The underlying technique had already been described back in 2020, but on Monday, 05/30/2022, security researchers officially reported the so-called “Follina” remote code execution vulnerability (CVE-2022-30190) in the Microsoft Support Diagnostic Tool (MSDT).
Microsoft Office applications like Word or Excel let a user create a document from a template, and that template can be referenced by an external URL from which it is downloaded when the document is opened. This feature can be abused: an attacker points the external reference to a server under his control, which delivers an HTML document instead of a template. The HTML file contains a script tag (executed on the client) that invokes the Microsoft Support Diagnostic Tool via the ms-msdt URI scheme, and the invocation parameter carries PowerShell code which MSDT then executes.
An unaware user opens the Office document, and at that moment the game is over: the attacker's code runs with the privileges of that user. With a subsequent privilege escalation attack the attacker can gain admin rights and full control over the system. Note: this attack does not rely on macros, so disabling macros does not protect against it.
The easiest way to protect your local machine is to remove the file type association for the ms-msdt URI scheme by deleting its registry key (HKEY_CLASSES_ROOT\ms-msdt). Export the key first so you can restore it later:
If you want to restore the registry key later:
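As an added example that is not part of the original post, the following PowerShell script performs the backup, removal and restore of the ms-msdt handler in one place and refuses to delete the key when the backup fails. It must run in an elevated session; the backup path C:\Backup\ms-msdt.reg is an assumption, pick your own.

```powershell
# Added example (not from the original post): back up, remove and restore the
# ms-msdt URI handler registration. Run in an elevated PowerShell session.
# Assumption: the backup is written to C:\Backup\ms-msdt.reg (choose your own path).

$KeyPath    = 'HKEY_CLASSES_ROOT\ms-msdt'
$BackupFile = 'C:\Backup\ms-msdt.reg'

function Disable-MsMsdtHandler {
    # Export first; only delete the key when the export succeeded, so the
    # change can always be undone later.
    New-Item -ItemType Directory -Path (Split-Path $BackupFile) -Force | Out-Null
    reg.exe export $KeyPath $BackupFile /y
    if ($LASTEXITCODE -ne 0) { throw "Backup of $KeyPath failed; key NOT deleted." }
    reg.exe delete $KeyPath /f
    if ($LASTEXITCODE -ne 0) { throw "Deleting $KeyPath failed." }
}

function Restore-MsMsdtHandler {
    # Re-import the exported key to get the troubleshooter URI handler back.
    if (-not (Test-Path $BackupFile)) { throw "No backup found at $BackupFile." }
    reg.exe import $BackupFile
    if ($LASTEXITCODE -ne 0) { throw "Import of $BackupFile failed." }
}

function Test-MsMsdtHandler {
    # Returns $true while the ms-msdt scheme is still registered, i.e. while a
    # malicious document could still hand a payload to msdt.exe.
    Test-Path "Registry::$KeyPath"
}

Disable-MsMsdtHandler
Test-MsMsdtHandler      # $false after the key has been removed
# Later, once the patch is installed: Restore-MsMsdtHandler
```

Test-MsMsdtHandler is also handy as a quick compliance check across machines, since it only reads the registry and needs no elevation.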
Customers of Microsoft Defender for Endpoint can additionally enable the Attack Surface Reduction rule that blocks Office applications from creating child processes, which stops msdt.exe from being launched by Word or Excel in the first place. You can find details about it in this blog post by Microsoft.
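As an added example (not from the original post or from Microsoft's blog), this script configures that rule with the Defender PowerShell cmdlets. The rule ID D4F940AB-401B-4EFC-AADC-AD5F3C50688A is the published GUID of "Block all Office applications from creating child processes"; the script first switches the rule to audit mode so that legitimate child processes show up as events before the rule is enforced.

```powershell
# Added example (not from the original post): enable the Attack Surface Reduction
# rule "Block all Office applications from creating child processes".
# Requires an elevated session and Microsoft Defender Antivirus as the active AV.

$OfficeChildProcRule = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'

function Set-OfficeChildProcessRule {
    param([ValidateSet('AuditMode', 'Enabled', 'Disabled')][string]$Action)
    Add-MpPreference -AttackSurfaceReductionRules_Ids $OfficeChildProcRule `
                     -AttackSurfaceReductionRules_Actions $Action
}

function Get-OfficeChildProcessRuleState {
    # Returns the configured action: 0 = Disabled, 1 = Enabled, 2 = AuditMode,
    # or $null if the rule has never been configured on this host.
    $pref = Get-MpPreference
    for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
        if ($pref.AttackSurfaceReductionRules_Ids[$i] -eq $OfficeChildProcRule) {
            return [int]$pref.AttackSurfaceReductionRules_Actions[$i]
        }
    }
    return $null
}

# Audit first: review event ID 1122 in the
# "Microsoft-Windows-Windows Defender/Operational" log for add-ins or
# line-of-business tools that spawn processes from Office.
Set-OfficeChildProcessRule -Action AuditMode

# Enforce once the audit events show nothing business-critical.
# Blocked launches are then logged as event ID 1121.
Set-OfficeChildProcessRule -Action Enabled
Get-OfficeChildProcessRuleState     # 1 when enforced
```

Add-MpPreference merges the rule into any ASR rules already configured, so running this on a host that has other rules does not reset them.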
Note: By default, MS Office opens documents from the internet in Protected View or Application Guard for Office, and both prevent the attack as long as the document stays in that mode. However, this offers only limited protection: a user can leave Protected View with a single click on “Enable Editing”, and a variant using an RTF file was reported to trigger from the Windows Explorer preview pane without the document being opened at all.