Jun 01, 2022 Jason Keogh

Mitigate the Follina vulnerability in milliseconds with 1E Tachyon

Zero-day exploits that can run without requiring elevated privileges, that do not have patches available quickly, and that allow the bad actor to install software and make other arbitrary changes to devices are about as bad as they come.

“Follina,” as reported in TechCrunch and elsewhere, ticks all the wrong boxes and impacts 41 Microsoft products, including Windows 11 and Office 365. Huntress research even identified a way to have this execute without the user having to CLICK anything (hovering over the icon can trigger the exploit!).

The good news is that, although there is no official patch, Microsoft have issued an advisory which includes information on a registry key you can delete to mitigate the risk.

The better news is that, if you are a 1E Tachyon customer, you can implement that advice with ease, on any/all of your devices, immediately.

Download this instruction:

1E Tachyon instruction for Follina
Backup and delete MSDT registry hive HKEY_CLASSES_ROOT\ms-msdt

That’s it. Problem solved. Risk averted.

The instruction follows the exact Microsoft advice, running a command to back up the reg keys first – so they can be imported later. Another option allows you to restore the same keys if desired.

This was written in minutes with TIMS (Tachyon Instruction Management Studio), using the Tachyon Method NativeServices.RunCommand() and the in-built Registry functions.
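For a single machine without Tachyon, the same back up, delete and restore steps can be run locally with `reg.exe` from an elevated PowerShell prompt. This is an added example, not the 1E instruction or its source; the parameter names, the helper function name and the backup file location are assumptions.

```powershell
# Added example: local equivalent of the backup / delete / restore steps.
# Save as a .ps1 file and run elevated. Names and paths here are assumptions.
param(
    [ValidateSet('Check', 'Mitigate', 'Restore')]
    [string]$Action = 'Check',
    [string]$BackupFile = "$env:ProgramData\ms-msdt-backup.reg"   # assumed location
)

$Key    = 'HKEY_CLASSES_ROOT\ms-msdt'
$PsPath = "Registry::$Key"

# True while the ms-msdt protocol handler is still registered
function Test-MsdtHandler { Test-Path -LiteralPath $PsPath }

switch ($Action) {
    'Check' {
        if (Test-MsdtHandler) { 'ms-msdt handler is PRESENT (not mitigated)' }
        else                  { 'ms-msdt handler is absent (mitigated)' }
    }
    'Mitigate' {
        if (-not (Test-MsdtHandler)) { 'Nothing to do: key already absent'; break }
        # Refuse to overwrite an earlier backup; it may be the only good copy
        if (Test-Path -LiteralPath $BackupFile) {
            throw "Backup already exists: $BackupFile"
        }
        & reg.exe export $Key $BackupFile | Out-Null
        if ($LASTEXITCODE -ne 0 -or -not (Test-Path -LiteralPath $BackupFile)) {
            throw 'Export failed; key was NOT deleted'
        }
        # Delete only after the backup is confirmed on disk
        & reg.exe delete $Key /f | Out-Null
        if ($LASTEXITCODE -ne 0 -or (Test-MsdtHandler)) { throw 'Delete failed' }
        "Backed up to $BackupFile and deleted $Key"
    }
    'Restore' {
        if (-not (Test-Path -LiteralPath $BackupFile)) {
            throw "No backup found at $BackupFile"
        }
        & reg.exe import $BackupFile 2>&1 | Out-Null
        if ($LASTEXITCODE -ne 0) { throw 'Import failed' }
        "Restored $Key from $BackupFile"
    }
}
```

Running it with `-Action Check` before and after gives a quick confirmation that the handler is gone, which is also the state to verify fleet-wide once the instruction has been applied.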

The Follina attack is one of many “living off the land” type exploits, which use PowerShell or other “on-box” tools to perform nefarious tasks for the attacker.

Even without this specific instruction, you could use the existing instructions to delete a named Registry Key if immediate response is required.

With 1E Tachyon you can apply the fix to all endpoints in milliseconds and then move on with your day.