A recently discovered zero-day vulnerability in the Microsoft Windows Support Diagnostic Tool (MSDT) made headlines over the past few days. CVE-2022-30190, also known as “Follina,” exists when MSDT is invoked through its URL protocol (ms-msdt) from a calling application such as Microsoft Office or Microsoft Word, or via an RTF file. An attacker who exploits this vulnerability gains the ability to run arbitrary code on the targeted system.
Although a patch hasn’t been released yet, Microsoft has provided workarounds and Windows Defender protections for the CVE and malware exploiting this vulnerability. Cisco Talos has also released coverage to protect against this vulnerability, the full details of which are available below.
The most direct workaround is to disable the MSDT URL protocol by launching the command prompt as administrator and running the following commands:
To back up the existing registry values, run “reg export HKEY_CLASSES_ROOT\ms-msdt filename”, where filename is the name of the backup file you will be creating. To implement the workaround, run “reg delete HKEY_CLASSES_ROOT\ms-msdt /f”. To undo the workaround, run “reg import filename”, where filename is the name assigned in the steps above.
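The three commands above, wrapped in a script with the checks an administrator would want before touching HKEY_CLASSES_ROOT. This is an added example, not code from Cisco Talos or Microsoft: it calls reg.exe with the same export, delete /f and import arguments quoted in the post, refuses to delete the key unless the backup file was actually written, confirms the key is gone (or back) afterwards, and exposes the undo step as a -Restore switch. The default backup location under ProgramData is an assumption; any writable path works.

```powershell
<#
  Follina (CVE-2022-30190) MSDT URL-protocol workaround, scripted.
  Added example, not Cisco Talos' or Microsoft's code. It runs the same
  reg.exe commands quoted in the post (export, delete /f, import) and adds
  elevation, backup and verification checks around them.
#>
param(
    [switch]$Restore,
    # Assumed backup location; override with -BackupFile if needed.
    [string]$BackupFile = "$env:ProgramData\ms-msdt-backup.reg"
)

$Key = 'HKEY_CLASSES_ROOT\ms-msdt'

# reg.exe cannot modify HKCR from an unelevated prompt; fail early.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated (administrator) prompt.'
}

function Test-MsdtHandler {
    # $true while the ms-msdt protocol handler key is still registered.
    return Test-Path -Path "Registry::$Key"
}

if ($Restore) {
    # Undo the workaround: reg import <filename>, then confirm the key is back.
    if (-not (Test-Path $BackupFile)) { throw "No backup found at $BackupFile" }
    & reg.exe import $BackupFile | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-MsdtHandler)) {
        throw "reg import did not restore $Key"
    }
    Write-Host "Restored $Key from $BackupFile"
    return
}

if (-not (Test-MsdtHandler)) {
    Write-Host "$Key is not present; workaround already applied or MSDT not registered."
    return
}

# Step 1: back up the existing values (reg export ... /y overwrites an old
# backup without prompting). Stop unless a non-empty .reg file exists, so the
# change stays reversible.
& reg.exe export $Key $BackupFile /y | Out-Null
if ($LASTEXITCODE -ne 0 -or -not (Test-Path $BackupFile) -or
    (Get-Item $BackupFile).Length -eq 0) {
    throw "Backup of $Key to $BackupFile failed; not deleting anything."
}

# Step 2: remove the protocol handler so ms-msdt: URLs no longer launch MSDT.
& reg.exe delete $Key /f | Out-Null
if ($LASTEXITCODE -ne 0 -or (Test-MsdtHandler)) {
    throw "reg delete did not remove $Key"
}
Write-Host "Removed $Key; backup saved to $BackupFile (run with -Restore to undo)."
```

Run it once from an elevated PowerShell prompt to apply the workaround, and again with -Restore once the vendor patch is installed. Keeping the backup file under a path that survives reboots matters more than it looks: without it, the import step has nothing to read and the handler has to be recreated by hand.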
Ongoing exploitation

Cisco Talos is aware of ongoing exploitation in the