{"id":10743,"date":"2022-06-03T15:58:47","date_gmt":"2022-06-03T12:58:47","guid":{"rendered":"https:\/\/www.kaspersky.com.tr\/blog\/?p=10743"},"modified":"2022-06-03T15:58:47","modified_gmt":"2022-06-03T12:58:47","slug":"follina-cve-2022-30190-msdt","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com.tr\/blog\/follina-cve-2022-30190-msdt\/10743\/","title":{"rendered":"Follina: Office documents as an entry point"},"content":{"rendered":"<p>Researchers have discovered yet another serious vulnerability in Microsoft products that potentially allows an attacker to execute arbitrary code. Researchers gave the vulnerability, which MITRE designated <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/en-US\/vulnerability\/CVE-2022-30190\" target=\"_blank\" rel=\"noopener nofollow\">CVE-2022-30190<\/a>, the more poetic name Follina. The most disturbing part is that there is no fix for this bug yet. Even worse, the vulnerability is already being actively exploited by cybercriminals. Although an update is on the way, all Windows users and administrators are advised to use temporary workarounds for now.<\/p>\n<h2>What is CVE-2022-30190, and which products does it affect?<\/h2>\n<p>The CVE-2022-30190 vulnerability resides in the Microsoft Windows Support Diagnostic Tool (MSDT), which does not sound like a particularly important component.
Unfortunately, because of the way this tool is implemented, the vulnerability can be exploited through a malicious MS Office file.<\/p>\n<p>MSDT is an application used to automatically collect diagnostic information and send it to Microsoft when something goes wrong in Windows. Other applications (Microsoft Word being the most popular example) can call the tool through the special MSDT URL protocol. If the vulnerability is successfully exploited, the attacker can execute arbitrary code with the privileges of the application that called MSDT, that is, in this case, with the rights of the user who opened the malicious file.<\/p>\n<p>The CVE-2022-30190 vulnerability can be exploited on all operating systems in the Windows family, both desktop and server.<\/p>\n<h2>How do attackers exploit CVE-2022-30190?<\/h2>\n<p>The researchers who discovered the vulnerability describe the following scenario as an example attack: the attackers create a malicious MS Office document and somehow deliver it to the victim. The most common way to do this is to attach the malicious file to a classic social-engineering e-mail designed to persuade the recipient to open it.
Something like \u201cUrgently check the contract to be signed tomorrow\u201d does the job.<\/p>\n<p>The infected file contains a link to an HTML file containing JavaScript code that executes malicious code in the command line via MSDT. If exploitation succeeds, the attackers can install programs, view, modify or destroy data, and create new accounts; in short, they can do anything the victim's privileges on the system allow.<\/p>\n<h2>How to protect yourself<\/h2>\n<p>As we said above, there is no patch yet. In the meantime, Microsoft <a href=\"https:\/\/msrc-blog.microsoft.com\/2022\/05\/30\/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability\/\" target=\"_blank\" rel=\"noopener nofollow\">recommends<\/a> disabling the MSDT URL protocol. To do so, open a command prompt with administrator rights and run the command <code>reg delete HKEY_CLASSES_ROOT\\ms-msdt \/f<\/code>. Before doing that, it is a good idea to back up the registry key by running <code>reg export HKEY_CLASSES_ROOT\\ms-msdt <em>filename<\/em><\/code>.
That way, once the workaround is no longer needed, you can quickly restore the key by running <code>reg import <em>filename<\/em><\/code>.<\/p>\n<p>Of course, this is only a temporary measure; you should install the update that closes the Follina vulnerability as soon as it is released.<\/p>\n<p>As described, the methods of exploiting this vulnerability involve e-mails with malicious attachments and social-engineering techniques. We therefore recommend being even more careful than usual with e-mails from unknown senders. For companies, the most sensible option, on a regular basis and with regard to the latest hacker tricks, is the <a href=\"https:\/\/k-asap.com\/tr\/?icid=tr_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder_______&amp;utm_source=kdaily&amp;utm_medium=blog&amp;utm_campaign=tr_wpplaceholder_nv0092&amp;utm_content=link&amp;utm_term=tr_kdaily_organic_avmwswubv8qh92b\" target=\"_blank\" rel=\"noopener\">Kaspersky Automated Security Awareness Platform<\/a>.<\/p>\n<p>In addition, all devices with Internet access should be equipped with <a href=\"https:\/\/www.kaspersky.com.tr\/small-to-medium-business-security?icid=tr_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder_______\" target=\"_blank\" rel=\"noopener\">robust security solutions<\/a>.
Such solutions can prevent malicious code from running on the user's device even when a still-unknown vulnerability is being exploited.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The new vulnerability CVE-2022-30190, also known as Follina, allows the Windows Support Diagnostic Tool to be exploited via MS Office files.<\/p>\n","protected":false},"author":2706,"featured_media":10744,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1726,1194,1727,1351],"tags":[2158,790,2159,113],"class_list":{"0":"post-10743","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-enterprise","8":"category-business","9":"category-smb","10":"category-threats","11":"tag-0-gun","12":"tag-guvenlik-aciklari","13":"tag-rce","14":"tag-windows"},"hreflang":[{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/follina-cve-2022-30190-msdt\/10743\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/follina-cve-2022-30190-msdt\/24226\/"},{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/follina-cve-2022-30190-msdt\/19707\/"},{"hreflang":"ar","url":"https:\/\/me.kaspersky.com\/blog\/follina-cve-2022-30190-msdt\/9931\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/follina-cve-2022-30190-msdt\/26554\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/follina-cve-2022-30190-msdt\/24512\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/follina-cve-2022-30190-msdt\/27225\/"},{"hreflang":"it","url":"
https:\/\/www.kaspersky.it\/blog\/follina-cve-2022-30190-msdt\/26749\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/follina-cve-2022-30190-msdt\/33255\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/follina-cve-2022-30190-msdt\/44461\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/follina-cve-2022-30190-msdt\/18969\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/follina-cve-2022-30190-msdt\/19523\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/follina-cve-2022-30190-msdt\/28760\/"},{"hreflang":"nl","url":"https:\/\/www.kaspersky.nl\/blog\/follina-cve-2022-30190-msdt\/28301\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/follina-cve-2022-30190-msdt\/25076\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/follina-cve-2022-30190-msdt\/30588\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/follina-cve-2022-30190-msdt\/30337\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com.tr\/blog\/tag\/guvenlik-aciklari\/","name":"g\u00fcvenlik 
a\u00e7\u0131klar\u0131"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/posts\/10743","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/users\/2706"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/comments?post=10743"}],"version-history":[{"count":3,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/posts\/10743\/revisions"}],"predecessor-version":[{"id":10747,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/posts\/10743\/revisions\/10747"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/media\/10744"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/media?parent=10743"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/categories?post=10743"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/tags?post=10743"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}