0Patch Micro patch against Follina vulnerability (CVE-2022-30190) in Windows

Windows[German]The ACROS Security team around founder Mitja Kolsek has released a micro-patch to close the 0-click Microsoft Diagnostic Tool remote code vulnerability (CVE-2022-30190, Follina). The micro-patch is available for all customers with Windows and the 0patch agent free license. Here is some information about it.


Windows Follina vulnerability (CVE-2022-30190)

A new vulnerability CVE-2022-30190 named Follina in Microsoft Support Diagnostic Tool (MSDT) has been known since the weekend, which can be exploited in Windows in combination with Microsoft Office and Powershell. The vulnerability allows remote code execution when MSDT is invoked via the URL protocol from a calling application such as Word. An attacker who successfully exploits this vulnerability can execute arbitrary code with the privileges of the calling application. The attacker may then be able to install programs, view, modify or delete data, or create new accounts in the context allowed by the user's privileges.

I had published details in the blog posts Follina vulnerabilitiy (CVE-2022-30190): Status, Findings, Warnings & Attacks and Follina: Attack via Word documents and ms-msdt protocol (CVE-2022-30190). A support document Guidance for CVE-2022-30190 Microsoft Support Diagnostic Tool Vulnerability is now available from Microsoft, which also provides guidance on mitigating the vulnerability.

Windows Defender detects attack attempts and blocks them. Nevertheless, there is a risk that the previously unpatched vulnerability will be exploited – only attack attempts have been observed for weeks.

New micro-patch for the vulnerability

After analyzing the vulnerabilities, the team at ACROS Security, which has been providing the 0Patch solution for years, has developed micro-patches for Windows versions that are no longer officially supported and is now making them available to customers. Mitja Kolsek drew attention to this solution via Twitter and sent me a private message regarding it.

0patch for Follina


Details are described in this 0patch blog post from June 1, 2022. Mitja Kolsek and his team have found a way to block attacks via msdt.exe, regardless of how msdt.exe was started, via micro-patch.

(Source: YouTube)

The video shows how the micro-patch works. Since this is a 0-day vulnerability for which no official vendor patch is available, the developers at ACROS Securiy are making the micro-patch available for free via the Free 0Patch agent until such a fix becomes available. The micro-patches were written for:

  1. Windows 11 v21H2
  2. Windows 10 v21H2
  3. Windows 10 v21H1
  4. Windows 10 v20H2
  5. Windows 10 v2004
  6. Windows 10 v1909
  7. Windows 10 v1903
  8. Windows 10 v1809
  9. Windows 10 v1803
  10. Windows 7
  11. Windows Server 2008 R2
  12. Windows Server 2012
  13. Windows Server 2012 R2
  14. Windows Server 2016
  15. Windows Server 2019
  16. Windows Server 2022

Notes on how the 0patch agent, which loads micropatches into memory at an application's runtime, works can be found in blog posts (such as here).

Similar articles
0patch: Fix for Internet Explorer 0-day vulnerability CVE-2020-0674
0patch: Fix for Windows Installer flaw CVE-2020-0683
0patch fix for Windows GDI+ vulnerability CVE-2020-0881
0-day vulnerability in Windows Adobe Type Library
0patch fixes CVE-2020-0687 in Windows 7/Server 2008 R2
0patch fixes CVE-2020-1048 in Windows 7/Server 2008 R2
0patch fixes CVE-2020-1015 in Windows 7/Server 2008 R2
0patch for 0-day RCE vulnerability in Zoom for Windows
Windows Server 2008 R2: 0patch fixes SIGRed vulnerability
0patch fixes CVE-2020-1113 in Windows 7/Server 2008 R2
0patch fixes CVE-2020-1337 in Windows 7/Server 2008 R2
0patch fixes CVE-2020-1530 in Windows 7/Server 2008 R2
0patch fixes Zerologon (CVE-2020-1472) vulnerability in Windows Server 2008 R2
0patch fixes CVE-2020-1062 in Windows 7/Server 2008 R2
0patch fixes CVE-2020-1300 in Windows 7/Server 2008 R2
0patch fixes 0-day vulnerability in Windows 7/Server 2008 R2
0patch fixes CVE-2020-1013 in Windows 7/Server 2008 R2
0patch fixes a Local Privilege Escalation 0-day in Sysinternals PsExec
0patch fixes Windows Installer 0-day Local Privilege Escalation vulnerability
0patch fixes 0-day in Internet Explorer
0patch fixes CVE-2021-26877 in the DNS server of Windows Server 2008 R2
0patch fixes Windows Installer LPE-Bug (CVE-2021-26415)
0Patch provides support for Windows 10 version 1809 after EOL
Windows 10 V180x: 0Patch fixes IE vulnerability CVE-2021-31959
0Patch Micropatches for PrintNightmare Vulnerability (CVE-2021-34527)
0patch fix for new Windows PrintNightmare 0-day vulnerability (Aug. 5, 2021)
0patch fix for Windows PetitPotam 0-day vulnerability (Aug. 6, 2021)
2nd 0patch fix for Windows PetitPotam 0-day vulnerability (Aug. 19, 2021)
Windows 10: 0patch fix for MSHTML vulnerability (CVE-2021-40444)
0patch fixes LPE Vulnerability (CVE-2021-34484) in Windows User Profile Service
0patch fixes LPE vulnerability (CVE-2021-24084) in Mobile Device Management Service
0patch fixes InstallerTakeOver LPE 0-day vulnerability in Windows
0patch fixes ms-officecmd RCE vulnerability in Windows
0patch fixes RemotePotato0 vulnerability in Windows
0patch fixes again vulnerability CVE-2021-34484 in Windows 10/Server 2019
0Patch fixes vulnerabilities (CVE-2022-26809 and CVE-2022-22019) in Windows

Cookies helps to fund this blog: Cookie settings

This entry was posted in Security, Windows and tagged , , . Bookmark the permalink.

One Response to 0Patch Micro patch against Follina vulnerability (CVE-2022-30190) in Windows

  1. Robert-Jan says:

    You can also use the command below to add a registry key that blocks MSDT

    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnostics" /t REG_DWORD /v EnableDiagnostics /d 0 /f

Leave a Reply

Your email address will not be published. Required fields are marked *