Microsoft has finally issued a fix for the recently found Follina zero-day vulnerability (CVE-2022-30190), which has a CVSS score of 7.8, addressing the issues it could bring upon Microsoft users.
Follina is a remote code execution (RCE) vulnerability affecting the Microsoft Support Diagnostic Tool (MSDT). It is exploited through MS Word files that use Word's remote template feature to download and install a malicious HTML payload. Once the HTML file is installed, it allows the threat operators to load and launch PowerShell code on the victim's Windows machine.
The threat operators can then run arbitrary code with the privileges of the user, including installing programs, modifying data, and creating new user accounts. The attack also does not require macros, so victims do not need to be tricked into enabling macros for it to begin.
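One defensive check for the delivery method described above, as an added example that is not from the original article: list the external relationships in a .docx that point at a remote http(s) resource, such as a remote template. The helper names and the in-memory sample document are constructed for illustration; ordinary hyperlinks are skipped because Word only follows them when clicked.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
# Relationship kinds that are external by design and not loaded automatically.
IGNORED_KINDS = {"hyperlink"}


def external_relationships(docx_bytes):
    """Return (part, kind, target) for each remote http(s) relationship."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            # For untrusted files in production, prefer a hardened XML parser
            # such as defusedxml and cap the size of each part before reading.
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(REL_NS + "Relationship"):
                target = rel.get("Target", "")
                kind = rel.get("Type", "").rsplit("/", 1)[-1]
                remote = target.lower().startswith(("http://", "https://"))
                if (rel.get("TargetMode") == "External" and remote
                        and kind not in IGNORED_KINDS):
                    findings.append((name, kind, target))
    return findings


def build_sample(kind, target):
    """Constructed sample: a zip holding a single relationships part."""
    rels = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Relationships xmlns="http://schemas.openxmlformats.org/'
        'package/2006/relationships">'
        f'<Relationship Id="rId1" Type="{OFFICE_REL}/{kind}" '
        f'Target="{target}" TargetMode="External"/>'
        '</Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample("attachedTemplate", "https://example.invalid/t.dotm")
    for part, kind, target in external_relationships(sample):
        print(f"{part}: {kind} -> {target}")
```

A hit is a reason to inspect the document further, not proof of malice, since some organisations legitimately host templates on internal web servers.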
Threat actors have exploited the Follina zero-day vulnerability since its discovery last month to drop payloads like Qbot and AsyncRAT.
Some reported cases of Follina vulnerability abuse include phishing operators targeting the US and European governments through malware-infected RTF documents. The Chinese APT group TA413 was also found exploiting Follina to target the Tibetan diaspora. The Sandworm APT from Russia is also said to have abused the zero-day flaw to attack hundreds of Ukrainian media firms.
Alongside Follina, Microsoft also addressed other remote code execution vulnerabilities, including CVE-2022-30136, CVE-2022-30163, and CVE-2022-30147. These notable critical flaws affect different areas of Windows and could also have a high impact on users and their security if abused by threat actors.
According to Microsoft, CVE-2022-30147, with a CVSS score of 7.8, affects the Windows Installer and lets attackers elevate their access to an administrative level, allowing them to deactivate important security tools and launch their attacks easily. Ransomware operators could also find this flaw exploitable, since they could elevate their access before encrypting highly sensitive files.