support Diagnostic Tool (MSDT) in Windows.
b) the abuse of URI (whatever that is) for search
Or are they related? If if they are related, is there one fix for one of them and another fix for the other one? Or is there one fix for both of them?
As for a) and “Troubleshooting wizards”, I often use a Troubleshooting wizard to diagnose my network connections when synchronizing my two machines via private network. Sometimes I think they are connected, but they aren’t, so this wizard diagnoses and fixes the problem. It looks like the “Troubleshooting wizards” solution is out for me, if I want to continue to be able to let a Troubleshooter diagnose and fix this network problem that occasionally occurs.
I use WUSHOWHIDE (and @Alex5723, I don’t really want to figure out how to use WUMgr) and if I read the comments here, one of the fixes {either the GPO fix for a) or the fix for b)} prevents WUSHOWHIDE from working. I am not sure which of the vulnerabilities involves WUSHOWHIDE and if it is a), then do I understand that the GPO fix will interfere with WUSHOWHIDE, but the registry fix for a) will not?? And that the registry fix will also not interfere with “Troubleshooting wizards”?
b’s suggestion to use the Microsoft Defender Attack Surface Defender rule “Block Office applications from creating child processes” recommended by Susan for all Office users at October 11, 2021 Issue 18.39 won’t work for me, because as Susan says there, “You must also use Microsoft Defender as your default antivirus, because third-party antivirus solutions disable Defender — which in turn prevents ASR from being used.” I don’t use Defender as my default anti-virus, although at Settings | Update & Security | Windows Security | Virus & threat protection | Microsoft Defender Antivirus options, I have periodic scanning turned on and Microsoft Defender delivers updates to the WU queue periodically (at least twice, sometimes 3 times a day), after which I download and install them (I have GP-2 download/install). So, I don’t really know if using the MS Defender Attack Surface Defender rule will work or not? Anybody want to weigh in on this aspect of using the ASR rule?
Does the vulnerability (not sure if only one or the other or both would apply here) affect a user if the only Word files opened are ones created and opened on one’s device (i.e., the Word documents are all in-house, i.e., not downloaded from some other source, other than being synchronized on both of my devices, which involves copying from one device to the other)? And, if those in-house Word files are never located via a search, what about that? I might search for the folder they are in or use a link to a folder, but I never search for the file itself (and open it) because I have no filename ‘on the tip of my tongue’ to search for [the name has escaped me]).
b’s suggestion to use the Microsoft Defender Attack Surface Defender rule “Block Office applications from creating child processes” recommended by Susan for all Office users at October 11, 2021 Issue 18.39 won’t work for me, because as Susan says there, “You must also use Microsoft Defender as your default antivirus, because third-party antivirus solutions disable Defender — which in turn prevents ASR from being used.” I don’t use Defender as my default anti-virus, although at Settings | Update & Security | Windows Security | Virus & threat protection | Microsoft Defender Antivirus options, I have periodic scanning turned on and Microsoft Defender delivers updates to the WU queue periodically (at least twice, sometimes 3 times a day), after which I download and install them (I have GP-2 download/install). So, I don’t really know if using the MS Defender Attack Surface Defender rule will work or not? Anybody want to weigh in on this aspect of using the ASR rule?
Susan included “default” for good reason. Periodic scanning does not suffice for this purpose.
Windows 11 Pro version 22H2 build 22621.1778 + Microsoft 365 + Edge
Is this blog alert talking about two separate vulnerabilities that have no relationship to one another
Yes. One is via Word / RTF docs, the other is via search. There are separate workarounds / patches for each.
cheers, Paul
Just received the AskWoody Plus email about the typo of “ms-search” and the corrected “search-ms”. I ran the erroneous command “reg delete HKEY_CLASSES_ROOT\ms-search /f” and it completed without notification. Did that command actually delete something in the registry? If so, how to reverse that? (The .reg file provided to reverse things has “search-ms” rather than “ms-search”.)
Win10 Pro x64 22H2, Win10 Home 22H2, Linux Mint + a cat with 'tortitude'.
https://askwoodylounge.com/wl/?id=rv75QqPe6PbgY95wqxkUyJLj06t97sva&fmode=download
It won’t impact as it has no file association – but should you want to put it back use that link to put the registry key back into your computer.
It also looks like that:
Susan Bradley Patch Lady
I have Office 2010. Is there anything I should do with respect to this vulnerability in view of the fact that Office 2010 is an older version of Office?
P.S: I realize that Office 2010 is no longer receiving any updates from Microsoft, but I am signed up for 0Patch coverage for Office 2010.
Yes, the issue is with Windows, so all Office versions are affected.
Your AV should have updates to catch these documents, but there is a risk that a preview might occur before your AV has scanned the file.
If you don’t open/preview unknown/unexpected documents then you can’t be affected.
cheers, Paul
Paul T: Thanks for your response. I’m wondering, do I need to even worry about this vulnerability in view of the fact that this seems to apply only to large enterprises (and I am not a large enterprise)? (See posting from Susan Bradley dated June 3rd which says “First off this threat is really more for large targeted enterprises. It’s not an attack sequence being used against standalone machines. Next if you ARE a large enterprise, then you should be doing several Attack surface reduction rules now like this “block office from ….”).
I will appreciate any response you can provide.