Description
A new Microsoft Office zero-day vulnerability is being exploited in attacks that employ the Microsoft Diagnostic Tool (MSDT) to execute malicious PowerShell instructions merely by opening a Word document.
Summary
On Monday, May 30, 2022, Microsoft addressed a vulnerability regarding the Microsoft Support Diagnostic Tool (MSDT) in Windows. This vulnerability is being tracked as CVE-2022-30190 and this flaw impacts all Windows versions still receiving security updates (Windows 7+ and Server 2008+).
How it works
When MSDT is called using the URL protocol from a calling application such as Word, a remote code execution vulnerability exists. An attacker who successfully exploits this flaw can execute arbitrary code with the privileges of the calling application. Within the limits of the user's permissions, the attacker can then install programs; view, change, or delete data; or create new accounts.
Workarounds
Administrators and users should disable the MSDT URL protocol. Disabling the MSDT URL protocol prevents troubleshooters from being launched as links, including links throughout the operating system. Malicious actors use this tool to start troubleshooters and run code on susceptible systems.
To disable the MSDT URL Protocol
Run Command Prompt as Administrator.
To back up the registry key, execute the command reg export HKEY_CLASSES_ROOT\ms-msdt filename
Execute the command reg delete HKEY_CLASSES_ROOT\ms-msdt /f
How to undo the workaround
Run Command Prompt as Administrator.
To restore the registry key from the backup, execute the command reg import filename
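The workaround and its undo step above, as an added PowerShell example (not part of the CIRT alert or Microsoft's guidance): it wraps the same reg.exe commands, checks first whether the ms-msdt handler is still registered, and refuses to delete the key if the backup did not succeed. The default backup path is an assumed value.

```powershell
#Requires -RunAsAdministrator
<#
  Added example, not from the alert or from Microsoft.
  Apply (default) or undo (-Restore) the CVE-2022-30190 workaround.
  -BackupPath is an assumed default; any writable location works.
#>
param(
    [string]$BackupPath = "$env:ProgramData\ms-msdt-backup.reg",  # assumed default
    [switch]$Restore
)

$KeyPath = 'HKEY_CLASSES_ROOT\ms-msdt'
$Handler = 'Registry::HKEY_CLASSES_ROOT\ms-msdt'

function Test-MsdtProtocol {
    # True when the ms-msdt: URL protocol handler is still registered,
    # i.e. a document can still launch MSDT through it.
    return Test-Path -LiteralPath $Handler
}

if ($Restore) {
    if (-not (Test-Path -LiteralPath $BackupPath)) {
        throw "No backup found at $BackupPath; cannot undo the workaround."
    }
    # Same as the alert's undo step: reg import filename
    reg.exe import $BackupPath
}
else {
    if (-not (Test-MsdtProtocol)) {
        Write-Host 'ms-msdt protocol handler is already absent; nothing to do.'
        return
    }
    # Step 1 of the alert: back up the key before removing it (/y overwrites an old backup).
    reg.exe export $KeyPath $BackupPath /y
    if ($LASTEXITCODE -ne 0) { throw "Backup failed; not deleting $KeyPath." }
    # Step 2 of the alert: delete the key so ms-msdt: links no longer launch MSDT.
    reg.exe delete $KeyPath /f
}

# Report the end state so the change can be verified from a deployment log.
if (Test-MsdtProtocol) { 'ms-msdt URL protocol: REGISTERED' } else { 'ms-msdt URL protocol: disabled' }
```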
Microsoft Defender Antivirus 1.367.719.0 or newer also includes detections for exploitation of this vulnerability under the following signatures:
Trojan:Win32/Mesdetty.A
Trojan:Win32/Mesdetty.B
Behavior:Win32/MesdettyLaunch.A
Behavior:Win32/MesdettyLaunch.B
Behavior:Win32/MesdettyLaunch.C
Remediation
It is advised to ensure that all devices are updated with the most recent patches. For further information on this vulnerability, you can follow this URL:
The Guyana National CIRT recommends that users and administrators review this alert and apply it where necessary.
References
Gatlan, S. (2022, May 31). Microsoft shares mitigation for Office zero-day exploited in attacks. Retrieved from BleepingComputer. https://www.bleepingcomputer.com/news/microsoft/microsoft-shares-mitigation-for-office-zero-day-exploited-in-attacks/
Ilascu, I. (2022, May 30). New Microsoft Office zero-day used in attacks to execute PowerShell. Retrieved from BleepingComputer. https://www.bleepingcomputer.com/news/security/new-microsoft-office-zero-day-used-in-attacks-to-execute-powershell/
Microsoft Security Response Center. (2022, May 30). Guidance for CVE-2022-30190 Microsoft Support Diagnostic Tool Vulnerability. Retrieved from Microsoft Security Response Center. https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/
Microsoft Security Response Center. (2022, May 30). Security Update Guide – Microsoft Security Response Center. Retrieved from Microsoft Security Response Center. https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-30190