MS-DEFCON 2: Zero days unpatched
By Susan Bradley

Once again, we are faced with several zero days that are plaguing Office and Windows. Accordingly, I am raising the MS-DEFCON alert level to 2. At this time, the vulnerabilities are being used in targeted attacks and in attacks that are more probing in nature (probes test the ability of the attack to get in but don’t take action). So far, we have not seen widespread attacks, but there are some ways you can proactively protect yourself.

“Follina” is a Microsoft Office flaw that is being tracked by Microsoft as CVE-2022-30190. Researcher Kevin Beaumont tweeted about this in May, describing it as a misuse of the Microsoft Support Diagnostic Tool (MSDT). The exploit is activated when the victim opens a malicious document. With Follina, the file preview appears in Explorer, and Protected View is not triggered while the exploit is executed. Attackers can exploit this vulnerability to gain privilege escalation on a system and gain “god mode” access to the impacted system.

Office Pro Plus, Office 2013, Office 2016, Office 2019, and Office 2021 are impacted by the flaw.

If you set the Defender Attack Surface Reduction (ASR) rule to block Office from creating child processes, the vulnerability will be kept at bay. I prefer using the ASR GUI tool. Download the exe file, run it, and choose Block Office from creating child processes. Alternatively, use the Windows command line (run as administrator) to execute registry actions. This one disables the troubleshooting wizards:

This one disables search:
For complete details, see my Zero day in Office – but don’t panic post, and see the follow-ups in the forum topic.

Consumer and Home users looking for an update?
This month is a “late” patching month because security updates come out on the second Tuesday of the month. That means more than two weeks will have elapsed since the first notifications about this problem. As of this alert, we don’t know whether Microsoft will deploy an out-of-band update or wait until June 14, Patch Tuesday. We will issue an alert if an out-of-band update is released.

In the meantime, your only option is to download a free fix for Follina from 0patch. It has fixes for Windows 11 21H2; Windows 10 versions 21H2, 21H1, 20H2, 2004, 1909, 1903, 1809, and 1803; Windows 7; and Windows Server 2008 R2. If you’re new to 0patch, create a free account in 0patch Central, then install and register 0patch Agent. Everything else will happen automatically. No computer reboot will be needed. See details in our Knowledge Base post Installing and using 0patch.

Because I don’t see any indication of widespread use of this attack, I consider the risk to consumers very low. If an out-of-band patch is issued, I’ll reassess and let you know.

Business users
For business users, I recommend that you deploy ASR rules and keep them on. (More on ASR rules here.) In fact, there are several other rules that you may want to consider enabling in a business setting. A recent blog post by Palantir is an excellent recap of which settings probably will not have any side effects and thus will protect your network better.

I’m sure this will not be the last zero day we will be scrambling to deal with. ASR rules help protect better. If you are not using them now, I recommend you take the time to test and deploy them. Note that Defender must be your antivirus solution. Even with just Windows 10 Professional, you can enable ASR and better protect targeted workstations. Again, I will be providing additional guidance with recommended timing of deployment, should an out-of-band patch show up.
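As an added example (not from the alert above or from AskWoody), here is one way an administrator could apply the two mitigations the alert describes, the ASR child-process rule and the registry changes, from an elevated PowerShell session with a backup taken first. It assumes Microsoft Defender is the active antivirus, that the rule GUID shown is the “Block all Office applications from creating child processes” rule, that the “disables search” command refers to the search-ms: protocol handler, and that $BackupDir is a path of your choosing.

```powershell
#Requires -RunAsAdministrator
# Assumed backup location for the exported registry keys.
$BackupDir = 'C:\FollinaBackup'
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

# 1. ASR rule "Block all Office applications from creating child processes".
#    Add-MpPreference appends to the existing ASR rule list instead of
#    replacing it, so rules already deployed are left untouched.
$OfficeChildProcRule = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'
Add-MpPreference -AttackSurfaceReductionRules_Ids $OfficeChildProcRule `
                 -AttackSurfaceReductionRules_Actions Enabled

# 2. Remove the ms-msdt: (troubleshooting wizards) and search-ms: (search)
#    protocol handlers. Each key is exported first so the change can be
#    reverted later with: reg import <backup file>
foreach ($Handler in 'ms-msdt', 'search-ms') {
    $Key    = "HKEY_CLASSES_ROOT\$Handler"
    $Backup = Join-Path $BackupDir "$Handler.reg"
    if (Test-Path "Registry::$Key") {
        reg export $Key $Backup /y | Out-Null
        reg delete $Key /f | Out-Null
        Write-Host "Removed $Key (backup: $Backup)"
    } else {
        Write-Host "$Key not present, nothing to do"
    }
}

# 3. Verify the result. Defender reports ASR actions as numbers:
#    0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn.
$Prefs = Get-MpPreference
for ($i = 0; $i -lt $Prefs.AttackSurfaceReductionRules_Ids.Count; $i++) {
    if ($Prefs.AttackSurfaceReductionRules_Ids[$i] -ieq $OfficeChildProcRule) {
        Write-Host "ASR rule action: $($Prefs.AttackSurfaceReductionRules_Actions[$i]) (1 = Block)"
    }
}
foreach ($Handler in 'ms-msdt', 'search-ms') {
    $Present = Test-Path "Registry::HKEY_CLASSES_ROOT\$Handler"
    Write-Host "$Handler handler present: $Present (expected: False)"
}
```

Deleting the ms-msdt key also disables the built-in Windows troubleshooters until the backup is imported again, so keep the .reg files until a patch is installed.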
Susan Bradley is the publisher of the AskWoody newsletters. The AskWoody Newsletters are published by AskWoody Tech LLC, Fresno, CA USA.