Well folks, it wouldn’t be a day ending in Y without something new for a JumpCloud admin to do. And more seriously, this is my first JumpCloud blog post, and there’s a reason why I was so inspired to write about this. It’s important.
Something that needs to be on your to-do list today is protecting your business assets from a Windows vulnerability called Follina.
What is Follina?
Follina (tracked as CVE-2022-30190) is a zero-day vulnerability in the Microsoft Support Diagnostic Tool (MSDT) that affects all supported versions of Windows. As of this writing there is no patch, AND the bug gives an attacker remote code execution. That combination means the chance of impact is higher than most businesses are willing to risk.
As a former administrator and ally, I invite you to take a few minutes to understand Follina. You are about to realize just how valuable your time really is, and you’ll finish this post wanting to invest a little bit of that time protecting your business from Follina.
How can Follina get access to your business?
Should you even be concerned? Yes. The easiest way the exploit enters your world is a Word document, most likely as a phishing email attachment. The document needs no macros, so the usual "don't enable content" advice does not save you. If you don't close this hole from the get-go, it's quite likely that someone you work with is going to let Follina in, just by doing something as mundane as opening an e-mail attachment.
Opening that attachment is exactly what the attacker is hoping for. Once it is opened, the document pulls an HTML file from an attacker-controlled server. That HTML invokes the ms-msdt: URL protocol handler, which launches the Microsoft Support Diagnostic Tool, or MSDT, a legitimate, helpful program when it isn't being abused, with parameters that trick it into running attacker-supplied PowerShell. The typical payload reaches out to the Internet, downloads a tool kit, and ends up handing the attacker a remote shell.
That shell runs with the privileges of the user who opened the file, so the attacker can do whatever that user can do. Lovely day ending in Y, isn't it? This is exactly why we have security awareness training. And it's also why we patch. Since there is no patch for this vulnerability yet, what can you really do about it?
How to Mitigate Follina with JumpCloud
Microsoft has published a workaround, removing the ms-msdt: protocol handler from the registry, that you can roll out with the help of JumpCloud. You can push it simply and quickly to all your Windows devices, no matter where they are.
You’re about to disable the Follina exploit. Let’s do this!
Test these instructions on a device or two before you run them at scale.
Create and run the following JumpCloud Command
c:\windows\system32\reg.exe export HKEY_CLASSES_ROOT\ms-msdt c:\windows\Temp\ms-msdt_backup.reg /y
c:\windows\system32\reg.exe delete HKEY_CLASSES_ROOT\ms-msdt /f
The first line backs up the ms-msdt registry key to c:\windows\Temp\ms-msdt_backup.reg. The /y lets reg.exe overwrite an older backup instead of hanging on a Y/N prompt if you re-run the command.
The second line deletes that key. With the ms-msdt: protocol handler gone, a malicious document can no longer launch MSDT, which is what disables the Follina exploit. The /f suppresses the confirmation prompt, which a non-interactive JumpCloud command cannot answer.
Now look at the Command Result Details to validate that the command ran successfully. reg delete prints "The operation completed successfully" when it removes the key. For a stronger check, run reg query HKEY_CLASSES_ROOT\ms-msdt on the device afterwards: with the workaround in place it should fail with "ERROR: The system was unable to find the specified registry key or value."
If something fails, or you need to re-run your tests, restore the registry key first. You can create another JumpCloud command for the restore, or run the following from a command prompt opened as administrator:
C:\windows\system32\reg.exe import c:\windows\Temp\ms-msdt_backup.reg
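Putting the backup, delete, verify and restore steps above into one script, here is an added example of a JumpCloud Windows command written in PowerShell. It is my own code, not code from the original post, from JumpCloud, or from Microsoft's guidance. It assumes it runs with administrative rights (as JumpCloud commands do), that C:\Windows\Temp is writable, and that the backup path and the $Mode switch are conventions of this example rather than anything JumpCloud defines. It refuses to delete the key if the backup did not land on disk, and it re-checks the registry after each reg.exe call instead of trusting the exit message alone.

```powershell
# Added example (not from the original post). Assumed: runs elevated,
# C:\Windows\Temp is writable; $Mode and $Backup are this example's own choices.
$Mode   = 'Disable'   # set to 'Restore' to put the ms-msdt handler back
$Key    = 'HKEY_CLASSES_ROOT\ms-msdt'
$Backup = 'C:\Windows\Temp\ms-msdt_backup.reg'

function Test-MsdtHandler {
    # The PowerShell Registry provider exposes HKCR, so the check does not
    # depend on parsing reg.exe's text output.
    return (Test-Path "Registry::$Key")
}

if ($Mode -eq 'Disable') {
    if (-not (Test-MsdtHandler)) {
        Write-Output "$Key is already absent; nothing to do."
        exit 0
    }
    # /y overwrites an older backup so a re-run does not block on a Y/N prompt.
    & reg.exe export $Key $Backup /y 2>&1 | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path $Backup)) {
        Write-Output "Backup to $Backup failed; refusing to delete the key."
        exit 1
    }
    # /f removes the key without a confirmation prompt.
    & reg.exe delete $Key /f 2>&1 | Out-Null
    if (Test-MsdtHandler) {
        Write-Output "reg delete ran but $Key still exists."
        exit 1
    }
    Write-Output "Removed $Key; backup saved to $Backup."
    exit 0
}
elseif ($Mode -eq 'Restore') {
    if (-not (Test-Path $Backup)) {
        Write-Output "No backup at $Backup; cannot restore."
        exit 1
    }
    # reg import writes its success line to stderr, hence the redirect.
    & reg.exe import $Backup 2>&1 | Out-Null
    if (-not (Test-MsdtHandler)) {
        Write-Output "reg import ran but $Key is still missing."
        exit 1
    }
    Write-Output "Restored $Key from $Backup."
    exit 0
}
else {
    Write-Output "Unknown mode '$Mode'; expected Disable or Restore."
    exit 1
}
```

A non-zero exit code is what JumpCloud surfaces as a failed command, so every unexpected state exits 1 and the Command Result Details will show which check tripped. Because the script bails out when the key is already gone, it is safe to re-run across a fleet where some devices were already handled.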
When you’re done, log a record of your steps in a journal or wherever you record your completed custom work. Treat this registry edit as a stopgap, not a fix: once Microsoft ships a patch, deploy it. Note that while the key is gone, links that open Windows troubleshooters through the ms-msdt: scheme will not work, so use the restore step above if you need that back afterwards. The same backup-and-delete approach is one you can come back to whenever you need it in the future.
And hey, remember, your time and skills are valuable. Don’t forget to remind your manager that you used yours to protect the business today!
- You can find Microsoft’s workaround and restore method here
- You can also read about how CrowdStrike Falcon protects customers from Follina
Learn more about JumpCloud
The JumpCloud platform connects you to more things and is free for 10 devices and 10 users. You’ll also receive complimentary premium chat support and can ask questions with your peers in our community. Support is available 24×7/365 within the first 10 days of your account’s creation.