MS Office is once again in the spotlight, this time for a zero-day vulnerability that is being actively exploited by Chinese threat actors. This vulnerability, CVE-2022-30190, impacts all Office versions 2013, 2016, 2019 and 2021. It is rated a 7.8 out of 10 in terms of severity.
Office zero-day vulnerability (CVE-2022-30190)
CVE-2022-30190 or Follina is a zero-day vulnerability affecting all versions of Windows from Windows 7/2008 up to the latest, running Office versions 2010 all the way up to the latest version of Microsoft 365. It allows attackers to execute arbitrary code on the target system and take full control of the affected machine.
The flaw is being exploited in the wild by Chinese threat actors, who are using it to target victims in the healthcare and high-tech sectors in the United States. The attacks start with a phishing email that contains a malicious Office document. If the document is opened, it will exploit the CVE-2022-30190 zero-day by utilizing a link in MS Office to deploy malicious code via command line via MSDT and take control of the endpoint or server.
What is a zero-day vulnerability?
Zero-day vulnerabilities are serious security threats that are often exploited by malicious actors. A zero-day is a previously unknown software vulnerability that has not yet been patched or addressed by the software vendor. In many cases, zero-day vulnerabilities are discovered by security researchers and then sold to criminal groups who can exploit them for profit.
Zero-Day Vulnerabilities are critical because they are unknown to the vendor and can be exploited before a patch is released.
How can you protect yourself from zero-day vulnerabilities?
Typically, the the best way to protect yourself from zero-day vulnerabilities is to keep your software up-to-date with the latest security patches. In the case of CVE-2022-30190, there is not yet a patch available. As such, users are advised to exercise caution when opening email attachments, even if they come from a trusted source.
You can also use security software with zero-day protection features to help defend against these threats. These tools use heuristics and other techniques to detect zero-day malware and stop it from infecting your system.
Why are threat actors targeting Office?
Office is a widely used productivity suite and is installed on millions of computers around the world. This makes it an attractive target for attackers who want to exploit its users. Additionally, Chinese threat actors are known for their sophisticated zero-day attacks. They have a history of targeting high-profile organizations and individuals with zero-day vulnerabilities.
What can users do to mitigate CVE-2022-30190?
MSFT issued guidance and recommendations to implement the workarounds suggested here to protect against CVE-2022-30190. For a brief walkthrough, see below.
Disable MSDT URL Protocol.
This is the first workaround recommended in order to prevent troubleshooters from launching as links within Windows. Follow these steps to disable the MSDT URL Protocol.
- On your machine, open up command prompt as Administrator.
- First backup the reg key by running “reg export HKEY_CLASSES_ROOTms-msdt filename”
- Run the command “reg delete HKEY_CLASSES_ROOTms-msdt /f”
If you need to undo the workaround you can run the following command in an elevated command prompt: “reg import filename” (With filename being the file you backed up in step 2 above).
In conclusion, the CVE-2022-30190 zero-day vulnerability is a serious security threat that is being actively exploited by Chinese threat actors. Users are advised to exercise caution when opening email attachments, even if they come from a trusted source. Additionally, security software with zero-day protection features can help defend against these threats. Follow the guidance and recommendations to implement the workarounds suggested here to protect against CVE-2022-30190.
If you need help protecting your business against threats such as Follina, or you see a possible sign of malware on your network, reach out to our team of experts now. We can help you protect your business against cyber threats and alert you to any any security events before they become an issue.