
Preventing the Exploitation of CVE-2022-30190 (Follina)

CVE-2022-30190, otherwise known as Follina, is a vulnerability in Microsoft Office that, when exploited, allows arbitrary code to be executed on the target machine through the Microsoft Support Diagnostic Tool (MSDT). ThreatLocker can help protect your environment from this exploitation.

First, we recommend you work with your Solutions Engineer and get your endpoints locked down and secure as quickly as possible.

By default, every computer group automatically includes Ringfenced Policies for powerful and commonly abused Windows tools such as CMD and PowerShell. These policies prevent those tools from communicating with the internet unless you have added exceptions or removed the internet Ringfencing. We recommend you confirm that internet Ringfencing is still applied to these tools. You can also set these Ringfenced Policies to a 'Secured' status so that the Policy is enforced even if a machine is in Learning Mode.


ThreatLocker also recommends that the default Microsoft Office (Ringfenced) Policy be edited to add MSDT.exe to the Application Interaction Ringfencing section. Any new partners will have this automatically added for them. Existing partners will need to add this manually.

Please note: In order for the Application Interaction Ringfencing to work, you need to first create an Application Control Policy to Permit MSDT.exe.

Adding the MSDT Suggested Policy

  • Navigate to Application Control > Policies.
  • Select 'Add Suggested Policies'.
  • Select the checkbox next to the MSDT suggested Ringfencing Policy and click the 'Add Suggested Policy' button at the top of the page.

Editing the Microsoft Office (Ringfenced) Policy

  • Navigate to Application Control > Policies.
  • Find the Microsoft Office (Ringfenced) Policy. Click the Edit Button beside the policy.

  • Scroll down to the Application Interaction tab. Type MSDT into the searchable dropdown to locate the BUILT-IN/msdt.exe (Built-In) application. Then click the 'Add' button to add MSDT to the list of Applications Office is blocked from interacting with.

  • Be sure to click the 'Save' button in the top left-hand corner of the Policy window. Click the 'Deploy Policies' button.

Adding these extra layers of protection helps ensure that even if a malicious .docx file makes its way into your environment, Office is blocked from launching MSDT, and PowerShell or CMD cannot reach out to the internet to download the payload.
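To make the two controls concrete, here is an added example (not ThreatLocker's own code) that applies the same two rules, Office must not launch msdt.exe and CMD/PowerShell must not connect to the internet, to constructed Sysmon-style process and network events. The OFFICE_APPS list, the INTERNAL_NETS definition of "not internet", and the Secured/Learning Mode handling are simplifying assumptions based on the behaviour described above.

```python
"""Model of the two Ringfencing controls described above, run over constructed
Sysmon-style events. Added example code, not ThreatLocker's own logic."""
from collections import namedtuple
from ipaddress import ip_address, ip_network

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
RINGFENCED_SHELLS = {"cmd.exe", "powershell.exe"}
# Assumption: anything outside these ranges counts as "the internet".
INTERNAL_NETS = [ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
# A policy in 'Secured' status is enforced even while the machine is in Learning Mode.
SECURED = {"office_to_msdt": True, "shell_to_internet": True}

# kind: "process_create" (uses parent) or "network_connect" (uses dest_ip)
Event = namedtuple("Event", "kind image parent dest_ip", defaults=("", ""))

def _exe(path):
    return path.rsplit("\\", 1)[-1].lower()

def _is_internet(ip):
    return not any(ip_address(ip) in net for net in INTERNAL_NETS)

def match_rule(e):
    """Return the Ringfencing rule an event trips, or None if it is allowed."""
    if e.kind == "process_create" and _exe(e.image) == "msdt.exe" and _exe(e.parent) in OFFICE_APPS:
        return "office_to_msdt"
    if e.kind == "network_connect" and _exe(e.image) in RINGFENCED_SHELLS and _is_internet(e.dest_ip):
        return "shell_to_internet"
    return None

def evaluate(events, learning_mode=False, secured=SECURED):
    """Map each matching event to (rule, image, action); action is 'block',
    or 'learn' when the machine is in Learning Mode and the policy is not Secured."""
    out = []
    for e in events:
        rule = match_rule(e)
        if rule:
            action = "block" if not learning_mode or secured[rule] else "learn"
            out.append((rule, _exe(e.image), action))
    return out

SAMPLE = [  # constructed telemetry, not from a real incident
    Event("process_create", r"C:\Windows\System32\msdt.exe",
          parent=r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"),
    Event("process_create", r"C:\Windows\System32\msdt.exe", parent=r"C:\Windows\explorer.exe"),
    Event("network_connect", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          dest_ip="203.0.113.10"),
    Event("network_connect", r"C:\Windows\System32\cmd.exe", dest_ip="10.0.0.5"),
]
```

Running `evaluate(SAMPLE)` flags only the Office-spawned msdt.exe and the PowerShell connection to a non-internal address; the user-launched msdt.exe and the internal CMD connection pass, which is the behaviour the two policies above are meant to produce.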