Windows Users Must Be Aware of a New Found Exploit - Follina

Samrat Dutta

An exploit has been discovered recently that can affect all versions of Windows.

What is the exploit?

According to experts in a report on Wired, this newly found exploit takes advantage of the MSDT (Microsoft Support Diagnostic Tool), a tool that is built into all versions of Windows. It exists to help Microsoft's support team troubleshoot problems for users and can be found easily by searching for “MSDT” in the Home menu of Windows. When a user needs help troubleshooting and calls the support team, the support team gives the user a passcode. When this passcode is entered into the MSDT, it gives the support team access to some information about the user's device and software. The support team can then use that information to locate the problem with the device and guide the user through troubleshooting.

The exploit works through this very tool. It arrives as an MS Word document, some other text document, or even a link file or shortcut which, when opened, leads to a specially crafted URL. This URL is designed to run the MSDT and has the potential to bypass its security checks and the passcode requirement. This gives the malicious exploit access to very sensitive information about the device and the user, which can then be used for malicious purposes. And for anyone wondering, yes, URLs can be used to run applications on your computer. For example, if you open your browser and enter “ms-calculator://”, it will run the calculator on your computer. These URL protocol handlers are registered with Windows by applications when they are installed.

How to save yourself from this exploit?

The exploit is also being called a “0-day exploit”, because it was discovered while no fix for it existed. Hence, as of now, there are no new patches from the team at Microsoft that would solve this issue. However, the team at Microsoft has addressed this topic and published a workaround that lets users avoid this exploit for the time being. This exploit is also called 'Follina'.

The workaround deactivates the protocol that allows URLs to run the MSDT application on a device. This requires editing the registry. The troubleshooting application(s) can still be used from the “Get Help” application in Windows, but URLs would no longer be able to launch them directly.

To disable the protocol, one needs to follow these simple steps:

1) Run Command Prompt as Administrator.

2) To back up the registry key, execute the command “reg export HKEY_CLASSES_ROOT\ms-msdt filename” (where filename is the path of the backup file you want to create).

3) Execute the command “reg delete HKEY_CLASSES_ROOT\ms-msdt /f”

After following these steps and executing these commands, if the command prompt shows that they were executed successfully, then you should be safe. You can also do a little experiment and type “ms-msdt://” in your browser: it will no longer run the MSDT and instead would only perform a search.

In case you want to re-enable the protocol, you can do so by executing the following command:

“reg import C:\filename”, where C:\filename is the path of the backup file you created in step 2.
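The same workaround as a script that checks for the handler, backs it up before removing it, verifies the result, and can restore it later. This is an added example, not the article's or Microsoft's own code; the backup path, the function names and the use of reg.exe from PowerShell are assumptions.

```powershell
# Added example (not from the article): check, back up and remove the ms-msdt
# URL protocol handler, then verify. Run from an elevated PowerShell window.
# Assumption: the backup path below; change it to any writable location.

$KeyPath    = 'Registry::HKEY_CLASSES_ROOT\ms-msdt'
$RegKey     = 'HKEY_CLASSES_ROOT\ms-msdt'
$BackupFile = "$env:ProgramData\ms-msdt-backup.reg"

function Test-MsdtHandlerPresent {
    # $true while the ms-msdt: protocol is still registered (i.e. still exploitable).
    return Test-Path -Path $KeyPath
}

function Disable-MsdtHandler {
    if (-not (Test-MsdtHandlerPresent)) {
        Write-Host 'ms-msdt handler already absent; nothing to do.'
        return
    }
    # Step 2 of the workaround: export the key before touching it (/y overwrites an old backup).
    reg.exe export $RegKey $BackupFile /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'Backup failed; aborting without changes.' }
    # Step 3: delete the key so ms-msdt: URLs no longer launch msdt.exe.
    reg.exe delete $RegKey /f | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'Deletion failed.' }
    Write-Host "Handler removed; backup saved to $BackupFile"
}

function Restore-MsdtHandler {
    # Re-enable the protocol from the backup taken by Disable-MsdtHandler.
    if (-not (Test-Path -Path $BackupFile)) { throw "No backup found at $BackupFile" }
    reg.exe import $BackupFile
    if ($LASTEXITCODE -ne 0) { throw 'Import failed.' }
}

Disable-MsdtHandler
# Verification: the key must be gone, otherwise the workaround is not in effect.
if (Test-MsdtHandlerPresent) { Write-Warning 'ms-msdt handler is still present.' }
else { Write-Host 'Verified: the ms-msdt: protocol is no longer registered.' }
```

Call Restore-MsdtHandler once a patch is installed if the protocol is needed again.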

Additional information and what to learn from this?

This exploit was originally found on April 12th of 2022 and reported to Microsoft, says an article on The Hacker News. The Microsoft team originally looked into the matter and concluded that it was not a real security-related issue, as they were unable to replicate it on their own. Then, in May, a Twitter user found and reported a virus that he came across on a forum for viruses, which had a text file that used this very exploit involving MSDT. After that, Microsoft realised that this was indeed a real security threat, and we can conclude that this exploit was indeed being used in the wild by people with malicious intent. For the time being, Microsoft has not released a patch yet but is expected to do so soon.

From this incident, we learn yet again that the internet is a place full of hostility. Cybercrime is on the rise, and we do not know how many exploits remain undiscovered by ethical researchers. All users must stay wary of such exploits and avoid suspicious links and documents to maintain their safety, because when the time comes, the big corporations might fail to deliver security, and individual safety resides in individual hands.
