Follina and other Microsoft Zero-Day Responses

The ever-increasing number of Microsoft 0-day vulnerabilities alone will leave you sleepless at night. Why wouldn't threat actors target Microsoft? According to their blog, over 1 billion active devices globally are running Windows 10 alone. This astonishing number should be very eye-opening for any small to medium-sized business running Windows operating systems. You have to ask yourself, "Are you doing everything in your power to protect your digital assets from modern-day attacks?" The answer is probably no, as most small/medium-sized companies do not have the bandwidth or resources to actively perform threat hunting and ongoing patching. Let us first dig into a few of the most critical zero-day vulnerabilities from this year; then we can touch on ways you can proactively prevent or mitigate these faster in your virtual desktop environment.

CVE-2022-26809

Remote code execution in the RPC runtime affected many Windows versions. The exploit was for an attacker to send a crafted RPC packet to the host, allowing the attacker to execute code on that server with the same permissions as the RPC service. One of the mitigations was to block TCP port 445 at the perimeter firewall, but this only addressed half of the problem: anyone who was already inside your network could still exploit the vulnerability. The primary mitigation was implementing a true allow list on the hosts themselves, opening only what was needed on every port, because RPC could be reached over several other standard ports (135, 80, 445, etc.), not just 445.
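The host-level allow list described above, as an added example that is not part of the original post or of TetherView's tooling. It uses the built-in Windows Defender Firewall cmdlets: the inbound default action is set to block, any existing inbound allow rule on the RPC-bearing ports that is open to every remote address is disabled, and scoped allow rules are created for an approved list of peers. The peer addresses and port list are constructed placeholders, and the rule names are this script's own; run it from an elevated prompt and review the list of rules it disables before relying on it.

```powershell
# Added example: convert "block 445 at the perimeter" into a per-host allow list.
# Assumptions: the peers below are constructed placeholders; the ports are the
# ones the post names (135, 80, 445). Requires an elevated PowerShell session.

$RpcPorts     = @('135', '445', '80')
$AllowedPeers = @('10.0.10.5', '10.0.10.6', '10.0.20.0/24')   # constructed; replace with real admin/file-server hosts
$RulePrefix   = 'RPC-AllowList'                                # name prefix for rules this script owns

function Get-BroadInboundAllowRules {
    # Returns enabled inbound TCP allow rules on $Ports whose remote scope is "Any".
    # These are the rules that let anyone already inside the network reach RPC.
    param([string[]]$Ports)
    $found = @()
    foreach ($rule in Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True) {
        if ($rule.DisplayName -like "$RulePrefix-*") { continue }   # skip our own scoped rules
        $portFilter = $rule | Get-NetFirewallPortFilter
        if ($portFilter.Protocol -ne 'TCP') { continue }
        $hits = $Ports | Where-Object { $portFilter.LocalPort -contains $_ -or $portFilter.LocalPort -contains 'Any' }
        if (-not $hits) { continue }
        $addrFilter = $rule | Get-NetFirewallAddressFilter
        if ($addrFilter.RemoteAddress -contains 'Any') { $found += $rule }
    }
    return $found
}

function Set-RpcAllowList {
    param([string[]]$Ports, [string[]]$Peers)

    # 1. Anything not explicitly allowed is dropped, on every profile.
    Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block

    # 2. Disable built-in or inherited rules that open these ports to the whole network
    #    (for example the stock "File and Printer Sharing (SMB-In)" rule on 445).
    foreach ($rule in Get-BroadInboundAllowRules -Ports $Ports) {
        Write-Output "Disabling broad inbound allow rule: $($rule.DisplayName)"
        $rule | Disable-NetFirewallRule
    }

    # 3. Recreate our scoped allow rules so the script is safe to re-run.
    Get-NetFirewallRule -DisplayName "$RulePrefix-*" -ErrorAction SilentlyContinue | Remove-NetFirewallRule
    foreach ($port in $Ports) {
        New-NetFirewallRule -DisplayName "$RulePrefix-TCP-$port" `
            -Direction Inbound -Protocol TCP -LocalPort $port `
            -RemoteAddress $Peers -Action Allow -Profile Domain, Private | Out-Null
        Write-Output "Allowed TCP/$port inbound only from: $($Peers -join ', ')"
    }
}

function Test-RpcAllowList {
    # $true when no enabled inbound allow rule on the RPC ports is still open to "Any".
    param([string[]]$Ports)
    return ((Get-BroadInboundAllowRules -Ports $Ports).Count -eq 0)
}

Set-RpcAllowList -Ports $RpcPorts -Peers $AllowedPeers
if (Test-RpcAllowList -Ports $RpcPorts) { Write-Output 'Allow list in place.' }
else { Write-Warning 'Broad inbound allow rules remain; review Get-BroadInboundAllowRules output.' }
```

Note that Windows Firewall evaluates block rules ahead of allow rules, which is why the script does not simply add a "block Any" rule beside a "permit these peers" rule: that pairing would block the approved peers too. Setting the profile default to block and keeping only scoped allow rules is the shape of a true allow list.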

CVE-2022-30190

Dubbed Follina, this vulnerability allowed an attacker to abuse the MSDT (Microsoft Support Diagnostic Tool) protocol to gain remote code execution, running arbitrary code from a Word document. This attack was widely successful because of how pervasive Microsoft Office is and how easy the vulnerability was for attackers to exploit. The primary workaround that was released was to disable the MSDT URL protocol, which prevents threat actors from launching malicious troubleshooting prompts on the victim's machines. Microsoft also explained that disabling MSDT is only a temporary measure to prevent the attack while they work on a future patch.
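The MSDT protocol workaround above, as an added example that is not part of the original post or of TetherView's tooling. Microsoft's published workaround for CVE-2022-30190 was to export and then delete the ms-msdt URL protocol handler key under HKEY_CLASSES_ROOT; this script wraps that in a check, a backup, the removal, and a restore function for use once the real patch is installed. The backup file location is this script's own choice; run it from an elevated prompt.

```powershell
# Added example: apply, verify, and later revert the ms-msdt protocol workaround.
# Assumptions: the backup path is our own choice; HKEY_CLASSES_ROOT\ms-msdt is the
# real URL protocol handler key that Microsoft's workaround removes.

$MsdtKey    = 'HKEY_CLASSES_ROOT\ms-msdt'
$MsdtKeyPS  = "Registry::$MsdtKey"
$BackupPath = Join-Path $env:ProgramData 'ms-msdt-backup.reg'   # constructed path

function Test-MsdtProtocolEnabled {
    # $true while the ms-msdt: URL handler is still registered, i.e. while a
    # crafted document can still hand a URL to msdt.exe.
    return (Test-Path -LiteralPath $MsdtKeyPS)
}

function Disable-MsdtProtocol {
    if (-not (Test-MsdtProtocolEnabled)) {
        Write-Output 'ms-msdt handler is already absent; nothing to do.'
        return
    }
    # Export first so the workaround can be reverted after patching.
    & reg.exe export $MsdtKey $BackupPath /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Backup to $BackupPath failed; key left in place." }

    & reg.exe delete $MsdtKey /f | Out-Null
    if (Test-MsdtProtocolEnabled) { throw 'ms-msdt key still present after delete.' }
    Write-Output "ms-msdt handler removed; backup saved to $BackupPath"
}

function Restore-MsdtProtocol {
    # Revert the workaround once the vendor patch is installed and verified.
    if (-not (Test-Path -LiteralPath $BackupPath)) { throw "No backup found at $BackupPath" }
    & reg.exe import $BackupPath | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'Registry import failed.' }
    if (-not (Test-MsdtProtocolEnabled)) { throw 'ms-msdt key not restored.' }
    Write-Output 'ms-msdt handler restored.'
}

Disable-MsdtProtocol
```

Because the handler removal also breaks legitimate troubleshooters launched through ms-msdt: links, keeping the exported backup next to the change record is what makes the workaround genuinely temporary, as the post describes.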

What can I do?

So both of these vulnerabilities sound terrifying. You may be asking yourself, "What can I do to stay on top of zero-days in the future?" The answer may not be as far-fetched as you think. TetherView's virtual desktop services are specifically crafted to stay ahead of the security landscape. They have a team of researchers who constantly monitor these types of vulnerabilities and apply the published workarounds as soon as possible. More likely than not, your team did not even hear about the Follina exploit until after the long Memorial Day weekend, which gave attackers the whole weekend to exploit your systems without you knowing about it. The professionals at TetherView approach every zero-day with an "assume the worst" mindset to ensure proper measures are taken quickly.

On top of having a world-class monitoring service, TetherView also offers a consistent backbone architecture to help ensure that any new virtual desktops deployed into your network line up with the same technology and versioning required for security and compliance. Lastly, TetherView takes a "multiple parameter" approach to security, with the mindset of creating additional layers of security throughout your virtual desktop architecture. Having these layers in place adds friction and extra steps for malicious actors trying to locate and exfiltrate your crown jewels.