How to Fix Microsoft “Follina” MSDT Windows Zero-Day Vulnerability

Microsoft has acknowledged a critical zero-day vulnerability in Windows affecting all major versions, including Windows 11, Windows 10, Windows 8.1, and even Windows 7. The vulnerability, tracked as CVE-2022-30190 and nicknamed Follina, allows attackers to remotely execute malware on Windows without triggering Windows Defender or any other security software. Fortunately, Microsoft has shared an official workaround to mitigate the risk. In this article, we detail the steps to protect your Windows 11/10 PCs against this zero-day vulnerability.

Fix MSDT Windows Zero-Day “Follina” Vulnerability (June 2022)

What is the Follina MSDT Windows Zero-Day Vulnerability (CVE-2022-30190)?

Before we discuss the steps to fix the vulnerability, let’s understand what the exploit is all about. Tracked as CVE-2022-30190, the zero-day exploit is related to the Microsoft Support Diagnostic Tool (MSDT). With this exploit, attackers can remotely execute PowerShell commands through MSDT when a user opens a malicious Office document.

“A remote code execution vulnerability exists when MSDT is invoked using the URL protocol from a calling application such as Word. An attacker who successfully exploited this vulnerability can execute arbitrary code with the privileges of the calling application. The attacker can then install programs, display, modify or delete data, or create new accounts within the framework authorized by the user’s rights,” explains Microsoft.

As researcher Kevin Beaumont explains, the attack uses Word’s remote template feature to retrieve an HTML file from a remote web server. It then uses the MSProtocol ms-msdt URI scheme to load code and execute PowerShell commands. As a side note, the exploit was given the name “Follina” because the sample file refers to 0438, the area code for Follina, Italy.

At this point, you might be wondering why Microsoft’s Protected View won’t prevent the document from opening the link. Well, that’s because execution could occur even beyond the scope of Protected View. As researcher John Hammond pointed out on Twitter, the link can be run directly from the Explorer preview pane as a Rich Text Format (.rtf) file.

According to an Ars Technica report, Shadow Chaser Group researchers had brought the vulnerability to Microsoft’s attention as early as April 12. Although Microsoft responded a week later, the company seems to have rejected the report because it could not reproduce the issue on its side. Nevertheless, the vulnerability is now reported as a zero-day, and Microsoft recommends disabling the MSDT URL protocol as a workaround to protect your PC against the exploit.

Is my Windows PC vulnerable to the Follina exploit?

On its security update guide page, Microsoft has listed 41 Windows versions vulnerable to the Follina (CVE-2022-30190) vulnerability. The list includes Windows 7, Windows 8.1, Windows 10, Windows 11, and even Windows Server editions. See the full list of affected versions below:

  • Windows 10 version 1607 for 32-bit systems
  • Windows 10 version 1607 for x64 systems
  • Windows 10 version 1809 for 32-bit systems
  • Windows 10 Version 1809 for ARM64-based systems
  • Windows 10 Version 1809 for x64 systems
  • Windows 10 version 20H2 for 32-bit systems
  • Windows 10 Version 20H2 for ARM64-based systems
  • Windows 10 Version 20H2 for x64 systems
  • Windows 10 version 21H1 for 32-bit systems
  • Windows 10 Version 21H1 for ARM64-based systems
  • Windows 10 Version 21H1 for x64 systems
  • Windows 10 version 21H2 for 32-bit systems
  • Windows 10 Version 21H2 for ARM64-based systems
  • Windows 10 Version 21H2 for x64 systems
  • Windows 10 for 32-bit systems
  • Windows 10 for x64 systems
  • Windows 11 for ARM64-based systems
  • Windows 11 for x64 systems
  • Windows 7 for 32-bit systems Service Pack 1
  • Windows 7 for x64-based Systems Service Pack 1
  • Windows 8.1 for 32-bit systems
  • Windows 8.1 for x64 systems
  • Windows RT 8.1
  • Windows Server 2008 R2 for x64-based Systems Service Pack 1
  • Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
  • Windows Server 2008 for 32-bit Systems Service Pack 2
  • Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
  • Windows Server 2008 for x64-based Systems Service Pack 2
  • Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
  • Windows Server 2012
  • Windows Server 2012 (server core installation)
  • Windows Server 2012 R2
  • Windows Server 2012 R2 (server core installation)
  • Windows Server 2016
  • Windows Server 2016 (server core installation)
  • Windows Server 2019
  • Windows Server 2019 (server core installation)
  • Windows Server 2022
  • Windows Server 2022 (server core installation)
  • Windows Server 2022 Azure Edition Core Patch
  • Windows Server, version 20H2 (server core installation)

Disable MSDT URL protocol to protect Windows against Follina vulnerability

1. Press the Win key on your keyboard and type “Command” or “Command Prompt”. When the result appears, choose “Run as administrator” to open an elevated command prompt window.


2. Before modifying the registry, use the command below to make a backup. This way, you can choose to restore the protocol once Microsoft has rolled out an official fix. Replace <file_path.reg>, angle brackets included, with the path where you want to save the backup .reg file.

reg export HKEY_CLASSES_ROOT\ms-msdt <file_path.reg>

3. Now you can run the following command to disable the MSDT URL protocol. If successful, you will see the text “The operation completed successfully” in the command prompt window.

reg delete HKEY_CLASSES_ROOT\ms-msdt /f

4. To restore the protocol later, you will need to use the registry backup you made in step two. Run the command below and you will have access to the MSDT URL protocol again.

reg import <file_path.reg>
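
The backup, delete and restore steps above, combined into one elevated PowerShell script that refuses to delete the key unless the backup was written (an added example, not part of the original article or Microsoft's guidance). The default backup location and the -Restore switch are assumptions chosen for illustration.

```powershell
# Added example: wraps the article's reg export / reg delete / reg import steps.
# $BackupPath and -Restore are assumptions of this example, not Microsoft's guidance.
param(
    [string]$BackupPath = "$env:SystemDrive\msdt-backup\ms-msdt.reg",
    [switch]$Restore
)

$KeyReg = 'HKEY_CLASSES_ROOT\ms-msdt'   # key named in the workaround
$KeyPs  = "Registry::$KeyReg"           # same key as a PowerShell provider path

# All three operations touch HKEY_CLASSES_ROOT, so require an elevated session.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated (Run as administrator) session.'
}

if ($Restore) {
    # Step 4: re-import the backup taken before the key was deleted.
    if (-not (Test-Path -LiteralPath $BackupPath)) { throw "No backup at $BackupPath" }
    reg.exe import $BackupPath
    if ($LASTEXITCODE -ne 0) { throw "reg import failed (exit code $LASTEXITCODE)" }
    Write-Output "Restored $KeyReg from $BackupPath"
    return
}

if (-not (Test-Path -LiteralPath $KeyPs)) {
    # Already mitigated. Stop before the export so that a second run
    # cannot replace a good backup with an empty or failed one.
    Write-Output "$KeyReg is absent; the MSDT URL protocol is already disabled."
    return
}

# Step 2: export the key and confirm a non-empty backup file exists.
$dir = Split-Path -Parent $BackupPath
if ($dir) { New-Item -ItemType Directory -Path $dir -Force | Out-Null }
reg.exe export $KeyReg $BackupPath /y
$ok = ($LASTEXITCODE -eq 0) -and (Test-Path -LiteralPath $BackupPath) -and
      ((Get-Item -LiteralPath $BackupPath).Length -gt 0)
if (-not $ok) { throw 'Backup failed; the key was NOT deleted.' }

# Step 3: delete the protocol handler, then verify it is really gone.
reg.exe delete $KeyReg /f
if ($LASTEXITCODE -ne 0 -or (Test-Path -LiteralPath $KeyPs)) {
    throw "Failed to delete $KeyReg"
}
Write-Output "Deleted $KeyReg; backup saved to $BackupPath"
```

Run it with no arguments to apply the workaround, and with -Restore to bring the protocol handler back from the saved backup.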

Protect Your Windows PC Against MSDT Windows Zero-Day Vulnerability

So, these are the steps you need to follow to disable the MSDT URL protocol on your Windows PC and block the Follina exploit. Until Microsoft rolls out an official security patch to all versions of Windows, you can use this handy workaround to stay protected against the CVE-2022-30190 Windows Follina MSDT zero-day vulnerability. Speaking of protecting your PC against malware, you may also consider installing dedicated malware removal tools or antivirus software to stay safe from other viruses.