Zero-Day "Follina" Vulnerability in MS Office Products

How am I able to secure my endpoints from this latest Zero-Day vulnerability?

We have more information on our blog here: https://www.automox.com/blog/follina-zero-day 

 

Answer

At the time of writing no patch has been released for this vulnerability (tracked as CVE-2022-30190). Microsoft has published a temporary workaround, disabling the MSDT URL protocol handler by deleting the HKEY_CLASSES_ROOT\ms-msdt registry key, which we recommend applying in the interim until patches are released. The key also backs the ms-msdt: links used by Windows troubleshooters, so keep the exported backup of the key to restore it once the patch is installed.

 

The Automox team has created PowerShell scripts you can use in a Worklet to apply the temporary workaround across your Windows estate. They follow Microsoft's recommended steps: back up the ms-msdt key with reg.exe, then delete it. The evaluation script exits 1 when the key is present (remediation required) and 0 when it is absent; the remediation script only runs on devices that evaluated as non-compliant. Both scripts modify HKEY_CLASSES_ROOT and must run with administrative rights.

 

Worklet Evaluation Code to Remove Registry Key:

#################################################
################ BEGIN MAIN CODE ################
#################################################

# Mount HKEY_CLASSES_ROOT as a PSDrive so Test-Path can address it
New-PSDrive -PSProvider Registry -Name HKCR -Root HKEY_CLASSES_ROOT | Out-Null

# Test for HKCR:\ms-msdt
if (Test-Path -Path "HKCR:\ms-msdt")
{
    # Key found: device is non-compliant, trigger remediation
    Remove-PSDrive HKCR
    Exit 1
}

# Key not found: no remediation needed
Remove-PSDrive HKCR
Exit 0

Worklet Remediation Code to Remove Registry Key:

# Variable used to specify the export location of the registry key. The directory is created if not present.
$regExportdir = "C:\regExport"

#################################################
################ BEGIN MAIN CODE ################
#################################################

# Mount HKEY_CLASSES_ROOT as a PSDrive so Test-Path can address it
New-PSDrive -PSProvider Registry -Name HKCR -Root HKEY_CLASSES_ROOT | Out-Null

# Test for HKCR:\ms-msdt
if (Test-Path -Path "HKCR:\ms-msdt")
{
    # Create the export directory if it does not exist
    if (!(Test-Path $regExportdir))
    {
        New-Item -Path $regExportdir -ItemType Directory | Out-Null
    }

    # Build the arguments for reg.exe (export, overwrite an existing file with /y)
    $regArgs = 'export HKCR\ms-msdt ' + "$regExportdir" + '\ms-msdt.reg /y'

    # Export HKCR:\ms-msdt to $regExportdir so the workaround can be reverted later
    Start-Process -FilePath "$env:Windir\system32\reg.exe" -ArgumentList "$regArgs" -Wait

    # Delete HKCR:\ms-msdt (the MSDT URL protocol handler)
    Start-Process -FilePath "$env:Windir\system32\reg.exe" -ArgumentList "delete HKCR\ms-msdt /f" -Wait

    # Validation: the key must be gone
    if (Test-Path -Path "HKCR:\ms-msdt")
    {
        Write-Output "Failed to delete registry key"
        Remove-PSDrive HKCR
        Exit 5
    }

    Write-Output "Successfully exported key to $regExportdir and deleted HKCR:\ms-msdt"
    Remove-PSDrive HKCR
    Exit 0
}

Write-Output "ms-msdt key is not present on this device"
Remove-PSDrive HKCR
Exit 0

 

Once patches have been released and you have applied them, you can undo the workaround with the following Worklet. The evaluation script exits 1 when the key is absent (restore required) and 0 when it is present; the remediation script re-imports the ms-msdt.reg file exported by the Worklet above and cancels if that backup is missing.

 

Worklet Evaluation Code to Import/Add Registry Key:

#################################################
################ BEGIN MAIN CODE ################
#################################################

# Mount HKEY_CLASSES_ROOT as a PSDrive so Test-Path can address it
New-PSDrive -PSProvider Registry -Name HKCR -Root HKEY_CLASSES_ROOT | Out-Null

# Test for HKCR:\ms-msdt
if (!(Test-Path -Path "HKCR:\ms-msdt"))
{
    # Key not found: device is non-compliant, trigger remediation
    Remove-PSDrive HKCR
    Exit 1
}

# Key found: no remediation needed
Remove-PSDrive HKCR
Exit 0

Worklet Remediation Code to Import/Add Registry Key:

# Variable used to specify the previous export location of the registry key. The script cancels if the export is not present.
$regExportdir = "C:\regExport"

#################################################
################ BEGIN MAIN CODE ################
#################################################

# Mount HKEY_CLASSES_ROOT as a PSDrive so Test-Path can address it
New-PSDrive -PSProvider Registry -Name HKCR -Root HKEY_CLASSES_ROOT | Out-Null

# Test for HKCR:\ms-msdt
if (!(Test-Path -Path "HKCR:\ms-msdt"))
{
    # Cancel if the exported .reg file from the workaround Worklet is missing
    if (!(Test-Path "$regExportdir\ms-msdt.reg"))
    {
        Write-Output "Exported regkey is not present. Cancelling..."
        Remove-PSDrive HKCR
        Exit 0
    }

    # Build the arguments for reg.exe
    $regArgs = 'import ' + "$regExportdir" + '\ms-msdt.reg'

    # Import ms-msdt.reg from $regExportdir, restoring the ms-msdt key
    Start-Process -FilePath "$env:Windir\system32\reg.exe" -ArgumentList "$regArgs" -Wait

    # Validation: the key must be back
    if (!(Test-Path -Path "HKCR:\ms-msdt"))
    {
        Write-Output "Failed to import registry key"
        Remove-PSDrive HKCR
        Exit 5
    }

    Write-Output "Successfully imported key."
    Remove-PSDrive HKCR
    Exit 0
}

Write-Output "Key is already present on this device"
Remove-PSDrive HKCR
Exit 0
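The four Worklet scripts above share one procedure: check for the key, export it, delete it, and later import the export. As an added example (not Automox's or Microsoft's code) the script below folds that procedure into one elevated PowerShell script with a -Action parameter, and adds two checks the Worklets skip: it reads reg.exe's exit code instead of ignoring it, and it refuses to delete the key unless the backup file actually contains the ms-msdt key, so a failed export can never leave you without a way to revert. It assumes the same C:\regExport backup location as the Worklets, reg.exe in System32, and a script file name of your choosing (Set-MsdtWorkaround.ps1 is used in the usage note only as a placeholder).

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the original page. Applies, checks, or reverts
# the ms-msdt workaround for CVE-2022-30190 with exit-code and backup validation.
# Assumptions: backup directory C:\regExport (same as the Worklets above),
# reg.exe under $env:SystemRoot\System32.
[CmdletBinding()]
param(
    [Parameter(Mandatory)][ValidateSet('Check', 'Apply', 'Revert')][string]$Action,
    [string]$BackupDir = 'C:\regExport'
)

$KeyPath    = 'Registry::HKEY_CLASSES_ROOT\ms-msdt'   # provider path; no New-PSDrive needed
$RegKey     = 'HKCR\ms-msdt'                          # reg.exe syntax for the same key
$BackupFile = Join-Path $BackupDir 'ms-msdt.reg'
$RegExe     = Join-Path $env:SystemRoot 'System32\reg.exe'

function Invoke-Reg {
    # Run reg.exe via the call operator (which quotes arguments with spaces) and
    # fail loudly on a non-zero exit code; Start-Process without -PassThru hides it.
    param([string[]]$Arguments)
    & $RegExe @Arguments | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "reg.exe $($Arguments -join ' ') failed with exit code $LASTEXITCODE"
    }
}

function Test-MsdtHandler {
    # $true while the ms-msdt protocol handler is registered (device still exposed).
    return (Test-Path -LiteralPath $KeyPath)
}

function Test-Backup {
    # Only trust a backup that exists and actually contains the ms-msdt key header.
    # reg.exe export writes UTF-16LE with a BOM, which Get-Content decodes correctly.
    if (-not (Test-Path -LiteralPath $BackupFile)) { return $false }
    $text = Get-Content -LiteralPath $BackupFile -Raw
    return ($text -match '(?m)^\[HKEY_CLASSES_ROOT\\ms-msdt\]')
}

switch ($Action) {
    'Check' {
        # Same convention as the Worklet evaluation code: 1 = remediation needed.
        if (Test-MsdtHandler) { Write-Output 'ms-msdt handler present: workaround NOT applied'; exit 1 }
        Write-Output 'ms-msdt handler absent: workaround applied'
        exit 0
    }
    'Apply' {
        if (-not (Test-MsdtHandler)) { Write-Output 'Key already absent, nothing to do'; exit 0 }
        if (-not (Test-Path -LiteralPath $BackupDir)) {
            New-Item -Path $BackupDir -ItemType Directory | Out-Null
        }
        Invoke-Reg @('export', $RegKey, $BackupFile, '/y')
        if (-not (Test-Backup)) {
            throw "Backup at $BackupFile is missing or incomplete; refusing to delete $RegKey"
        }
        Invoke-Reg @('delete', $RegKey, '/f')
        if (Test-MsdtHandler) { Write-Output "Failed to delete $RegKey"; exit 5 }
        Write-Output "Deleted $RegKey; backup written to $BackupFile"
        exit 0
    }
    'Revert' {
        if (Test-MsdtHandler) { Write-Output 'Key already present, nothing to do'; exit 0 }
        if (-not (Test-Backup)) { Write-Output "No usable backup at $BackupFile; cannot revert"; exit 5 }
        Invoke-Reg @('import', $BackupFile)
        if (-not (Test-MsdtHandler)) { Write-Output "Failed to import $RegKey"; exit 5 }
        Write-Output "Restored $RegKey from $BackupFile"
        exit 0
    }
}
```

Run it from an elevated prompt as `.\Set-MsdtWorkaround.ps1 -Action Apply` to apply the workaround, `-Action Check` to evaluate (exit code 1 means the handler is still registered), and `-Action Revert` after the Microsoft patch is installed. The backup validation matters because `reg export` can succeed in creating the file yet write nothing useful if the key name is mistyped; checking for the `[HKEY_CLASSES_ROOT\ms-msdt]` header before the `delete` step guards against that.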
