Defense Digests

Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability

EXECUTIVE SUMMARY

Microsoft Security Center, along with other researchers, has discovered a vulnerability in Microsoft's Support Diagnostic Tool (MSDT), dubbed "Follina". It allows attackers to achieve remote code execution (RCE) with privilege escalation, and it is currently being exploited in the wild. Microsoft released a patch for this vulnerability with the June 2022 cumulative Windows updates.

ID: D3-2022-0005-1

Severity: 7.3 (HIGH)

Published: June 14th, 2022

IMPACT

The remote code execution (RCE) vulnerability is triggered through MSDT by using its URL protocol handler from any Office application that can call it, for example Word. Note that the exploit has to be run locally on the victim's machine. It has the potential for significant impact because of how easy it is to trigger, its ability to bypass Office's "Protected View", and because no fix from Microsoft was available when it was first reported. It affects the following versions of Windows:

  • Windows Server 2012, 2012 R2, 2008, 2008 R2 (32-bit and 64-bit), 2019, 2022, 2022 Azure Edition Core Hotpatch
  • Windows RT 8.1
  • Windows 8.1
  • Windows 7
  • Windows 10
  • Windows 10 version 1607
  • Windows 10 version 21H2
  • Windows 10 version 20H2
  • Windows 11 for ARM
  • Windows 11

DETAILED ANALYSIS

According to Fortinet, the vulnerability lies in "msdt.exe". This tool is normally used to diagnose problems with the Windows OS and then send the details back to Microsoft. The flaw allows threat actors to execute arbitrary code with the same privileges as the application that invokes it: if Word is running with administrator privileges, the threat actor's code runs as an administrator. MSDT can be reached through URLs in Object Linking and Embedding (OLE) objects inside Word documents, Excel spreadsheets, etc. A threat actor could write a macro that leverages OLE to open an embedded malicious URL.

Screenshot 1: OLEs with external link embedded. (Provided by Fortinet)

Screenshot 2: HTML document invoked by MSDT. (Provided by Fortinet)

Screenshot 3: Decoded PowerShell command inside HTML payload invoked by MSDT. (Provided by Fortinet)
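The delivery pattern described above and shown in Screenshot 1 (an OLE object in the document whose target is an external URL, or a target that uses the ms-msdt: handler) can be checked for without opening the file, because a .docx is a zip archive and every external target is declared in a `.rels` part. The scanner below is an added example written for this digest, not Fortinet's or Dataprise's code; `build_sample_docx` constructs an inert test fixture with a placeholder host, not a working exploit document.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"


def scan_docx(data: bytes) -> list:
    """Return (part, rel_id, target, reason) tuples for relationships that match
    the Follina delivery pattern: an OLE object whose Target is external (Word
    fetches it over the network) or any Target that uses the ms-msdt: handler."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for part in zf.namelist():
            if not part.endswith(".rels"):
                continue  # only relationship parts declare targets
            root = ET.fromstring(zf.read(part))
            for rel in root.iter("{%s}Relationship" % RELS_NS):
                target = rel.get("Target", "")
                external = rel.get("TargetMode", "").lower() == "external"
                if target.lower().startswith("ms-msdt:"):
                    findings.append((part, rel.get("Id"), target, "ms-msdt: protocol handler target"))
                elif external and rel.get("Type") == OLE_TYPE:
                    findings.append((part, rel.get("Id"), target, "OLE object loaded from external URL"))
    return findings


def build_sample_docx(ole_target: str, external: bool) -> bytes:
    """Constructed minimal .docx container holding only the parts the scanner
    reads. It is a test fixture for the detector, not an exploit document."""
    mode = ' TargetMode="External"' if external else ""
    rels = (
        '<?xml version="1.0" encoding="UTF-8"?><Relationships xmlns="%s">' % RELS_NS
        + '<Relationship Id="rId1" Type="%s" Target="%s"%s/>' % (OLE_TYPE, ole_target, mode)
        + "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    # Benign: OLE object embedded inside the package, no network fetch.
    print(scan_docx(build_sample_docx("embeddings/oleObject1.bin", False)))
    # Suspicious: OLE object pulled from a remote HTML page (placeholder host).
    print(scan_docx(build_sample_docx("http://example.invalid/page.html", True)))
```

Run it against a quarantined attachment with `scan_docx(open(path, "rb").read())`; an empty list means no external OLE or ms-msdt target was declared, which rules out this specific vector but not macros or other content.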

The vulnerability is currently being exploited by APT TA413, a hacking group linked to the Chinese nation-state, which is using it to target Tibet. The group sends out Word documents inside .zip files with embedded malicious code. It has impersonated campaigns such as the Women's Empowerment Desk of the Central Tibetan Administration, using the domain "Tibet-gov.web[.]app". This was observed on May 30th.

MITIGATION STEPS

Apply the June 2022 cumulative Windows updates to patch this zero-day vulnerability.

SOURCES

CONTRIBUTING AUTHORS

  • Susan Verdin, Cybersecurity Analyst
  • Daniel Mervis, Cybersecurity Analyst
  • Stephen Jones, Vice President Cybersecurity
