Microsoft Acknowledges Office Zero-Day Flaw Affecting Windows Diagnostic Tool
Microsoft has acknowledged a new zero-day remote code execution flaw in its Microsoft Support Diagnostic Tool (MSDT). The Microsoft Security Response Center team explained that the security flaw impacts all supported versions of Windows and Windows Server.
Microsoft Support Diagnostic Tool (MSDT) is a service in Windows 11/10/8.1/7 and Windows Server. The tool enables the Microsoft support representatives to analyze diagnostic data and find a resolution for the problems experienced by users.
Tracked as CVE-2022-30190, security researcher Kevin Beaumont first discovered and reported the vulnerability dubbed “Follina” to Microsoft on April 12. The flaw abuses an Office feature to retrieve a hypertext markup language (HTML) file, which then uses MSDT to execute a snippet of PowerShell code. Beaumont and other security researchers confirmed that they were able to exploit the vulnerability on Office 2021, Office 2019, Office 2016, and Office 2013.
“A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word. An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights,” The MSRC Team explained.
Microsoft provides a workaround to fix the RCE flaw in MSDT
Microsoft noted that the zero-day vulnerability is being actively exploited by threat actors. The company is working on a permanent fix, and it has outlined steps for disabling the MSDT URL protocol via Command Prompt.
- First of all, run Command Prompt with Administrator privileges.
- Run the following command to back up the registry key: “reg export HKEY_CLASSES_ROOT\ms-msdt filename“
- Finally, execute the command: “reg delete HKEY_CLASSES_ROOT\ms-msdt /f“.
Microsoft has also provided some instructions to help users revert this change if needed. The Microsoft Security Response Center team advises Microsoft Defender users to enable cloud-delivered protection and automatic sample submission capabilities. Furthermore, enterprise customers can configure attack surface reduction rules in Microsoft Defender for Endpoint to prevent Office apps from creating child processes.
More in Windows Server
Action1 Review – Free Cloud-Native Patch Management for Windows
Dec 5, 2022 | Michael Reinders
Latest Patch Tuesday Updates Cause Freezes, Reboots on Domain Controllers
Nov 25, 2022 | Rabia Noureen
Microsoft Releases Fix for Kerberos Authentication Issues on Domain Controllers
Nov 18, 2022 | Rabia Noureen
Microsoft Confirms Server Manager Disk Resets Could Cause Data Loss
Oct 28, 2022 | Rabia Noureen
September Patch Tuesday Updates Cause Group Policy Issues on Windows PCs
Sep 26, 2022 | Rabia Noureen
Latest Windows Server 2022 Update Improves Protection Against Ransomware Attacks
Aug 17, 2022 | Rabia Noureen
Most popular on petri