An officially confirmed vulnerability in Microsoft Corp.’s Windows Support Diagnostic Tool can allow hackers to run remote code and take over a targeted Windows computer.
Known as CVE-2022-30190 in the Microsoft Support Diagnostic Tool, it was first reported May 27 by Nao Sec and then further detailed May 29 by security researcher Kevin Beaumont, who dubbed it “Follina.” The vulnerability primarily relates to Office but also spills into a core Windows function.
In this case the vulnerability allows attackers to target Windows users via malicious Word documents. The document uses Word's remote template feature to fetch an HTML file from a remote server; that HTML file then invokes the Microsoft Support Diagnostic Tool through its ms-msdt: URL protocol scheme to download additional code and execute malicious PowerShell.
Microsoft Word documents with dubious code are not new, but where this gets interesting is that it exploits a previously unknown vulnerability in MSDT. Microsoft has also confirmed the vulnerability.
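As an added illustration of the document-side traits described above (example code written for this page, not from the original article or from Microsoft), the Python scanner below opens a .docx package, reports any attachedTemplate relationship whose target is external, and flags any part that embeds the ms-msdt: scheme; the sample document it builds is constructed for testing and the template URL is a placeholder.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
R_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
ATTACHED_TEMPLATE = R_NS + "/attachedTemplate"
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"

def scan_docx(docx_bytes):
    """Flag Follina-style traits in an OOXML (.docx) zip package:
    an attachedTemplate relationship with TargetMode="External" (the
    remote-template feature used to fetch the HTML stage), and any part
    whose raw bytes contain the ms-msdt: URL scheme. Empty dict = clean."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            data = z.read(name)
            if name.endswith(".rels"):
                for rel in ET.fromstring(data).iter(f"{{{REL_NS}}}Relationship"):
                    if (rel.get("Type") == ATTACHED_TEMPLATE
                            and rel.get("TargetMode") == "External"):
                        findings.setdefault("remote_templates", []).append(
                            (name, rel.get("Target")))
            if re.search(rb"ms-msdt:", data, re.IGNORECASE):
                findings.setdefault("msdt_refs", []).append(name)
    return findings

def build_sample(remote_target=None):
    """Constructed minimal .docx for testing (not a real malicious sample).
    With remote_target set, the attached template points at that URL;
    otherwise it is an ordinary internal template reference (benign)."""
    if remote_target:
        rel = (f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
               f'Target="{remote_target}" TargetMode="External"/>')
    else:
        rel = f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" Target="Normal.dotm"/>'
    rels = f'<Relationships xmlns="{REL_NS}">{rel}</Relationships>'
    settings = (f'<w:settings xmlns:w="{W_NS}" xmlns:r="{R_NS}">'
                '<w:attachedTemplate r:id="rId1"/></w:settings>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/settings.xml", settings)
        z.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()
```

A legitimate corporate template hosted on a file share also shows up as an external target, so treat a hit as a triage signal rather than a verdict.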
In a blog post Monday, the Microsoft Security Response Center describes the issue as a remote code execution vulnerability when MSDT is called using the URL protocol from a calling application such as Word. An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application.
Microsoft’s security team added that the attacker can then install programs, view, change, delete data or create new accounts in the context allowed by the user’s rights.
The immediate workaround is to disable the MSDT URL protocol by running Command Prompt as an administrator and executing the command “reg delete HKEY_CLASSES_ROOT\ms-msdt /f”.
Microsoft also recommends that users of Microsoft Defender Antivirus turn on cloud-delivered protection and automatic sample submission.
“Microsoft Office products present threat actors with an attractive attack surface as employees are constantly working with various documents as part of their job responsibilities,” Anton Ovrutsky, adversarial collaboration engineer at information security consulting firm Lares LLC, told SiliconANGLE. “Although Microsoft has implemented several hardening changes — including disabling macro functionality by default in the latest Office versions — this recent zero-day demonstrates not only the large attack surface found in Office but also the need to properly harden and monitor Office applications on the endpoint level, from a detection and response standpoint.”
Mike Parkin, senior technical engineer at cyber risk management company Vulcan Cyber Ltd., noted that Word and other MS Office documents have been a popular attack vector for a long time.
“Office macros have been a tried-and-true attack vector for years, which is why ‘never trust unsolicited office documents’ is a thing,” Parkin explained. “Macros in office documents lent them great flexibility, but they were also easy for attackers to abuse.”
Alex Ondrick, director of security operations at digital forensics and incident response firm BreachQuest Inc., said attackers use a wide variety of custom scripts, copied code and social engineering attacks to persuade users to interact with their phishing email.
“Microsoft’s handling is concerning, but not surprising — Microsoft seems to be aware that ms-MSDT has a large attack surface and affects a large volume of its customers,” Ondrick said. “Given the historical context of it, I’d imagine that Microsoft is diligently working to get this zero-day under control.”