What is Follina about?
Microsoft has confirmed what has become known as the Follina vulnerability, CVE-2022-30190, a remote code execution (RCE) flaw in the Microsoft Support Diagnostic Tool (MSDT) that is triggered “when MSDT is invoked using the URL protocol from an application such as Word.” In its analysis, security firm Huntress expects the vulnerability to be exploited on a larger scale in the coming days.
According to Microsoft, an attacker who successfully exploits the vulnerability can execute arbitrary code with the privileges of the calling application. What makes it so dangerous is that neither enabled macros nor an opened Office application are required for an infection: the malicious document references an external OLE object that loads an HTML page, and that page invokes the ms-msdt: URL handler. With the RTF variant it is enough for the downloaded file to be rendered in the preview pane of Windows Explorer.
Far-reaching consequences of infection
If a computer is infected, the attacker can “install programmes, view, change or delete data, or create new accounts in the context allowed by the user’s privileges,” Microsoft explains. Microsoft also points out that chaining of vulnerabilities is conceivable: a vulnerability such as Follina is used to gain a foothold on the computer, and further vulnerabilities are then used, for example, to escalate privileges.
How can you protect yourself?
Microsoft advises disabling the MSDT URL protocol as a workaround. To do this, start a command prompt as administrator, back up the registry key HKEY_CLASSES_ROOT\ms-msdt with reg export, and then delete it with reg delete; the backup allows the key to be restored with reg import once a patch has been installed. Microsoft also recommends that customers running Microsoft Defender Antivirus turn on cloud-delivered protection and automatic sample submission.
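The workaround as an elevated PowerShell script, added here as an example (it is not part of the NoSpamProxy article or of Microsoft's guidance text). It wraps Microsoft's two reg.exe commands with an elevation check, a verification step and a hint for restoring the key; the backup path C:\msdt-backup.reg is an assumed placeholder.

```powershell
# Added example: apply the MSRC workaround for CVE-2022-30190 (disable the ms-msdt: URL handler).
# Assumption: $BackupFile is a placeholder path; change it to suit your environment.
$BackupFile = 'C:\msdt-backup.reg'
$KeyPath    = 'Registry::HKEY_CLASSES_ROOT\ms-msdt'

# 1. Deleting a key under HKEY_CLASSES_ROOT requires an elevated session; refuse otherwise.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated (Administrator) PowerShell session.'
}

# 2. Nothing to do if the handler has already been removed.
if (-not (Test-Path $KeyPath)) {
    Write-Host 'HKCR\ms-msdt is already absent; nothing to do.'
    return
}

# 3. Back up the key first (Microsoft's first command), then delete it (the second command).
reg.exe export HKEY_CLASSES_ROOT\ms-msdt $BackupFile /y
if ($LASTEXITCODE -ne 0) { throw 'Backup of HKCR\ms-msdt failed; the key was NOT deleted.' }

reg.exe delete HKEY_CLASSES_ROOT\ms-msdt /f
if ($LASTEXITCODE -ne 0) { throw 'Deleting HKCR\ms-msdt failed.' }

# 4. Verify: with the handler gone, an ms-msdt: URL no longer launches msdt.exe.
if (Test-Path $KeyPath) { throw 'HKCR\ms-msdt is still present after deletion.' }
Write-Host "Removed HKCR\ms-msdt. Backup saved to $BackupFile."
Write-Host "To undo after patching: reg.exe import $BackupFile"
```

The export is deliberately done before the delete and the delete is skipped if the export fails, so the workaround is always reversible. Keep the .reg file until the system has received the fix for CVE-2022-30190, then import it to restore the diagnostic tool's URL handler.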
Protection against Follina by NoSpamProxy
Content Disarm and Reconstruction (CDR) disarms Word and Excel files
NoSpamProxy customers benefit from the integrated PDF conversion, also called Content Disarm and Reconstruction (CDR), which converts Microsoft Word and Microsoft Excel documents as well as PDF documents into harmless PDF files. The converted PDF contains no macros, OLE objects or external links, so any malicious code in the original is removed. The PDF file can then be used without hesitation, and the original file can either be left attached to the email or removed.
The content filter blocks other dangerous formats
As far as is currently known, all Office formats as well as RTF files are affected by the vulnerability. This includes Word (e.g. DOC, DOCX, DOCM and DOTM), Excel (e.g. XLS, XLSX, XLSM and XLTM) and PowerPoint (e.g. PPT, PPTX, POTX and PPTM) formats.
We strongly recommend that you configure the content filter in NoSpamProxy in such a way
- that attachments in the affected file formats are moved to the web portal and remain there until manual release or
- that attachments in the affected file formats are removed or the entire email is rejected.
For attachments in RTF format, we strongly recommend removing the attachment or rejecting the email: RTF files are not covered by the PDF conversion, and the RTF variant of the attack executes as soon as the file is shown in the preview pane.
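A lightweight triage check that complements the content filter, added here as an example (this is not NoSpamProxy code). It inspects attachments of the affected formats for the indicators described above: an OOXML relationship of type oleObject whose target is external (the remote HTML page a Follina document loads), any occurrence of the ms-msdt: scheme, and, as a heuristic for RTF, auto-updating linked OLE objects. The sample documents are constructed in the script and are inert skeletons, not real exploit files; the attacker.invalid host name is a placeholder.

```python
import io
import re
import zipfile

# OOXML relationship type used for embedded and linked OLE objects.
OLE_REL_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
REL_TAG = re.compile(r"<Relationship\b[^>]*>", re.IGNORECASE)
ATTR = re.compile(r'(\w+)="([^"]*)"')
MSDT_SCHEME = re.compile(rb"ms-msdt:", re.IGNORECASE)
# Heuristic: RTF control words for linked OLE objects that refresh when the file is loaded/previewed.
RTF_AUTOLINK = re.compile(rb"\\obj(autlink|update)\b")

OOXML_EXTENSIONS = (".docx", ".docm", ".dotm", ".xlsx", ".xlsm", ".xltm", ".pptx", ".potx", ".pptm")


def scan_ooxml(data: bytes) -> list[str]:
    """Scan a DOCX/XLSX/PPTX container; an empty list means nothing suspicious was found."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            content = zf.read(name)
            if name.endswith(".rels"):
                for rel in REL_TAG.findall(content.decode("utf-8", errors="replace")):
                    attrs = {k.lower(): v for k, v in ATTR.findall(rel)}
                    external = attrs.get("targetmode", "Internal").lower() == "external"
                    if attrs.get("type") == OLE_REL_TYPE and external:
                        findings.append(f"{name}: external OLE link -> {attrs.get('target')}")
            if MSDT_SCHEME.search(content):
                findings.append(f"{name}: contains ms-msdt: URL scheme")
    return findings


def scan_rtf(data: bytes) -> list[str]:
    """Scan an RTF file for auto-updating linked objects and the ms-msdt: scheme."""
    findings = []
    if RTF_AUTOLINK.search(data):
        findings.append("rtf: auto-updating linked OLE object (\\objautlink/\\objupdate)")
    if MSDT_SCHEME.search(data):
        findings.append("rtf: contains ms-msdt: URL scheme")
    return findings


def scan_attachment(filename: str, data: bytes) -> list[str]:
    """Dispatch on the attachment's extension; unknown types are reported as unscanned."""
    lower = filename.lower()
    if lower.endswith(OOXML_EXTENSIONS):
        return scan_ooxml(data)
    if lower.endswith(".rtf"):
        return scan_rtf(data)
    return [f"{filename}: format not scanned by this check"]


# --- Constructed, inert sample inputs (no payload, no working exploit) ---
RELS_HEAD = ('<?xml version="1.0" encoding="UTF-8"?>'
             '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">')
BENIGN_RELS = RELS_HEAD + (f'<Relationship Id="rId1" Type="{OLE_REL_TYPE}" '
                           'Target="embeddings/oleObject1.bin"/></Relationships>')
SUSPECT_RELS = RELS_HEAD + (f'<Relationship Id="rId1" Type="{OLE_REL_TYPE}" '
                            'Target="http://attacker.invalid/page.html" TargetMode="External"/></Relationships>')
BENIGN_RTF = b"{\\rtf1 Just a letter.}"
SUSPECT_RTF = b"{\\rtf1{\\object\\objautlink\\objupdate{\\*\\objdata 0102}}}"


def build_sample_docx(rels_xml: str) -> bytes:
    """Build a minimal DOCX skeleton (constructed for this example) with the given relationships part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


if __name__ == "__main__":
    samples = {
        "report.docx": build_sample_docx(BENIGN_RELS),
        "invoice.docx": build_sample_docx(SUSPECT_RELS),
        "notes.rtf": BENIGN_RTF,
        "offer.rtf": SUSPECT_RTF,
    }
    for fname, blob in samples.items():
        print(fname, "->", scan_attachment(fname, blob) or "clean")
```

The check is a triage aid, not a replacement for quarantining the affected formats: a document that loads its payload only at runtime shows nothing more than the external relationship, which is exactly why that relationship is the indicator worth flagging.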