Threat Response – UPDATE: Zero-day vulnerability in Microsoft Office

15-06-2022

Dear reader,

On Tuesday, May 31st, we informed you about a new vulnerability in Microsoft Office, named ‘Follina’ [1]. At the time of that Threat Response, Microsoft had not yet released a patch. As part of Patch Tuesday on June 14th, a patch was released that fixes the vulnerability in the Windows Microsoft Diagnostic Tool (MSDT) [2, 3]. We would like to inform you about the new information and the mitigation steps available. We recommend installing this patch as soon as possible.

Risk

At the time of the previous Threat Response, no party was using this vulnerability on a large scale. Since then, the vulnerability has been part of multiple attacks, including Qbot [4]. Because of this, we still estimate the risk level as high.

Mitigation

Microsoft released a patch fixing the vulnerability in the ms-msdt protocol for Windows and Windows Server. The updates are part of the cumulative monthly updates for Windows. For Windows Server, an additional standalone patch is available as well [3].

We recommend installing these patches as soon as possible, even if the workaround of disabling the ms-msdt handler was applied. It is possible that certain functionality of other Windows applications will not work properly while the handler is disabled [5]. Because of this, we recommend re-enabling this handler after applying the patch.
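
The patch-then-re-enable order above can be checked per host with a short PowerShell script; this is an added example, not code from Northwave or Microsoft. It assumes the workaround was applied as in Microsoft's guidance, by exporting and then deleting the HKEY_CLASSES_ROOT\ms-msdt key. The KB id and the backup path are placeholders to replace with your own values.

```powershell
#Requires -RunAsAdministrator
# Added example. Assumptions (replace before use):
#   $AcceptedKbs - PLACEHOLDER ids: the June 2022 cumulative update for this
#                  Windows build, plus any later cumulative update you accept
#                  (later cumulative updates supersede it and contain the fix).
#   $BackupFile  - hypothetical path of the .reg export that was made before
#                  the ms-msdt key was deleted.
param(
    [string[]]$AcceptedKbs = @('KB0000000'),
    [string]$BackupFile    = 'C:\Temp\ms-msdt-backup.reg'
)

$handlerKey     = 'Registry::HKEY_CLASSES_ROOT\ms-msdt'
$handlerPresent = Test-Path -Path $handlerKey
# Get-HotFix raises an error when no id matches; treat that as "not installed".
$patchInstalled = [bool](Get-HotFix -Id $AcceptedKbs -ErrorAction SilentlyContinue)

# Emit the state as an object so it can be collected from many hosts.
[pscustomobject]@{
    Computer       = $env:COMPUTERNAME
    HandlerPresent = $handlerPresent
    PatchInstalled = $patchInstalled
}

if (-not $patchInstalled) {
    # Never re-enable the handler on an unpatched host.
    if ($handlerPresent) {
        Write-Warning 'ms-msdt handler is enabled and no accepted update was found: install the update.'
    } else {
        Write-Warning 'Workaround is in place but no accepted update was found: install the update first.'
    }
}
elseif ($handlerPresent) {
    Write-Output 'Update installed and ms-msdt handler present: nothing to do.'
}
elseif (-not (Test-Path -Path $BackupFile)) {
    Write-Warning "Update installed, but backup '$BackupFile' was not found: handler not restored."
}
else {
    # Patched and still disabled: restore the handler from the export.
    & reg.exe import $BackupFile
    if ($LASTEXITCODE -eq 0 -and (Test-Path -Path $handlerKey)) {
        Write-Output 'Update installed: ms-msdt handler restored from backup.'
    } else {
        Write-Warning "reg import failed (exit code $LASTEXITCODE): handler not restored."
    }
}
```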

What should you do?

Install the latest updates for Windows and Windows Server.

What will Northwave do?

Northwave will monitor developments around these vulnerabilities. We will reach out to you again if there are important updates, including if the threat posed by this activity increases. If you have any questions or require any additional information, please reach out to us by phone or email.

Phone number: +31 (0)30-303 1244 (during business hours)
E-mail: [email protected]
Do you have an incident right now? Call our CERT number: +31 (0)85 043 7909

Sources

[1]: https://northwave-security.com/threat-response-zero-day-vulnerability-in-microsoft-office/

[2]: https://www.bleepingcomputer.com/news/microsoft/microsoft-june-2022-patch-tuesday-fixes-1-zero-day-55-flaws/

[3]: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-30190

[4]: https://www.bleepingcomputer.com/news/security/qbot-malware-now-uses-windows-msdt-zero-day-in-phishing-attacks/

[5]: https://twitter.com/MalwareJake/status/1531022209011048450

Disclaimer
Northwave has made every effort to make this information accurate and reliable. However, the information provided is without warranty of any kind and its use is at the sole risk of the user. Northwave does not accept any responsibility or liability for the accuracy, content, completeness, legality or reliability of the information provided. We shall not be liable for any loss or damage of whatever nature, direct or indirect, consequential or other, whether arising in contract, tort or otherwise, which may arise as a result of your use of, or inability to use, this information or any additional information provided by us in direct or indirect relation to the information provided here.