{"id":98419,"date":"2022-06-03T10:31:47","date_gmt":"2022-06-03T01:31:47","guid":{"rendered":"https:\/\/softantenna.com\/blog\/?p=98419"},"modified":"2022-06-03T10:31:47","modified_gmt":"2022-06-03T01:31:47","slug":"0patch-provide-free-fix-for-follina-vulnerability","status":"publish","type":"post","link":"https:\/\/softantenna.com\/blog\/0patch-provide-free-fix-for-follina-vulnerability\/","title":{"rendered":"0patch provides a free patch for the Windows \"Follina\" vulnerability in place of Microsoft"},"content":{"rendered":"<p><img decoding=\"async\" style=\"display:block; margin-left:auto; margin-right:auto;\" src=\"https:\/\/softantenna.com\/blog\/wp-content\/uploads\/2022\/06\/0patch.jpeg\" alt=\"0patch\" title=\"0patch.jpeg\" border=\"0\" width=\"1024\" height=\"512\" \/><\/p>\n<p>This week, a zero-day vulnerability called \"<a href=\"https:\/\/softantenna.com\/blog\/microsoft-still-not-fixed-actively-exploited-vulnerability\/\">Follina<\/a>\", which allows remote code execution on an affected Windows PC, was discovered and has been attracting attention. Microsoft has not yet issued a patch for this vulnerability, which is confirmed to be exploited in the wild, and has only provided a workaround, but it turns out that the third-party company 0patch has released a free fix (<a href=\"https:\/\/betanews.com\/2022\/06\/02\/0patch-releases-free-fix-for-follina-vulnerability-in-windows-as-microsoft-apparently-cant-be-bothered\/\">BetaNews<\/a>).<\/p>\n<p>The fix published by 0patch is for Windows 11, Windows 10, Windows 7 and Windows Server 2008 R2, and covers the following versions.<\/p>\n<ul>\n<li>Windows 11 v21H2<\/li>\n<li>Windows 10 v21H2<\/li>\n<li>Windows 10 v21H1<\/li>\n<li>Windows 10 v20H2<\/li>\n<li>Windows 10 v2004<\/li>\n<li>Windows 10 v1909<\/li>\n<li>Windows 10 v1903<\/li>\n<li>Windows 10 v1809<\/li>\n<li>Windows 10 v1803<\/li>\n<li>Windows 7<\/li>\n<li>Windows Server 2008 R2<\/li>\n<\/ul>\n<p>These micropatches are delivered to online 0patch agents, and can be used by creating a free account at 0patch Central, then installing 0patch Agent from 0patch.com and registering it. Everything else is handled automatically, and no restart of the computer is said to be required.<\/p>\n<p><iframe width=\"680\" height=\"383\" src=\"https:\/\/www.youtube.com\/embed\/Og9Q6UotMgA\" frameborder=\"0\" allowfullscreen><\/iframe><\/p>\n<p>Rather than Microsoft's workaround, which simply disables the component in question, 0patch has adopted a more refined approach, designed to keep the impact on the system to a minimum.<\/p>\n<blockquote><p>It would be by far the simplest for us to just disable msdt.exe by patching it with a TerminateProcess() call. However, that would render Windows diagnostic wizardry inoperable, even for non-Office applications. Another option was to codify Microsoft's recommendation into a patch, effectively disabling the ms-msdt: URL protocol handler.<\/p>\n<p>But when possible, we want to minimize our impact outside of removing the vulnerability, so we decided to place our patch in sdiagnhost.exe before the RunScript call and check if the user-provided path contains a \"$(\" sequence - which is necessary for injecting a PowerShell subexpression. If one is detected, we make sure the RunScript call is bypassed while the Diagnostic Tool keeps running.<\/p>\n<\/blockquote>\n<p>Details of the patch are available on the <a href=\"https:\/\/blog.0patch.com\/2022\/06\/free-micropatches-for-follina-microsoft.html\">official blog<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>This week, a zero-day vulnerability called \"Follina\", which allows remote code execution on an affected Windows PC, was discovered and has been attracting attention. Microsoft has not yet issued a patch for this vulnerability, which is confirmed to be exploited in the wild, [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":98420,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"swell_btn_cv_data":"","footnotes":""},"categories":[3],"tags":[4441,3298],"class_list":["post-98419","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-windows","tag-0patch","tag-windows"],"_links":{"self":[{"href":"https:\/\/softantenna.com\/blog\/wp-json\/wp\/v2\/posts\/98419","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/softantenna.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/softantenna.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/softantenna.com\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/softantenna.com\/blog\/wp-json\/wp\/v2\/comments?post=98419"}],"version-history":[{"count":0,"href":"https:\/\/softantenna.com\/blog\/wp-json\/wp\/v2\/posts\/98419\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/softantenna.com\/blog\/wp-json\/wp\/v2\/media\/98420"}],"wp:attachment":[{"href":"https:\/\/softantenna.com\/blog\/wp-json\/wp\/v2\/media?parent=98419"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/softantenna.com\/blog\/wp-json\/wp\/v2\/categories?post=98419"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/softantenna.com\/blog\/wp-json\/wp\/v2\/tags?post=98419"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}