Microsoft June Patch Tuesday Fixes ‘Follina’ Zero-Day Vulnerability

Microsoft released a patch for “Follina,” the notorious Microsoft Support Diagnostic Tool (MSDT) zero-day vulnerability, in its June security update.

The zero-day, tracked as CVE-2022-30190, is an MSDT remote code execution flaw affecting all Windows versions that still receive security updates.

“The update for this vulnerability is in the June 2022 cumulative Windows Updates,” says the company in an advisory. “Microsoft strongly recommends that customers install the updates to be fully protected from the vulnerability. Customers whose systems are configured to receive automatic updates do not need to take any further action.”

Successfully exploiting this security flaw could allow threat actors to perform remote arbitrary code execution piggybacking a host app to elevate privileges. Through the calling app, attackers could access and modify data, install programs, and create new user accounts if the compromised user account has clearance.

Security researchers demonstrated that attackers could leverage the Follina vulnerability to download an HTML file through a Word document, which could exploit MSDT to execute code remotely. The zero-day could also evade detection, wouldn’t require macro code to run scripts or execute binaries, and would work without elevated privileges.

Applying this month’s Microsoft security updates won’t prevent attackers from using Microsoft Office to load Windows protocol URI handlers automatically without requiring user interaction. However, it will block PowerShell injection, rendering the attack unusable by disabling its vector.

In other words, Microsoft’s June updates block code injection, but the exploit code will still be able to launch msdt.exe on vulnerable systems.

Until recently, Microsoft provided a workaround to help users prevent Follina attacks, which involved disabling the MSDT URL protocol. This would deter troubleshooters from being launched as links on vulnerable systems.

To protect against Follina, users should apply Microsoft’s new security patches in conjunction with the MSDT-disabling workaround.  This would protect the machine against code injection attempts and prevent attackers from launching the diagnostic tool via infected Word documents.