Security Bulletin: Microsoft Office’s Follina Vulnerability

What You Need to Know and How to Overcome It

Written by Michelle McGough on June 2, 2022

Well folks, it wouldn’t be a day ending in Y without something new for a JumpCloud admin to do. And more seriously, this is my first JumpCloud blog post, and there’s a reason why I was so inspired to write about this. It’s important.

Something that needs to be on your to-do list today is protecting your business assets from a Windows vulnerability called Follina.

What is Follina?

Follina is a zero-day vulnerability that impacts all versions of Windows. It is a large security gap that has no patch AND it involves remote code execution. This means that the chance of impact is higher than most businesses are willing to risk.

As a former administrator and ally, I invite you to take a few minutes to understand Follina. You are about to realize just how valuable your time really is, and you’ll finish this post wanting to invest a little bit of that time protecting your business from Follina.

How can Follina get access to your business? 

Should you even be concerned? One way the exploit can easily enter your world is through a Word document, likely from a phishing email. So if you don’t close this vulnerability from the get-go, it’s quite likely that someone you work with is going to let Follina in. And just by doing something as mundane as opening an email attachment!

Opening that attachment is exactly what the hacker is hoping for. Once it is opened, the hacker’s exploit will execute code that reaches out to the Internet, downloads a toolkit, and ends up with a remote shell. It will harness an exploit in the Microsoft Diagnostic Tool, or MSDT, which is a legitimate, helpful program…when it isn’t being exploited.

With control over the remote shell, a hacker can do whatever he or she wants. Lovely day ending in Y, isn’t it? This is exactly why we have security training. And it’s also why we patch. Since there is no patch for this exploit, what can you really do about it? 

How to Mitigate Follina with JumpCloud

Microsoft has suggested a workaround that you can apply with help from JumpCloud. And you can use it simply and quickly on all your devices, no matter where they are.

You’re about to disable the Follina exploit. Let’s do this!

Test these instructions on a device or two before you execute on a large scale.

Create and run the following JumpCloud Command:

c:\windows\system32\reg.exe export HKEY_CLASSES_ROOT\ms-msdt c:\windows\Temp\ms-msdt_Reg_Backup
c:\windows\system32\reg.exe delete HKEY_CLASSES_ROOT\ms-msdt /f

The first line of the above command will back up the registry key that gets deleted in the second line. 

The second line of the above will disable the Follina exploit by preventing the hacker from launching MSDT.

Now all you need to do is look at the Command Result Details to validate that the command ran successfully. If the logged result is “The operation completed successfully,” you should be good to go.

If something fails or you need to re-run the tests, be sure to restore the registry key first. You can create another JumpCloud command for the key restore, or you can restore it by running the following from a command prompt as administrator:

C:\windows\system32\reg.exe import c:\windows\Temp\ms-msdt_Reg_Backup
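A re-runnable version of the backup-and-delete step, written as a PowerShell script. This is an added example, not part of the original post and not JumpCloud's or Microsoft's own code. It uses the registry key and backup path from the commands above; the function name, the timestamp suffix and the exit codes are this example's own conventions, and it assumes the script runs elevated.

```powershell
# Added example: back up and remove the ms-msdt protocol handler, safely re-runnable.
# Key and backup path are the ones used on this page; everything else is illustrative.
$Key    = 'HKEY_CLASSES_ROOT\ms-msdt'
$Backup = 'C:\Windows\Temp\ms-msdt_Reg_Backup'
$Reg    = Join-Path $env:SystemRoot 'System32\reg.exe'

function Test-MsdtHandler {
    # reg.exe query exits 0 when the key exists and 1 when it does not.
    & $Reg query $Key *> $null
    return ($LASTEXITCODE -eq 0)
}

if (-not (Test-MsdtHandler)) {
    if (Test-Path -LiteralPath $Backup) {
        Write-Output "Already mitigated: $Key is absent, backup is at $Backup"
        exit 0
    }
    # Key is gone but nothing can restore it: flag the device for review.
    Write-Output "WARNING: $Key is absent and no backup exists at $Backup"
    exit 2
}

# Key is present. Never overwrite an earlier backup; write a timestamped one instead.
if (Test-Path -LiteralPath $Backup) {
    $Backup = "$Backup.$(Get-Date -Format 'yyyyMMddHHmmss')"
}
& $Reg export $Key $Backup
if ($LASTEXITCODE -ne 0 -or -not (Test-Path -LiteralPath $Backup)) {
    # Do not delete a key that could not be backed up.
    Write-Output "ERROR: export failed; leaving $Key untouched"
    exit 1
}

& $Reg delete $Key /f
if ($LASTEXITCODE -ne 0 -or (Test-MsdtHandler)) {
    Write-Output "ERROR: $Key is still present after delete"
    exit 1
}
Write-Output "Mitigated: $Key removed, backup saved to $Backup"
exit 0
```

Running it a second time on an already mitigated device reports the existing backup instead of failing on the export.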

When you’re done, log a record of your steps in a journal or wherever you record your completed custom work. This simple registry edit is an approach you can come back to whenever you need it in the future. 

And hey, remember, your time and skills are valuable. Don’t forget to remind your manager that you used yours to protect the business today! 

Learn more about JumpCloud

The JumpCloud platform connects you to more things and is free for 10 devices and 10 users. You’ll also receive complimentary premium chat support and can ask questions with your peers in our community. Support is available 24×7/365 within the first 10 days of your account’s creation.

Michelle McGough

Michelle McGough is the Principal Product Manager for Windows on the Devices Team here at JumpCloud. With 20 years in Device Management Michelle is a subject matter expert with an emphasis on security and compliance automation. Michelle is a member of Austin Women in Tech and when she’s not working she enjoys volunteering, hiking, and karaoke.
