May 31, 2022

Zero-day vulnerability in Microsoft products

News about this vulnerability is evolving and we will update this post as we gather information.



Overview

A zero-day vulnerability, dubbed “Follina” by a security researcher, allows remote code execution in Microsoft products. It has been actively exploited since April.

On Monday, May 30, 2022, Microsoft issued CVE-2022-30190 for a vulnerability in the Microsoft Support Diagnostic Tool (MSDT) in Windows.

What we’ve learned so far:

  • The vulnerability affects all versions of Windows and Windows Server.
  • As of this writing, no patch has been issued.
  • Microsoft’s guidance for remediation includes a workaround that disables the MSDT URL protocol.
  • Microsoft Defender has been updated with signatures for the attack.
  • The vulnerability has been actively exploited since April.
  • Descriptions of the ultimate payload (the malware that attackers intend to deliver) have varied, and it could plausibly differ depending on how the exploit is leveraged.
  • We will monitor for any new information and update this page accordingly.
  • Awareness that adversaries will try to exploit this and other vulnerabilities through phishing campaigns, along with educating end users about the perils of clicking on links and downloading attachments, remains the best strategy to avoid infection.

Microsoft’s description of the vulnerability:

“A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word. An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights.”

In responding to an April 12th report from Shadow Chaser Group, Microsoft said on April 21 that they didn’t consider the vulnerability to be a threat because the MSDT diagnostic tool required a password before it would execute payloads. On Monday, May 30th, Microsoft reversed that decision and issued CVE-2022-30190 and posted guidance about remediations.

Things to Do (IT Staff)

Because of the potential for widespread, significant cyber attacks, all organizations should apply a patch once it is available. Until then, the following remediations are suggested:

(Note that both of these remediations may have other impacts depending on your specific environment.)

  • Assess the feasibility of disabling the MSDT URL protocol (Microsoft’s suggested workaround).

Microsoft Guidance: Guidance for CVE-2022-30190 Microsoft Support Diagnostic Tool Vulnerability

  • If you use Attack Surface Reduction rules in your environment, activating the rule “Block all Office applications from creating child processes” in Block mode will prevent exploitation.

Microsoft Attack Surface Reduction Rules: https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference
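The following script is an added example, not part of the UW advisory or of Microsoft's guidance pages. It applies the two remediations listed above from an elevated PowerShell session (backing up and then removing the ms-msdt URL protocol handler, and enabling the "Block all Office applications from creating child processes" ASR rule in Block mode), then reports the resulting state so an administrator can confirm both took effect. The backup file location is this example's own choice; the ASR rule GUID is Microsoft's published identifier for that rule.

```powershell
# Added example (not from the UW advisory or Microsoft's guidance): apply and verify
# both remediations for CVE-2022-30190. Run from an elevated PowerShell session.
# Assumption: $BackupFile is an arbitrary location chosen for this example.

#Requires -RunAsAdministrator

$BackupFile = "$env:ProgramData\ms-msdt-backup.reg"   # assumed backup location
$AsrRuleId  = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'  # Block all Office applications from creating child processes

# --- Remediation 1: disable the ms-msdt URL protocol handler (Microsoft's workaround) ---
# The key is exported first so the change can be reverted later with: reg import <BackupFile>
if (Test-Path 'Registry::HKEY_CLASSES_ROOT\ms-msdt') {
    reg export HKEY_CLASSES_ROOT\ms-msdt $BackupFile /y
    if ($LASTEXITCODE -ne 0) { throw "Backup of HKCR\ms-msdt failed; not deleting the key." }
    reg delete HKEY_CLASSES_ROOT\ms-msdt /f
} else {
    Write-Host 'The ms-msdt URL protocol handler is already absent on this host.'
}

# --- Remediation 2: enable the ASR rule in Block mode (only applies where Defender AV is in use) ---
try {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $AsrRuleId `
                     -AttackSurfaceReductionRules_Actions Enabled
} catch {
    Write-Warning "Could not configure the ASR rule (is Microsoft Defender Antivirus active?): $_"
}

# --- Verification: report the state of both remediations ---
$handlerPresent = Test-Path 'Registry::HKEY_CLASSES_ROOT\ms-msdt'

# Find the rule in the configured ASR list; GUIDs are matched case-insensitively (-eq in PowerShell).
$pref     = Get-MpPreference
$asrState = 'Not configured'
for ($i = 0; $i -lt @($pref.AttackSurfaceReductionRules_Ids).Count; $i++) {
    if ($pref.AttackSurfaceReductionRules_Ids[$i] -eq $AsrRuleId) {
        # Action values: 0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn
        $asrState = $pref.AttackSurfaceReductionRules_Actions[$i]
    }
}

[pscustomobject]@{
    MsdtHandlerPresent = $handlerPresent   # expected False after remediation 1
    AsrRuleAction      = $asrState         # expected 1 (Block) after remediation 2
    RegistryBackup     = $BackupFile
}
```

The backup step is deliberately placed before the delete and aborts if the export fails, so the protocol handler can always be restored once a patch is installed. On hosts that do not run Microsoft Defender Antivirus, the ASR portion is reported as a warning rather than treated as an error, matching the advisory's note that the rule only applies where ASR is already in use.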

Recommendations for students, staff, and faculty

There are a few best practices for securing your data and devices that are effective in protecting personal and UW institutional information from vulnerabilities and threats.

  • Be aware that adversaries will try to exploit the vulnerability through phishing campaigns.
  • Update Windows operating systems on your computer each month after Patch Tuesday updates have been released (that’s the 2nd Tuesday of every month), and enable automatic updates.
  • Keep your devices, software, and applications up to date and patched.
  • Use anti-virus software and keep it updated. Members of the UW community can install a free version of Sophos anti-virus for home use and for unmanaged University-owned computers and devices.
  • Don’t click suspicious links, and avoid opening email attachments unless you are expecting them and trust the person who sent them. Review our phishing online training and infographic.
  • Use 2-factor authentication for accounts and opt in to 2FA on the web.
  • Only use trusted networks protected with an appropriately complex password. Use Husky OnNet to connect to campus resources when working remotely and use eduroam for encrypted wireless connections on UW campuses.
  • Review our Security 101 online training and infographic for more tips and resources.

References

Microsoft Security Response Center:

CVE-2022-30190 

Guidance for CVE-2022-30190 Microsoft Support Diagnostic Tool Vulnerability

ArsTechnica: Code execution 0-day in Windows has been under active exploit for 7 weeks

Sophos: Mysterious “Follina” zero-day hole in Office – here’s what to do!

ZDNet: This zero-day Windows flaw opens a backdoor to hackers via Microsoft Word. Here’s how to fix it

Huntress: Rapid Response: Microsoft Office RCE – “Follina” MSDT Attack

Bleeping Computer: Microsoft shares mitigation for Office zero-day exploited in attacks