Microsoft shares mitigation for Office zero-day exploited in attacks
Microsoft has shared mitigation measures to block attacks exploiting a newly discovered Microsoft Office zero-day flaw abused in the wild to execute malicious code remotely.
The bug is a Microsoft Windows Support Diagnostic Tool (MSDT) remote code execution vulnerability.
The flaw impacts all Windows versions still receiving security updates (Windows 7+ and Server 2008+).
As security researcher nao_sec found, it is used by threat actors to execute malicious PowerShell commands via MSDT in what Redmond describes as Arbitrary Code Execution (ACE) attacks when opening or previewing Word documents.
“An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application,” Microsoft explains.
“The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights.”
According to Redmond, admins and users can block attacks exploiting CVE-2022-30190 by disabling the MSDT URL protocol, which malicious actors use to launch troubleshooters and execute code on vulnerable systems.
To disable the MSDT URL protocol on a Windows device, you have to go through the following procedure:
- Run Command Prompt as Administrator.
- To back up the registry key, execute the command “reg export HKEY_CLASSES_ROOT\ms-msdt filename”
- Execute the command “reg delete HKEY_CLASSES_ROOT\ms-msdt /f”
After Microsoft releases a CVE-2022-30190 patch, you can undo the workaround by launching an elevated command prompt and executing the “reg import filename” command (where filename is the name of the registry backup created when disabling the protocol).
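As an added example (not from the article and not Microsoft's own tooling), the following PowerShell script wraps the same reg export / reg delete / reg import steps with a backup check, a verification mode that reports whether the ms-msdt URL protocol is still registered, and a rollback mode; it assumes an elevated session, and the backup path under ProgramData is an assumed default.

```powershell
# Added example: apply, verify and roll back the CVE-2022-30190 workaround
# by backing up and deleting HKEY_CLASSES_ROOT\ms-msdt. Run elevated.
param(
    [ValidateSet('Apply', 'Verify', 'Rollback')][string]$Action = 'Verify',
    [string]$BackupFile = "$env:ProgramData\ms-msdt-backup.reg"   # assumed default path
)

$keyPath = 'Registry::HKEY_CLASSES_ROOT\ms-msdt'

function Test-MsdtProtocolRegistered {
    # The handler is live when the key exists and carries the "URL Protocol" value
    # that registers it as a URL scheme handler.
    if (-not (Test-Path $keyPath)) { return $false }
    $props = Get-ItemProperty -Path $keyPath -ErrorAction SilentlyContinue
    return ($null -ne $props) -and ($props.PSObject.Properties.Name -contains 'URL Protocol')
}

switch ($Action) {
    'Apply' {
        if (-not (Test-MsdtProtocolRegistered)) { Write-Output 'ms-msdt protocol already disabled'; break }
        # Export first so the key can be restored with "reg import" once the patch is applied.
        & reg.exe export 'HKEY_CLASSES_ROOT\ms-msdt' $BackupFile /y | Out-Null
        if ($LASTEXITCODE -ne 0 -or -not (Test-Path $BackupFile)) { throw 'backup failed; key not deleted' }
        & reg.exe delete 'HKEY_CLASSES_ROOT\ms-msdt' /f | Out-Null
        if ($LASTEXITCODE -ne 0) { throw 'reg delete failed' }
        Write-Output "ms-msdt protocol disabled; backup at $BackupFile"
    }
    'Rollback' {
        if (-not (Test-Path $BackupFile)) { throw "no backup found at $BackupFile" }
        & reg.exe import $BackupFile | Out-Null
        if ($LASTEXITCODE -ne 0) { throw 'reg import failed' }
        Write-Output 'ms-msdt protocol handler restored'
    }
    'Verify' {
        if (Test-MsdtProtocolRegistered) { Write-Output 'VULNERABLE: ms-msdt URL protocol is registered' }
        else { Write-Output 'OK: ms-msdt URL protocol is not registered' }
    }
}
```

The Verify mode is useful for checking the workaround across a fleet before and after the patch is deployed.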
Microsoft Defender Antivirus 1.367.719.0 or newer now also comes with detections for possible vulnerability exploitation under the following signatures:
While Microsoft says that Microsoft Office’s Protected View and Application Guard would block CVE-2022-30190 attacks, CERT/CC vulnerability analyst Will Dormann (and other researchers) found that the security feature will not block exploitation attempts if the target previews the malicious documents in Windows Explorer.