Upcoming Webinar
Cayosoft Shows How Forest Recovery Tech Addresses Survey Issues
Join this webinar and not only learn about what your peers are doing, but also learn about a new patent-pending modern approach to AD forest recovery from Cayosoft.
New episode!
The Scoop on Loop: The Latest Innovations Directly From Microsoft!
Darrell Webster speaks to Rebecca Keys, a Program Manager from the Microsoft Loop team.
Turn Data Protection into an MRR Growth Engine
Security for your customers, revenue for your MSP practice. Access key insights on how to scale your practice with SkyKick’s new eGuide.
MSP eGuide to Package, Sell and Deliver M365 Security Services
Based on input from our top-performing MSPs, SkyKick prepared the MSP Guide to help you navigate the security landscape.

Microsoft Acknowledges Office Zero-Day Flaw Affecting Windows Diagnostic Tool

Microsoft has acknowledged a new zero-day remote code execution flaw in its Microsoft Support Diagnostic Tool (MSDT). The Microsoft Security Response Center team explained that the security flaw impacts all supported versions of Windows and Windows Server.

Microsoft Support Diagnostic Tool (MSDT) is a service in Windows 11/10/8.1/7 and Windows Server. The tool enables the Microsoft support representatives to analyze diagnostic data and find a resolution for the problems experienced by users.

Tracked as CVE-2022-30190, security researcher Kevin Beaumont first discovered and reported the vulnerability dubbed “Follina” to Microsoft on April 12. The flaw abuses an Office feature to retrieve a hypertext markup language (HTML) file, which then uses MSDT to execute a snippet of PowerShell code. Beaumont and other security researchers confirmed that they were able to exploit the vulnerability on Office 2021, Office 2019, Office 2016, and Office 2013.

“A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word. An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights,” The MSRC Team explained.

Microsoft provides a workaround to fix the RCE flaw in MSDT

Microsoft noted that the zero-day vulnerability is being actively exploited by threat actors. The company is working on a permanent fix, and it has outlined steps for disabling the MSDT URL protocol via Command Prompt.

First of all, run Command Prompt with Administrator privileges.
Run the following command to back up the registry key: “reg export HKEY_CLASSES_ROOT\ms-msdt filename“
Finally, execute the command: “reg delete HKEY_CLASSES_ROOT\ms-msdt /f“.

Microsoft has also provided some instructions to help users revert this change if needed. The Microsoft Security Response Center team advises Microsoft Defender users to enable cloud-delivered protection and automatic sample submission capabilities. Furthermore, enterprise customers can configure attack surface reduction rules in Microsoft Defender for Endpoint to prevent Office apps from creating child processes.

by Rabia Noureen
May 31, 2022

Rabia comes from a solid IT background and has been writing professionally about Microsoft products and other technology for four years. Rabia has also written for OnMSFT.com as well as Windows Report. She is always up to date on the latest trends in...

What is a Roaming User Profile on Windows?

Sep 1, 2023
Oct 24, 2023
How to Add Microsoft Store Apps to Intune

May 5, 2023
Microsoft Releases May 2023 Patch Tuesday Updates for Windows 11 and Windows 10

May 9, 2023

Take our survey

PETRI NEWSLETTERS

Join Petri Insider

Create a free account today to participate in forum conversations, comment on posts and more.