Shortly after Microsoft shared a mitigation for the zero-day MSDT vulnerability, tracked as CVE-2022-30190 and known as Follina, the 0patch team announced that they have released a micropatch. The team stated that the patch doesn't disable MSDT completely but adds sanitization of the user-provided path. The vulnerability is being exploited in the wild and allows attackers to execute malicious code remotely.
We've analyzed CVE-2022-30190 "Follina" vulnerability and found a good place to inject our patch. The patch will not completely disable MSDT protocol handler but just add sanitization of user-provided path that is currently missing in the Windows script. ETA: tomorrow.
— 0patch (@0patch) May 31, 2022
Under attack
The 0patch team stated that if Office is installed on a device, the vulnerability can be exploited through other attack vectors. To deploy the micropatch, users need a 0patch account. The patch is downloaded and applied automatically when the 0patch agent is launched, and no reboot is required. Micropatches were written for:
- Windows 11 v21H2
- Windows 10 v21H2
- Windows 10 v21H1
- Windows 10 v20H2
- Windows 10 v2004
- Windows 10 v1909
- Windows 10 v1903
- Windows 10 v1809
- Windows 10 v1803
- Windows 7
- Windows Server 2008 R2
Meanwhile, security firms are identifying threat groups exploiting the vulnerability. Proofpoint stated that the Chinese TA413 hacker group is exploiting the vulnerability to attack Tibetan diaspora dissidents. MalwareHunterTeam also reported finding malicious documents with Chinese file names being used to deploy password-stealing trojans. CISA also urged admins to apply Microsoft's mitigation as soon as possible.