Broken Windows: ‘Follina’ Flaw not Fixed — For 22 MONTHS

A nasty zero-click, zero-day RCE bug remains unpatched. All supported versions of Windows, plus Windows 7, are affected.

The vulnerability—dubbed Follina after a string in the exploit that looks like an Italian area code—has been assigned CVE-2022-30190. It’s been under active exploitation for at least 25 days, but the technique was first described publicly in August 2020. Microsoft has done diddly-squat about it.

It’s just the latest FAIL from Redmond. In today’s SB Blogwatch, we disconnect the internet.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: How to fix it with regedit.

The Last Straw for Windows Users?

What’s the latest? Lily Hay Newman reports—“Actively Exploited Microsoft Zero-Day Flaw Still Has No Patch”:

Real-world exploitation
The company continues to downplay the severity of the Follina vulnerability … in all supported versions of Windows. [It] can be easily exploited by a specially crafted Word document.

While attackers have primarily been observed exploiting the flaw through malicious documents thus far, [there are] other methods. … Incident responders say that more action is needed, given how easy it is to exploit the vulnerability.

Researchers have … seen malicious documents exploiting Follina with targets in Russia, India, the Philippines, Belarus … Nepal [and] Tibet. … With all this real-world exploitation, the question is whether the guidance Microsoft has published so far is adequate.

Not so fast: U.S. and European government sites are also under attack. So says Proofpoint:

By a state aligned actor
Phishing campaign targeting … European gov & local US gov.

This campaign masqueraded as a salary increase and utilized an RTF … with the exploit payload downloaded from 45.76.53.253. … The downloaded Powershell script was base64 encoded and used Invoke-Expression to download an additional PS script … from seller-notification.live.

[We] suspect this campaign to be by a state aligned actor, based on both the extensive recon of the Powershell and tight concentration of targeting. We do not currently attribute it to a [threat actor].

So it’s a bug in Office? No, it’s a bug in Windows. And one that’s been known about for 22 months, as Steve Gibson explains:

Microsoft’s MSRC blew it off
A bachelor’s thesis authored by … Benjamin Altpeter on August 1st, 2020 [says] “Windows includes the ms-msdt:// [URL] protocol that opens the Microsoft Support Diagnostic Tool which provides the troubleshooting wizard. … This protocol directly passes the string it is given to the msdt.exe program. The attacker now needs to find an included wizard that allows the execution of arbitrary programs. … The program compatibility wizard fits this description: … All user input can also be prefilled from the command line.”

Benjamin’s bachelor’s thesis was nearly two years ago. The reference in it was obscure, it was on page 29, and we’ll never know whether someone saw it and recognized its significance, as he did, or may have independently invented an attack. … Either way, last month on April 12th … Shadowchasing1, an [APT] hunting group, reported the active exploitation of this vulnerability in the wild to Microsoft.

Nine days go by. On April 21st, Microsoft’s MSRC blew it off and closed the ticket, saying that it was not a security-related issue. … This might represent another sample of the pattern that seems to be emerging, where Microsoft increasingly seems to be needing the external security research community to solve all of its problems for it.

Apparently saying, “Hey, [you’re] allowing Word’s remote template feature to retrieve an HTML file from a remote server, which [can] execute some PowerShell,” … is no longer sufficient to get Microsoft’s attention. … So all we can ever do is hope for the best [and] do a:
“reg delete HKEY_CLASSES_ROOT\ms-msdt /f”
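
For the record, here is that workaround done the careful way: back the key up first, so it can be put back when a real fix ships. This is an added example, not Gibson’s, Microsoft’s or 0patch’s code; the backup path is a made-up assumption, and it needs an elevated PowerShell session.

```powershell
# Added example (not Gibson's, Microsoft's or 0patch's code): apply the
# registry workaround for CVE-2022-30190 with a backup, verify it, and
# revert it later. Run from an elevated PowerShell session.
# Assumption: the backup location below is hypothetical; pick your own.
$BackupFile = 'C:\Backup\ms-msdt.reg'
$HandlerKey = 'Registry::HKEY_CLASSES_ROOT\ms-msdt'

function Disable-MsMsdtHandler {
    param([string]$Backup = $BackupFile)

    # Windows 7 (and any host where the handler was already removed) has no
    # ms-msdt key at all, so reg delete would just error out. Check first.
    if (-not (Test-Path $HandlerKey)) {
        Write-Warning 'ms-msdt: protocol handler is not registered; nothing to delete.'
        return $false
    }

    # 1. Export the key so the handler can be restored once a real fix ships.
    New-Item -ItemType Directory -Path (Split-Path $Backup) -Force | Out-Null
    reg.exe export HKEY_CLASSES_ROOT\ms-msdt $Backup /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Backup failed (reg.exe exit $LASTEXITCODE); key left in place." }

    # 2. Remove the handler. Same command as in the quote above; /f skips the prompt.
    reg.exe delete HKEY_CLASSES_ROOT\ms-msdt /f | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Delete failed (reg.exe exit $LASTEXITCODE)." }

    # 3. Verify: $true means an ms-msdt: URL no longer resolves to msdt.exe.
    return -not (Test-Path $HandlerKey)
}

function Restore-MsMsdtHandler {
    param([string]$Backup = $BackupFile)
    if (-not (Test-Path $Backup)) { throw "No backup found at $Backup" }
    reg.exe import $Backup | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Import failed (reg.exe exit $LASTEXITCODE)." }
    return (Test-Path $HandlerKey)
}

# Usage (elevated):
#   Disable-MsMsdtHandler    # returns $true once the key is gone
#   Restore-MsMsdtHandler    # after the official fix is installed
```

Two caveats a practitioner will want: the function refuses to delete anything it could not back up, and it does nothing on a host where the key is already absent (Kolsek notes below that Windows 7 never registers the ms-msdt: handler, which is why the 0patch fix lands in sdiagnhost.exe instead). Removing the handler only breaks ms-msdt: links; per Microsoft’s own guidance the troubleshooters remain reachable from Settings and the Get Help app.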

And there’s still no patch? Not officially. But Mitja Kolsek’s got your back—“Free Micropatches”:

When possible, we want to minimize our impact outside of removing the vulnerability, so we decided to place our patch in sdiagnhost.exe before the RunScript call and check if the user-provided path contains a “$(” sequence — which is necessary for injecting a PowerShell subexpression. If one is detected, we make sure the RunScript call is bypassed while the Diagnostic Tool keeps running. [The] original code [is] relocated to a trampoline.

We also patched Windows 7, where the ms-msdt: URL handler is not registered at all. … Since this is a “0day” vulnerability with no official vendor fix available, we are providing our micropatches for free until such fix becomes available.
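
Kolsek’s “$(” test is also a decent hunting rule. Here it is applied to process-creation command lines (Sysmon Event ID 1 or Security 4688) as an added example; this is not 0patch’s code, and the sample records are constructed, not real telemetry.

```powershell
# Added example (not 0patch's code): the "$(" check from the micropatch, used
# as a hunting rule over process-creation command lines (Sysmon Event ID 1 or
# Security 4688). The sample records below are constructed, not real telemetry.

function Test-FollinaCommandLine {
    param([Parameter(Mandatory)][string]$CommandLine)

    # Only msdt.exe / ms-msdt: invocations are interesting.
    # (-match is case-insensitive in PowerShell.)
    if ($CommandLine -notmatch 'msdt\.exe|ms-msdt:') { return $false }

    # A real wizard launch carries a literal path. "$(" inside the /param
    # string opens a PowerShell subexpression, i.e. the path is being run as code.
    return $CommandLine.Contains('$(')
}

function Get-FollinaVerdict {
    param([string]$ParentImage, [string]$CommandLine)
    $injected   = Test-FollinaCommandLine $CommandLine
    $fromOffice = $ParentImage -match '^(WINWORD|EXCEL|POWERPNT|OUTLOOK)\.EXE$'
    $isMsdt     = $CommandLine -match 'msdt\.exe|ms-msdt:'

    # Office spawning msdt with code in the path is the high-confidence case;
    # either indicator on its own still deserves a look.
    if ($injected -and $fromOffice)               { return 'ALERT'  }
    if ($injected -or ($fromOffice -and $isMsdt)) { return 'REVIEW' }
    return 'ok'
}

# Constructed sample records (parent image + command line).
$Samples = @(
    [pscustomobject]@{ Parent = 'WINWORD.EXE';  CommandLine = 'C:\Windows\System32\msdt.exe ms-msdt:/id PCWDiagnostic /skip force /param "IT_RebrowseForFile=? IT_LaunchMethod=ContextMenu IT_BrowseForFile=$(Write-Host injected)\legacy.exe"' }
    [pscustomobject]@{ Parent = 'explorer.exe'; CommandLine = 'C:\Windows\System32\msdt.exe ms-msdt:/id PCWDiagnostic /skip force /param "IT_BrowseForFile=C:\Tools\legacy.exe"' }
    [pscustomobject]@{ Parent = 'WINWORD.EXE';  CommandLine = 'C:\Windows\System32\msdt.exe -id PCWDiagnostic' }
    [pscustomobject]@{ Parent = 'explorer.exe'; CommandLine = 'C:\Windows\System32\notepad.exe C:\Users\me\report.txt' }
)

foreach ($s in $Samples) {
    [pscustomobject]@{
        Verdict     = Get-FollinaVerdict -ParentImage $s.Parent -CommandLine $s.CommandLine
        Parent      = $s.Parent
        CommandLine = $s.CommandLine
    }
}
```

The first record is the shape of the in-the-wild chain (Word to msdt.exe with a subexpression in IT_BrowseForFile) and is the only one that trips both indicators; the second is a legitimate Program Compatibility Wizard launch with a literal path; the third is Word starting msdt without any injection, which is unusual enough to review but not to page anyone. Like the micropatch, the rule keys on the literal “$(” sequence, so treat it as one signal alongside parent-process checks rather than the whole detection.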

How does Microsoft get so incompetent as to ignore the problem for 22 months and then close the ticket when the inevitable exploits happen? gweihir tries not to be hyperbolic:

At the current complexity they have reached and failed to keep under control, it is probably impossible to fix it. That is not hyperbole, that is how engineering works: At some level of complexity you lose control and you cannot get it back anymore. … That that ship has sailed long ago for the products MS makes.

Hence the current mess, which will not go away. And there are other reasons, none of them speaking well of the people that made and keep MS large and successful.

But Microsoft closed the ticket! MSRC has form, says jeff_w87:

MS says it’s not a problem, but obviously it is. Same for the really old version of log4j that ships with SQL server: MS says it’s not a problem, but it is.

Wish we could … dump all the MS “insecure by default” OS and Applications. Any government … on this planet should ban MS software from running on their networks, especially if it’s a connected system.

This has been going on for decades, says cbf:

Far too many things in the Microsoft world are “active”—i.e., eager to open links, embeds, etc, on your behalf—in so many places and in so many ways. … The intersection of that philosophy and the Internet has been an ongoing 25 year security disaster with no end in sight.

What can be done? 140Mandak262Jamuna just shrugs:

Sensible people do not have the market clout to force MS to do the right thing. … Try to make the best of the situation.

It sucks. … But MS does not care. Its user base does not care. So we need to do what it takes to protect ourselves.

Meanwhile, Nowicki neatly sums up the problem:

0-click, 0-day in a core Windows application. Nice.

And Finally:

Dave deftly demonstrates registry revocation

You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE. 30.

Image sauce: Andreea Popa (via Unsplash; leveled and cropped)

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and CIO.com. Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.

