Follina patch now available but questions remain

, , , , ,

Microsoft has released a fix for the ‘Follina’ security hole in Windows which was being exploited via hacked Office documents.

We explained the Follina hack and long delay before Microsoft finally acknowledged the problem.

The security hole is in Windows or specifically the Microsoft Support Diagnostic Tool (msdt) but it’s generally spread via a hacked Word (.doc or .docx) file.

The 14 June 2022 Windows security updates address the problem.  As usual, Microsoft’s documentation is so (deliberately?) obscure that you’re entirely forgiven for not realizing it.

For example the page Microsoft links to with information about the patch doesn’t mention the Follina issue at all, not even using it’s code-name CVE-2022-30190. All the page says is their standard unhelpful sentence “Addresses security issues for your Windows operating system.”.

Questions about the patch

It’s not clear from Microsoft’s documentation what they’ve done to stop the security hole.  That’s important information for anyone who might use Microsoft Support Diagnostic Tool (msdt) or administrators who have put workarounds in place.

Worse, the page devoted to Follina. Guidance for CVE-2022-30190 Microsoft Support Diagnostic Tool Vulnerability still lists the workarounds without mentioning the official patches that were released almost two weeks ago.  Anyone reading that page would think that Microsoft had done nothing to fix the Windows security lapse.

Patches for all supported Windows back to Windows 7

A sign of the scope of this security lapse is the long list of necessary patches.  All supported Windows need to be updated:

  • Windows 11
  • Windows 10
  • Windows 8.1, 8, 8 RT
  • Windows 7

Both Intel 32 or 64 bit releases plus ARM versions

Also Windows Server 2022 back to 2008 R2.

What to do

Use Windows Update to get all the necessary patches.  Most likely your computer has done this automatically. To make sure, open Windows Update and force it to “Check for Updates”

Zero-day security hole in Word, Microsoft very slow to act
Zero-day Windows security bug spreads to Europe and USA