How to fix “Follina” MSDT exploit

What is “Follina” MSDT exploit

Update: 0patch.com team developed a series of micropatches to fix “Follina” MSDT exploit and patches for other Windows stability and security issues. Please, read more in this article or on the official website.

Quite recently, hackers found a new Windows vulnerability to aid the penetration of systems with malware. The exploit is inherently related to MSDT (Microsoft Support Diagnostic Tool) and allows cybercriminals to perform various actions by deploying commands through the PowerShell console. It was therefore called Follina and assigned this tracker code CVE-2022-30190. According to some reputable experts who researched this problem, the exploit ends up successful once users open malicious Word files. Threat actors use Word’s remote template feature to request an HTML file from a remote web server. Following this, attackers get access to running PowerShell commands to install malware, manipulate system-stored data as well as run other malicious actions. The exploit is also immune to any antivirus protection, ignoring all safety protocols and allowing infections to sneak undetected.

Microsoft does work on the exploit solution and promises to roll out a fix update as soon as possible. We thus recommend you constantly check your system for new updates and install them eventually. Before that, we can guide you through the official resolution method suggested by Microsoft. The method is to disable the MSDT URL protocol, which will prevent further risks from being exploited until an update appears. As a side note, you can also explore the list of what Windows versions have already been subject to getting exploited so far:

Disable MSDT URL protocol to fix the exploit

Internal Windows features allow the usage of Command Prompt to disable the operation of MSDT URL protocol. Below, we will have to perform a number of copy-paste commands. It will also be important to create a back of Windows Registry to restore the MSDT operation if necessary in the future. The steps written below are almost the same in all Windows systems, so there should not be any problem with that.

1. Click on search loop next to the Start Menu button and type cmd into the search bar.
2. Right-click on it and choose Run as administrator. Agree with the action to proceed.
3. Once you are in the Command Prompt console, copy-paste this command to create a backup file. Before executing the command, replace file_path with the location where you want to save your backup.

reg export HKEY_CLASSES_ROOT\ms-msdt file-path

4. Press Enter and wait a few moments until the backup ends up successfully created.
5. After this, you are ready to disable the protocol itself. Copy and paste this command and press Enter.

reg delete HKEY_CLASSES_ROOT\ms-msdt /f

6. Once you see a message saying The operation completed successfully, it will mean that the MSDT URL protocol has been disabled and can no longer be exploited.

How to enable the MSDT URL protocol again

Restoring the already disabled MSDT URL protocol is very easy. This can be done after Microsoft rolled out a solution method that rectifies security risks. You will simply have to import the backup file that was created before switching the protocol off.

1. Open the same Command Prompt using the steps listed above.
2. Copy-paste this command and replace file_path with the location where your backup file was saved.

reg import

3. Press Enter and wait until a message about successful completion appears.

Summary

Although the exploit itself may sound intimidating, it is not hard to resolve using a couple of Command Prompt lines. We hope you managed to do this and now feel more protected against future attempts to exploit your system from aside. Triggering malware infections through maliciously-modified macros-based files like Word is, in general, a very popular method abused by attackers. Various viruses like ransomware and trojans can also be distributed through such files in e-mail messages, which once opened, cause irreversible installation of malware. It is therefore important to stay away from unwanted content advertised on dubious pages or e-mail letters, for instance.