Microsoft is urging administrators to apply a workaround for a remote code execution vulnerability in Microsoft Support Diagnostic Tool (MSDT) that exists when the tool is called using the URL protocol from a calling application such as Microsoft Word.
According to Microsoft, attackers who successfully exploit the bug, tracked as CVE-2022-30190, can run arbitrary code with the privileges of the calling application, and install programs, view change or delete data, or create new accounts in the context allowed by the user’s rights.
The bug is being exploited in the wild, security researchers say, and Microsoft confirms. The vulnerability appears to affect all supported versions of Windows.
Microsoft has yet to release a patch, so admins should apply recommended workarounds quickly now that the bug is public. The company recommends disabling the MSDT URL Protocol to prevent troubleshooters from being launched as links including links throughout the operating system, but troubleshooters can still be accessed using the Get Help application and in system settings.
Per Microsoft, this is how to do so:
- Run Command Prompt as Administrator.
- To back up the registry key, execute the command “reg export HKEY_CLASSES_ROOT\ms-msdt filename“
- Execute the command “reg delete HKEY_CLASSES_ROOT\ms-msdt /f”.
How to undo the workaround
- Run Command Promptas Administrator.
- To back up the registry key, execute the command “reg import filename”
In addition, Microsoft says Protected View or Application Guard for Office can both prevent the attack if the calling application is a Microsoft Office application.
In addition, customers with Microsoft Defender Antivirus should turn on cloud-delivered protection and automatic sample submission to identity and stop new and unknown threats, Microsoft says.
Microsoft Defender Antivirus provides detections and protections for possible vulnerability exploitation under the following signatures using detection build 1.367.719.0 or newer:
- Trojan:Win32/Mesdetty.A
- Trojan:Win32/Mesdetty.B
- Behavior:Win32/MesdettyLaunch.A
- Behavior:Win32/MesdettyLaunch.B
- Behavior:Win32/MesdettyLaunch.C
Microsoft Defender for Endpoint provides customers detections and alerts. The following alert title in the Microsoft 365 Defender portal can indicate threat activity on your network:
- Suspicious behavior by an Office application
- Suspicious behavior by Msdt.exe
Microsoft Defender for Endpoint customers can also enable attack surface reduction rule “BlockOfficeCreateProcessRule” to blocks Office apps from creating child processes.
Leave a Reply