Mike Walters, President and Co-founder of Action1
Last week the infosec community was hit with news about a new Windows 0-day vulnerability, Follina. Although the vulnerability, tracked as CVE-2022-3019, received a CVSS score of 7.8 on a scale of 10, underestimating its danger would be a huge mistake — and here is why.
First of all, the potential scale for exploiting this flaw is shocking — it affects most Windows versions from Windows 7 SP1 to Windows 11, and there are more than 1.4 billion monthly active devices running Windows 10 or Windows 11 alone. Moreover, Follina doesn’t require Office macros to be enabled, doesn’t need elevated privileges to run, and it isn’t detected by Windows Defender.
Follina relates to the Microsoft Diagnostic Tool (MSDT) and enables attackers to execute remote code when a user opens a malicious Word document. While using Protected View will flag the document as possibly malicious, if the document is converted to Rich Text Format (RTF), the vulnerability can be exploited if the user views the file in the Windows Explorer preview pane. The attacker can then install programs; view, change, or delete data; or create new accounts in the context allowed by the user’s rights. Plus, the proof of concept (POC) is publicly available, so every hacker can create an exploit themselves or purchase one on the darknet.
Therefore, mitigating the risk from this vulnerability requires a comprehensive approach.
- Keep all endpoints patched and updated using automated processes.
While no official patch is available, there is a workaround. Microsoft suggests that organizations disable the MSDT URL protocol by running a script on each vulnerable machine.
Implementing these measures, however, can be difficult if IT teams have to manually fix one endpoint after another. Many companies still rely on legacy processes or unwieldy tools for endpoint management, and have many devices located outside of the company’s perimeter. Given that one survey found that about one in four servers, laptops, and desktops are not centrally managed, it’s no surprise that 55% of IT leaders rank lack of automation as their #1 security challenge.
Plus, when Microsoft does release an official patch, IT teams will have to revert the changes they made for the workaround, and then install the new patch, going through the same tedious and error-prone process — giving attackers more time to exploit the vulnerability. All in all, Follina is a good reason to empower your IT team to automate management across both remote and in-office endpoints.
- Educate your users about sophisticated phishing emails.
In addition to technical mitigations, IT teams should also consider the human factor. This sounds obvious — after all, most companies today have some sort of cybersecurity awareness training. Still, it’s vital to remember that many users are not focused on cybersecurity; they consider it an add-on to their primary responsibilities. So repeating the key lessons is essential, especially when a threat as serious as Follina appears.
A simple yet effective measure could be to send a newsletter that explains how to identify a sophisticated phishing campaign, illustrates how exploits work using a recent Windows zero-day as an example, and details how dire the consequences could be.
- Strengthen your security posture against attacks.
Although the two previous strategies will mitigate the risk of successful exploitation significantly, they do not obviate the necessity of having an effective, defense-in-depth security strategy. It is essential to prevent infection from spreading across the organization’s system in case of compromise and to enable quick recovery in the worst-case scenario.
In particular, IT teams should ensure that all the following cyber-resilience measures are in place:
- Next-gen firewalls that allow network traffic only through certain ports and protocols and that monitor traffic and block malicious activity
- Finely tuned spam filters that prevent phishing emails from reaching user mailboxes
- Up-to-date endpoint protection and antivirus software on remote and in-office endpoints that can detect and remove malware that gets into the system
- Network segmentation that prevents malware from spreading across the corporate network
- An intrusion detection and prevention system (IDPS) that can spot and block network attacks
- An incident response plan that has been thoroughly tested and regularly practiced
- A reliable and comprehensive backup and recovery strategy
Follina will test an organization’s entire security strategy, from technologies to processes to people. Indeed, researchers have already found ways to combine Follina with other flaws to create even more effective exploits. Moreover, the issue will not end with a patch for this single vulnerability; new serious flaws will inevitably be discovered. To protect their organizations, IT teams need more than ever to be ready to respond quickly to such challenges, which includes having automated scripting and patching capabilities.
Mike Walters is President and co-founder of Action1 Corporation, which provides remote monitoring and management software. Mike has more than 20 years of experience in cybersecurity. Prior to Action1, Mike co-founded Netwrix, whose visibility platform for cybersecurity and risk mitigation is helping more than 10,000 customers.