This week, we have written about the Follina zero-day vulnerability that allows for remote code execution on a victim’s computer. Despite having been known about for a number of weeks, Microsoft is still yet to issue a patch for the actively exploited critical security flaw, instead simply offering details of a workaround.
As has been the case in the past, a third party has come to the rescue. Micro-patching firm 0patch has released a free fix for the vulnerability — for Windows 11, Windows 10, Windows 7 and Windows Server 2008 R2 — which is tracked as CVE-2022-30190 and relates to the Microsoft Windows Support Diagnostic Tool (MSDT) component of Windows.
- Why has Microsoft still not fixed a weeks-old, actively exploited vulnerability affecting Windows 11 and more?
- Microsoft researchers discover serious security vulnerabilities in big-name Android apps
- Microsoft reveals workaround for Office zero-day vulnerability that can be used to launch malicious PowerShell commands
This is far from the first time 0patch has stepped up and done Microsoft’s work for it. While the Windows maker has provided a workaround that involves simply disabling the problematic component, 0patch has taken a rather more nuanced approach.
Tweeting about the release, 0patch says
In a blog post about the micropatch, 0patch’s Mitja Kolsek says:
It would be by far the simplest for us to just disable msdt.exe by patching it with a TerminateProcess() call. However, that would render Windows diagnostic wizardry inoperable, even for non-Office applications. Another option was to codify Microsoft’s recommendation into a patch, effectively disabling the ms-msdt: URL protocol handler.
But when possible, we want to minimize our impact outside of removing the vulnerability, so we decided to place our patch in sdiagnhost.exe before the RunScript call and check if the user-provided path contains a “$(” sequence – which is necessary for injecting a PowerShell subexpression. If one is detected, we make sure the RunScript call is bypassed while the Diagnostic Tool keeps running.
0patch points out that: “it doesn’t matter which version of Office you have installed, or if you have Office installed at all: the vulnerability could also be exploited through other attack vectors. That is why we also patched Windows 7, where the ms-msdt: URL handler is not registered at all”.
There are patches available for the following versions of Windows:
- Windows 11 v21H2
- Windows 10 v21H2
- Windows 10 v21H1
- Windows 10 v20H2
- Windows 10 v2004
- Windows 10 v1909
- Windows 10 v1903
- Windows 10 v1809
- Windows 10 v1803
- Windows 7
- Windows Server 2008 R2
As no official patch has been released, these patches are available completely free of charge. 0patch explains now to use them:
These micropatches have already been distributed to all online 0patch Agents. If you’re new to 0patch, create a free account in 0patch Central, then install and register 0patch Agent from 0patch.com. Everything else will happen automatically. No computer reboot will be needed.
The company has also shared a video showing how its patch works: