UPDATE: 6/15: Microsoft released its latest round of security patches (Patch Tuesday) this week, and with it quietly fixed CVE-2022-30190, better known as Follina.
I say quietly because, as security vendor Sophos points out, Microsoft didn’t bother to list the fix in its patch notes. However, the Microsoft MSRC page for the vulnerability does confirm an update was added on June 14.
That’s very good news, especially considering Follina was already being exploited in the wild by China-backed hackers.
The vulnerability was initially disclosed by @nao_sec via Twitter on May 27:
“The document uses the Word remote template feature to retrieve an HTML file from a remote webserver, which in turn uses the ms-msdt MSProtocol URI scheme to load some code and execute some PowerShell,” researcher Kevin Beaumont explains. “That should not be possible.”
Beaumont reports that attackers can exploit this vulnerability, which he’s dubbed “Follina,” even if Office macros are disabled. Office 2013, 2016, 2019, 2021, and some versions of Office included with a Microsoft 365 license are subject to this vulnerability on both Windows 10 and Windows 11.
Huntress Labs CEO Kyle Hanslovan has shared a proof of concept using a Rich Text File to exploit this vulnerability from the preview pane in Windows 11’s File Explorer:
All of which means this vulnerability provides a way to execute code on a target system with one click—or, as Hanslovan demonstrates, just by previewing the malicious document—using support tools (ms-msdt) and system administration tools (PowerShell) pre-installed on Windows.
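The chain described above has two pieces a defender can look for before a document is ever opened: a Word template relationship that points at a remote web server, and the ms-msdt: protocol handler string in whatever that server returns. The following triage script is an added example, not code from the article or from any of the researchers quoted; it assumes the standard OOXML layout in which Word records the attached template in word/_rels/settings.xml.rels, uses only the Python standard library, and the sample documents it scans are constructed inline.

```python
"""Triage helper: flag Office documents that pull a template over HTTP(S)
and flag fetched content that carries the ms-msdt: URI scheme.

Added example (not from the article). Assumes the OOXML relationship
layout (word/_rels/*.rels); all sample inputs below are constructed.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
MSDT_URI = re.compile(rb"ms-msdt:", re.IGNORECASE)


def contains_msdt_uri(blob: bytes) -> bool:
    """True if a blob (document part, fetched HTML, proxy capture) embeds ms-msdt:."""
    return MSDT_URI.search(blob) is not None


def find_indicators(docx_bytes: bytes) -> list[str]:
    """Return human-readable findings for one .docx (a zip of XML parts)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            data = z.read(name)
            # 1) Relationship parts: an attachedTemplate relationship whose
            #    external target is an http(s) URL means Word will fetch
            #    the template from a web server when the file is opened.
            if name.endswith(".rels"):
                root = ET.fromstring(data)
                for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                    target = rel.get("Target", "")
                    external = rel.get("TargetMode", "").lower() == "external"
                    rtype = rel.get("Type", "").rsplit("/", 1)[-1]
                    if (external and rtype == "attachedTemplate"
                            and target.lower().startswith(("http://", "https://"))):
                        findings.append(f"remote template in {name}: {target}")
            # 2) Any part that already embeds the protocol handler string.
            if contains_msdt_uri(data):
                findings.append(f"ms-msdt: URI in {name}")
    return findings


# --- constructed samples (not real documents) ---------------------------
_RELS = (
    f'<Relationships xmlns="{REL_NS}">'
    '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/'
    'officeDocument/2006/relationships/attachedTemplate" '
    'Target="{target}" TargetMode="External"/>'
    '</Relationships>'
)


def build_sample_docx(template_target: str) -> bytes:
    """Build a minimal .docx whose settings part references a template."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document/>")
        z.writestr("word/settings.xml", "<settings/>")
        z.writestr("word/_rels/settings.xml.rels",
                   _RELS.replace("{target}", template_target))
    return buf.getvalue()


# Benign: a normal local template path. Suspicious: template fetched over HTTP
# from a placeholder host (the article names no server).
SAMPLE_BENIGN = build_sample_docx("Normal.dotm")
SAMPLE_REMOTE = build_sample_docx("http://example.invalid/template.html")
# Constructed stand-in for HTML a remote server might return (placeholder URI).
SAMPLE_HTML = b'<script>window.location.href = "ms-msdt:PLACEHOLDER";</script>'

if __name__ == "__main__":
    for label, blob in (("benign", SAMPLE_BENIGN), ("remote", SAMPLE_REMOTE)):
        print(label, find_indicators(blob) or "no indicators")
    print("fetched html:", contains_msdt_uri(SAMPLE_HTML))
```

The first check is the one worth wiring into mail-gateway or endpoint triage, since a document that loads its template from a web server is unusual in most environments regardless of what the server returns; the second is useful on proxy captures or sandbox output, because the ms-msdt: string typically lives in the fetched HTML rather than in the document itself.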
Twitter user @crazyman_army says they disclosed this vulnerability to Microsoft on April 12, but the company reportedly decided it wasn’t a security issue on April 21.
Beaumont says “Microsoft may have tried to fix this or accidentally fixed it in Office 365 Insider channel, without documenting a CVE or writing it down anywhere,” sometime in May.
Huntress Labs says it expects “exploitation attempts in the wild through email-based delivery” and notes that people “should be especially vigilant about opening any attachments” while Microsoft, antivirus vendors, and the rest of the security community respond to this threat.
Microsoft didn’t immediately respond to a request for comment.