Microsoft ‘Follina’ Office Vulnerability: How To Prevent It

Here are the steps Microsoft and MSP security stalwarts Huntress, ThreatLocker, Sophos and Blackpoint Cyber are recommending to MSPs to prevent the Follina zero-day vulnerability from wreaking havoc.

MSPs Rush To Close ‘Follina’ Office Vulnerability

MSPs are moving quickly to implement steps to prevent the Microsoft Office zero-day vulnerability referred to as Follina from being exploited by cybercriminals.

US itek, a Buffalo, N.Y.-based MSP, for example, is implementing a ringfencing update from security software provider ThreatLocker that blocks access to the Microsoft Diagnostics Tool (MSDT), which can be exploited by attackers.

“ThreatLocker is keeping its MSPs ahead of the curve by providing a template to secure new vulnerabilities like Follina within hours of those zero-day vulnerabilities being disclosed,” said Stinner. “Ringfencing and whitelisting have changed the game for us. We no longer have to spend hundreds of hours making changes and updates to every system that we manage to prevent a zero-day vulnerability. With ThreatLocker we have a framework that makes it easy to protect our customers.”

US itek has made ThreatLocker a mandatory requirement for customers, said Stinner. “We have ThreatLocker on every computer we manage so when there is a new exploit we just implement the new policy,” he said.

CNWR, a Toledo, Ohio, MSP, has moved swiftly to remove the Microsoft Diagnostics Tool with Kelvin Tegelaar’s Powershell snippet, said CNWR President Jason Slagle. He expects a Microsoft patch for the vulnerability to be released quickly which his team will implement.

News of the zero-day vulnerability in Microsoft Office first surfaced over the weekend, when Japanese security vender Nao Sec warned of the threat in a tweet.

Interesting maldoc was submitted from Belarus. It uses Word's external link to load the HTML and then uses the "ms-msdt" scheme to execute PowerShell code.

— nao_sec (@nao_sec) May 27, 2022

Among others, Huntress over the holiday weekend issued a “rapid response,” warning that there was no patch yet for the vulnerability and urging people to be “extra vigilant when opening up any attachments, particularly Word documents.”

By Monday, Microsoft confirmed the problem in a blog post, warning of potential dangers, offering extra guidance and urging MSPs and IT administrators to disable Microsoft Diagnostics Tool (MSDT) URL protocol.

In addition, Microsoft advised customers with Microsoft Defender Antivirus to turn-on cloud-delivered protection and automatic sample submission.

Kyle Hanslovan, the CEO of MSP threat researcher Huntress, says he considers ‘Follina,’ as the Microsoft zero-day vulnerability is now being called, a serious enough threat to immediately implement a suggested temporary fix and to warn employees not to open suspicious email attachments.

“This is going to allow hackers to get into your computer more easily if you open a document from somebody untrusted,” he said in an interview with CRN. “Even worse, they’re sometimes using people’s legitimate emails that they’ve already hacked to send an email that looks more trusted. That makes it even harder to identify.”

Microsoft’s Security Response Center, for its part, confirmed that the “remote code execution vulnerability” exists when MSDT is called using the URL protocol from an application such as Microsoft Word.

“An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application,” said Microsoft. “The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights.”

Here are the steps Microsoft, Huntress and ThreatLocker recommend MSPs take to prevent Follina from being exploited by cybercriminals.

Microsoft: Disable The MSDT URL Protocol

Microsoft recommends disabling MSDT URL protocol which prevents “troubleshooters being launched as links including links throughout the operating system.” Here are the three steps Microsoft recommends:

1. Run Command Promptas Administrator.

2. To back up the registry key, execute the command “reg export HKEY_CLASSES_ROOT\ms-msdt filename

3, Execute the command “reg delete HKEY_CLASSES_ROOT\ms-msdt /f”

Microsoft also recommends that MSPs or customers with Microsoft Defender Antivirus “turn on cloud delivered protection and automatic sample submission.” That provides “artificial intelligence and machine learning” capabilities aimed at stopping new and unknown threats.

Microsoft said that if the attack is being launched from a Microsoft Office application Microsoft Office by default “opens documents from the internet in Protected View or Application Guard for Office, both of which prevent the current attack.”

Huntress: Pursue Mitigation Efforts To ‘Limit Your Attack Surface’

MSP threat researcher Huntress- which issued a “rapid response” post for MSPs on the attack- recommended that MSPs using Microsoft Defender’s Attack Surface Reduction activate the rule “Block all Office applications from creating child processes” in Block mode. That step prevents the exploit, said Huntress.

That said, Huntress pointed out that if MSPs are not using ASR they may wish to run the “rule in Audit mode first and monitor the outcome to ensure there’s no adverse impact on end users.”

Another option, said Huntress, is to remove the file type association for MS-MSDT which can be done in the Windows registry HKCR:\ms-msdt or with Kelvin Tegelaar’s PowerShell Snippet.

Taking that step, Huntress said, will effectively prevent the malware from running when a “malicious” Office document is opened. Huntress cautioned that MSPs should make a backup of the registry setting before taking advantage of that mitigation.

With no patch currently available, Huntress recommended cautioning end users” to be extra vigilant when opening up any attachments, particularly Word documents.”

Huntress said the Office vulnerability is “pretty trivial” to reproduce and that it expects “cybercriminals to begin weaponizing” it for initial access immediately by sending emails with the malicious code.

“Huntress is keeping a close eye on the developing threat of a zero-click remote code execution technique used through MSDT (Microsoft Diagnostics Tool) and Microsoft Office utilities, namely Microsoft Word,” wrote Microsoft Threat Researcher John Hammond in a post.”Throughout the next coming days, we expect exploitation attempts in the wild through email-based delivery,”

The zero-day attack “sprung up out of nowhere and there’s currently no patch available,” wrote Hammond.He said the zero-day vulnerability features remote code execution, “which means that once this code is detonated, threat actors can elevate their own privileges and potentially gain “God Mode” access to the affected environment.”

ThreatLocker: Secure Systems ‘As Quickly As Possible,’ Apply Default Ringfencing

Ringfencing and whitelisting software provider ThreatLocker recommended that all customers ensure that they have all their systems “secured as quickly as possible.”

“From initial internal testing, locking down your machines will stop unknown applications from running, however, we also recommend ensuring the default ringfencing policies are applied to your account,” said ThreatLocker in an email to CRN. “For example, the default ringfencing policy for PowerShell blocks access to the internet, apart from specific IP’s that you have chosen. This is a huge step toward stopping PowerShell from being weaponized.”

Threatlocker said it is also updating its suggested office ringfencing policy to also block access to MSDT. That “should stop the attack before MSDT can call any other applications,” said ThreatLocker.

Sophos, Blackpoint Cyber Recommends Microsoft Workaround To Stop Follina Threat

Security software provider Sophos is recommending that MSPs and users follow Microsoft’s recommendation to disable the MSDT URL protocol.

“A workaround that was quickly agreed upon in the community, and has since been officially endorsed by Microsoft, is simply to break the relationship between ms-msdt: URLs and the MSDT utility,” wrote Sophos Principal Research Scientist Paul Ducklin in a blog post. “This means that ms-msdt: URLs no longer have any special significance, and can’t be used to force MSDT.EXE to run.”

MSPs that discover they can not “live without” MSDT URLs can always replace the missing registry data later, wrote Ducklin.

“Just for the record, we’ve never even seen an ms-msdt URL before, let alone relied on one, so we had no hesitation in deleting this registry setting on our own Windows computer,” wrote Ducklin.

Blackpoint Cyber in a Twitter post also pointed MSPs to the Microsoft workaround.

[1/2]UPDATE: On Sunday, Blackpoint SOC was made aware of a Microsoft zero-day vulnerability that allows code execution in Office products. Now known as CVE-2022-30109 and given a 7.8/10 CVSS rating, Microsoft has released workarounds:

— Blackpoint Cyber (@BlackpointUS) June 1, 2022

In a followup Tweet, Blackpoint Cyber said the vulnerability impacted Microsoft Office versions 2013, 2016, 2019 and 2021 as well as Professional Plus versions of Office. “We urge partner to review the workaround,” tweeted Blackpoint Cyber.

[2/2] Impacted versions of Office are 2013, 2016, 2019, 2021 as well as Professional Plus versions. We urge partners to review the workaround.

— Blackpoint Cyber (@BlackpointUS) June 1, 2022