alert banner

ISSUE 19.23.1 • 2022-06-09
MS-DEFCON 2: Zero days unpatched


By Susan Bradley

Once again, we are faced with several zero days that are plaguing Office and Windows.

Accordingly, I am raising the MS-DEFCON alert level to 2.

At this time, the vulnerabilities are being used in targeted attacks and ones that are more probing in nature (probes test the ability of the attack to get in but don’t take action). So far, we have not seen widespread attacks, but there are some ways you can proactively protect yourself.

“Follina” is a Microsoft Office flaw that is being tracked by Microsoft as CVE-2022-30190. Researcher Kevin Beaumont tweeted about this in May, describing it as a misuse in the Microsoft Support Diagnostic Tool (MSDT). The exploit is activated when the victim opens a malicious document. with Follina, the file preview appears in Explorer, and Protected View is not triggered while the exploit is executed. Attackers can exploit this vulnerability to gain privilege escalation on a system and gain “god mode” access to the impacted system. Office Pro Plus, Office 2013, Office 2016, Office 2019, and Office 2021 were impacted by the flaw.

If you set the Defender Attack Surface reduction rules to block Office from creating child processes, the vulnerability will be kept at bay. I prefer using the ASR GUI tool. Download the exe file, run it, and choose Block Office from creating child processes.

Alternatively, use the Windows command line (run as administrator) to execute registry actions. This one disables the troubleshooting wizards:

  • reg delete HKEY_CLASSES_ROOT\ms-msdt /f

This one disables search:

  • reg delete HKEY_CLASSES_ROOT\search-ms /f

For complete details, see my Zero day in office – but don’t panic post, and see follow-ups in the forum topic.

Consumer and Home users looking for an update?

This month is a “late” patching month because security updates come out on the second Tuesday of the month. That means over two weeks would have elapsed from the first notifications about this problem. As of this alert, we don’t know whether Microsoft will deploy an out-of-band update or wait until June 14, Patch Tuesday. We will issue an alert if an out-of-band update is released.

In the meantime, your only option is to download a free fix for Follina from 0Patch. It has fixes for Windows 11 21H2; Windows 10 versions 21H2, 21H1, 20H2, 2004, 1909, 1903, 1809, and 1803; Windows 7; and Windows Server 2008 R2.

If you’re new to 0patch, create a free account in 0patch Central, then install and register 0patch Agent. Everything else will happen automatically. No computer reboot will be needed. See details in our Knowledge Base post Installing and using 0patch.

Because I don’t see any indication of a widespread use of this attack, I consider the risk to consumers very low. If an out-of-band patch is issued, I’ll reassess and let you know.

Business users

For business users, I recommend that you deploy ASR rules and keep them on. (More on ASR rules here.) In fact, there are several other rules that you may want to consider enabling in a business setting. A recent blog post by Palantir is an excellent recap of which settings probably will not have any side effects and thus will protect your network better.

I’m sure this will not be the last zero day we will be scrambling to deal with. ASR rules help protect better. If you are not using them now, I recommend you take the time to test and deploy them. Note that Defender must be your antivirus solution. With merely Windows 10 Professional, you can enable ASR and better protect targeted workstations.

Again, I will be providing additional guidance with recommended timing of deployment, should an out-of-band patch show up.



Talk Bubbles Join the conversation! Your questions, comments, and feedback
about this topic are always welcome in our forums!

Susan Bradley is the publisher of the AskWoody newsletters.

The AskWoody Newsletters are published by AskWoody Tech LLC, Fresno, CA USA.

Your subscription:

Microsoft and Windows are registered trademarks of Microsoft Corporation. AskWoody,, Windows Secrets Newsletter,, WinFind, Windows Gizmos, Security Baseline, Perimeter Scan, Wacky Web Week, the Windows Secrets Logo Design (W, S or road, and Star), and the slogan Everything Microsoft Forgot to Mention all are trademarks and service marks of AskWoody Tech LLC. All other marks are the trademarks or service marks of their respective owners.

Copyright ©2022 AskWoody Tech LLC. All rights reserved.