Microsoft ‘Follina’ Office Vulnerability: How To Prevent It
Steven Burke, Jay Fitzgerald
Here are the steps Microsoft and MSP security stalwarts Huntress, ThreatLocker, Sophos and Blackpoint Cyber are recommending to MSPs to prevent the Follina zero-day vulnerability from wreaking havoc.
Sophos, Blackpoint Cyber Recommend Microsoft Workaround To Stop Follina Threat
Security software provider Sophos is recommending that MSPs and users follow Microsoft’s recommendation to disable the MSDT URL protocol.
“A workaround that was quickly agreed upon in the community, and has since been officially endorsed by Microsoft, is simply to break the relationship between ms-msdt: URLs and the MSDT utility,” wrote Sophos Principal Research Scientist Paul Ducklin in a blog post. “This means that ms-msdt: URLs no longer have any special significance, and can’t be used to force MSDT.EXE to run.”
MSPs that discover they cannot “live without” MSDT URLs can always replace the missing registry data later, wrote Ducklin.
“Just for the record, we’ve never even seen an ms-msdt URL before, let alone relied on one, so we had no hesitation in deleting this registry setting on our own Windows computer,” wrote Ducklin.
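The workaround Ducklin describes, as an added PowerShell example that is not from the article, Sophos or Microsoft: it exports the ms-msdt registry key to a backup file before deleting it, reports whether the handler is still registered, and can re-import the backup later if an MSP finds it needs the protocol. The backup path and the Get-MsdtProtocolStatus helper are assumptions; run it from an elevated prompt.

```powershell
# Added example (not the article's or Microsoft's own script): back up and remove
# the ms-msdt: URL protocol handler, or restore it. Backup location is assumed.
[CmdletBinding()]
param(
    [ValidateSet('Status', 'Disable', 'Restore')]
    [string]$Action = 'Status',
    [string]$BackupFile = "$env:ProgramData\ms-msdt-backup.reg"   # assumed path
)

$KeyPath = 'Registry::HKEY_CLASSES_ROOT\ms-msdt'

function Get-MsdtProtocolStatus {
    # Hypothetical helper: report whether ms-msdt: URLs are still wired to MSDT.EXE.
    if (Test-Path $KeyPath) {
        $cmd = (Get-ItemProperty -Path "$KeyPath\shell\open\command" `
                -ErrorAction SilentlyContinue).'(default)'
        [pscustomobject]@{ Registered = $true;  Handler = $cmd }
    } else {
        [pscustomobject]@{ Registered = $false; Handler = $null }
    }
}

switch ($Action) {
    'Status'  { Get-MsdtProtocolStatus }
    'Disable' {
        if (-not (Test-Path $KeyPath)) {
            Write-Output 'ms-msdt protocol is already unregistered.'
            break
        }
        # Export first so the key can be put back if something relies on it later.
        & reg.exe export 'HKEY_CLASSES_ROOT\ms-msdt' $BackupFile /y | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "Backup to $BackupFile failed; key left in place." }
        & reg.exe delete 'HKEY_CLASSES_ROOT\ms-msdt' /f | Out-Null
        Write-Output "Backed up to $BackupFile and removed the ms-msdt handler."
    }
    'Restore' {
        if (-not (Test-Path $BackupFile)) { throw "No backup found at $BackupFile." }
        & reg.exe import $BackupFile
        Write-Output 'ms-msdt handler restored from backup.'
    }
}
```

After `-Action Disable`, `-Action Status` should report `Registered = False`, which is the state in which ms-msdt: URLs no longer launch MSDT.EXE.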
Blackpoint Cyber in a Twitter post also pointed MSPs to the Microsoft workaround.
[1/2] UPDATE: On Sunday, Blackpoint SOC was made aware of a Microsoft zero-day vulnerability that allows code execution in Office products. Now known as CVE-2022-30109 and given a 7.8/10 CVSS rating, Microsoft has released workarounds: https://t.co/SRDl9eeS6N — Blackpoint Cyber (@BlackpointUS) June 1, 2022
In a follow-up tweet, Blackpoint Cyber said the vulnerability impacted Microsoft Office versions 2013, 2016, 2019 and 2021 as well as Professional Plus versions of Office. “We urge partners to review the workaround,” tweeted Blackpoint Cyber.
[2/2] Impacted versions of Office are 2013, 2016, 2019, 2021 as well as Professional Plus versions. We urge partners to review the workaround. — Blackpoint Cyber (@BlackpointUS) June 1, 2022