Until now, in the overwhelming majority of cases, it was enough to have macros disabled to deal with infected Microsoft Office. However, it is not the case with Follina vulnerability that works completely different - you just need to open a text file to run a dangerous script.
In short, the way it works is that opening a Word document downloads an external HTML file that contains the instruction that executes the msdt.exe command. This is how the MSDT* system tool is launched, with which you can execute any code in PowerShell.
Unfortunately, as of today, no security patch from Microsoft is available. To protect yourself from Follina vulnerability, go to Axence nVision® in:
Users -> All Users -> Atlas Info -> Locks -> Application Blocking → and then block the msdt.exe application.
It is also advisable to create an automatic report displaying the employee's accounts on which msdt.exe was run and checking it on a regular basis. In nVision, such a report can be automatically generated and sent to the indicated e-mail address.
It is also worth considering permanently disabling PowerShell from being run by employees. Our experience shows that the vast majority of organizations do not have such a blockade, and thus, make themselves more vulnerable to potential attacks.
Here’s the way you can do that:
Users -> All Users -> About Atlas -> Locks -> Application Blocking → and then typing powershell.exe.
In this case, it's also a good idea to set up automatic reports showing which computers PowerShell is run on. If you want to find out more information about Follina vulnerability, check out our next article.
*MSDT (Microsoft Support Diagnostic Tool) is an embedded tool used by Windows to report, diagnose, and troubleshoot operating system errors.