
Overview

A new zero-day vulnerability, CVE-2022-30190, aka ‘Follina’, has been discovered that allows exploitation of the Windows Support Diagnostic Tool (MSDT).

Successful exploitation allows an attacker to run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights.

Recommended Action

A fix for this vulnerability has not yet been developed, so we advise even greater caution when dealing with documents from unreliable sources.

In the meantime, Microsoft recommends a workaround and attention to Microsoft Defender settings. This is only a temporary measure, and you should install an update that closes the Follina vulnerability as soon as it becomes available.

The Workaround

  • Disabling the MSDT URL protocol prevents troubleshooters from being launched as links (including links throughout the operating system):
  1. Run Command Prompt as Administrator.
  2. To back up the registry key, execute the command “reg export HKEY_CLASSES_ROOT\ms-msdt filename”.
  3. Execute the command “reg delete HKEY_CLASSES_ROOT\ms-msdt /f”.
  • How to undo the workaround:
  1. Run Command Prompt as Administrator.
  2. To restore the registry key, execute the command “reg import filename”.
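
The workaround steps above can be scripted so that the key is deleted only after a usable backup exists. This is an added example, not Microsoft's own script; the backup path and the Test-MsdtHandler helper are assumptions chosen for illustration.

```powershell
#Requires -RunAsAdministrator
# Added example, not Microsoft's script: the page's workaround with safety checks.
param(
    # Hypothetical backup location; choose a path you control.
    [string]$BackupPath = "$env:USERPROFILE\ms-msdt-backup.reg"
)

$Key = 'HKEY_CLASSES_ROOT\ms-msdt'

function Test-MsdtHandler {
    # reg query exits 0 when the key exists and 1 when it does not.
    & reg.exe query $Key *> $null
    return ($LASTEXITCODE -eq 0)
}

if (-not (Test-MsdtHandler)) {
    Write-Output "ms-msdt is not registered; there is nothing to delete."
    return
}

# Back up first (step 2). /y overwrites an older export without prompting.
& reg.exe export $Key $BackupPath /y *> $null
$backupOk = ($LASTEXITCODE -eq 0) -and (Test-Path -LiteralPath $BackupPath) -and
            ((Get-Item -LiteralPath $BackupPath).Length -gt 0)
if (-not $backupOk) {
    throw "Backup to '$BackupPath' failed; the key was left untouched."
}

# Delete the protocol handler (step 3).
& reg.exe delete $Key /f *> $null
if ($LASTEXITCODE -ne 0) {
    throw "reg delete failed with exit code $LASTEXITCODE."
}

# Confirm the handler is gone before reporting success.
if (Test-MsdtHandler) {
    throw "ms-msdt is still registered after deletion."
}
Write-Output "ms-msdt removed. To undo: reg import `"$BackupPath`""
```

Keep the exported .reg file until the update is installed, since it is the only input to the undo step.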

Microsoft Defender Settings

  • Customers with Microsoft Defender Antivirus should turn on cloud-delivered protection and automatic sample submission.

Further information and guidance can be found at the Microsoft Security Response Center.

If you have any concerns, or have been affected by a cyber-related issue, report it to us by submitting a Cyber Concerns Online Reporting Form.
