Follina Vulnerability and What to do About it

The Basic Facts

  • Name: CVE-2022-30190
  • Risk Level: High, Common Vulnerability Scoring System (CVSS) score of 7.3 out of 10, with 10 being the highest risk
  • What it does: Gives threat actors access to the user’s device (desktop and/or server) and opens a channel for them to download malicious software without the user knowing
  • How it works: Exploited when a user opens an MS Office document, or views it in the preview window, which activates malicious code embedded in the file; that code then carries out the attacker’s prescribed actions on the user’s device, limited by the user’s access permissions
  • Remedy: Microsoft released a patch for this vulnerability in an update on 6/14/2022

CVE-2022-30190 was discovered on May 27, 2022 and nicknamed “Follina” later because the sample file referenced “0438,” which is the telephone area code for Follina, Italy. There is no other connection between the threat and the city.

This zero-day vulnerability (i.e., a previously unknown exploit used to abuse a software or hardware flaw and harm users without being noticed or detected until damage is done) allows threat actors such as hackers to access the user’s device when the user opens an Office document or views it in the preview window. From there, code embedded in the document is recognized and executed, giving the attacker remote code execution (RCE): they can make changes to the device according to the calling program (e.g., Word or Excel) and the user’s access privileges. It can also be used to change the user’s, and in effect the hacker’s, network privileges, add Windows accounts, or download ransomware to the user’s device.

PowerShell, a cross-platform tool built on .NET that lets technology professionals run command-line commands or write simple scripts to automate almost anything, has been the main target of CVE-2022-30190. The Microsoft patch is built to prevent PowerShell from being used in this way. That doesn’t mean there won’t be another variant that will need its own patch. We will continue to monitor this vulnerability and take action when necessary.

To make CVE-2022-30190 even more impactful, proof of concept exploit code was shared publicly so anyone could create and distribute a malicious document to take advantage of this vulnerability. IT professionals were key targets, possibly due to their level of access within their respective organizations.

It is not yet known how much this vulnerability has cost businesses and individuals.

How to Defend your Business

Microsoft released a patch to protect customers from CVE-2022-30190 on June 14, 2022. Confirm that this patch has been installed on all devices and download it immediately if it hasn’t been. At this point, it’s as straightforward as that.

Until the patch was released on June 14th, the best method for dealing with this vulnerability was to disable the Microsoft Support Diagnostic Tool (MSDT) URL protocol. MSDT is usually used for good – to automatically collect and send diagnostic information about Windows issues to Microsoft. That same capability is also what could make it an ideal vehicle for an attacker.

If you’re a Platte River Networks customer who didn’t disable the MSDT URL protocol and you’re wondering what happened to your devices and network between May 27th and June 14th, you’ll be happy to hear that Platte River Networks took quick action to keep your business safe by running a script across all applicable endpoints to back up and remove the registry entry.
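The workaround described in the two paragraphs above (removing the ms-msdt URL protocol handler before the patch was available, with a backup taken first so it can be rolled back) can be audited and applied with a short PowerShell script. The script below is an added example written for this article; it is not Platte River Networks’ own endpoint script. It uses the reg.exe export, delete and import commands that Microsoft documented for this workaround; the function names and the backup file location under ProgramData are my own choices.

```powershell
# Added example (not Platte River Networks' script): audit, apply, or roll back the
# pre-patch Follina workaround of removing the ms-msdt URL protocol handler.
# Function names and the backup path below are assumptions, not from the article.

$MsdtKey    = 'HKEY_CLASSES_ROOT\ms-msdt'
$BackupFile = Join-Path $env:ProgramData 'ms-msdt-backup.reg'   # assumed backup location

function Test-MsdtProtocolEnabled {
    # $true when the ms-msdt: URL handler is still registered,
    # i.e. the workaround has NOT been applied on this endpoint.
    return Test-Path -LiteralPath "Registry::$MsdtKey"
}

function Disable-MsdtProtocol {
    # Back up the key first so it can be restored after patching, then remove it.
    # Must run from an elevated session.
    if (-not (Test-MsdtProtocolEnabled)) {
        Write-Output "ms-msdt handler already removed; nothing to do."
        return
    }
    & reg.exe export $MsdtKey $BackupFile /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Backup of $MsdtKey failed; not deleting." }
    & reg.exe delete $MsdtKey /f | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Deletion of $MsdtKey failed." }
    Write-Output "ms-msdt handler removed; backup saved to $BackupFile"
}

function Restore-MsdtProtocol {
    # Re-register the handler from the backup once the June 14, 2022 update is installed.
    if (-not (Test-Path -LiteralPath $BackupFile)) {
        throw "No backup found at $BackupFile; cannot restore."
    }
    & reg.exe import $BackupFile | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Import of $BackupFile failed." }
    Write-Output "ms-msdt handler restored from $BackupFile"
}

# Audit mode: report this endpoint's status without changing anything.
if (Test-MsdtProtocolEnabled) {
    Write-Output "$env:COMPUTERNAME : ms-msdt URL protocol is ENABLED (workaround not applied)"
} else {
    Write-Output "$env:COMPUTERNAME : ms-msdt URL protocol is DISABLED (workaround applied)"
}
```

Run the script as-is to collect a fleet-wide audit of which endpoints still have the handler registered; call Disable-MsdtProtocol from an elevated session to apply the workaround, and Restore-MsdtProtocol to roll it back after the June 14 update has been confirmed installed. The export-before-delete order matters: if the backup fails, nothing is deleted, so the endpoint is never left in a state that cannot be reversed.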

The perennial best practice applies here too – train and remind your teams not to open any files from senders they don’t recognize or that look strange and to report any such files. Follina and many other threats can’t work if no one lets them in the door.

The key to cybersecurity is vigilance and we take that seriously. We understand our customers trust us with some of their most valuable resources and work to ensure that we consistently deliver the protection they need.

Please email david@platteriver.com for more information on cybersecurity.

© Platte River Networks - All Rights Reserved