Published: May 31, 2022
Microsoft has acknowledged a new zero-day remote code execution flaw in its Microsoft Support Diagnostic Tool (MSDT). The Microsoft Security Response Center team explained that the security flaw impacts all supported versions of Windows and Windows Server.
Microsoft Support Diagnostic Tool (MSDT) is a service in Windows 11/10/8.1/7 and Windows Server. The tool enables Microsoft support representatives to analyze diagnostic data and find a resolution for the problems experienced by users.
Tracked as CVE-2022-30190, the vulnerability, dubbed “Follina”, was first discovered by security researcher Kevin Beaumont and reported to Microsoft on April 12. The flaw abuses an Office feature to retrieve a hypertext markup language (HTML) file, which then uses MSDT to execute a snippet of PowerShell code. Beaumont and other security researchers confirmed that they were able to exploit the vulnerability on Office 2021, Office 2019, Office 2016, and Office 2013.
“A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word. An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights,” the MSRC team explained.
Microsoft noted that the zero-day vulnerability is being actively exploited by threat actors. The company is working on a permanent fix, and it has outlined steps for disabling the MSDT URL protocol via Command Prompt.
Microsoft has also provided some instructions to help users revert this change if needed. The Microsoft Security Response Center team advises Microsoft Defender users to enable cloud-delivered protection and automatic sample submission capabilities. Furthermore, enterprise customers can configure attack surface reduction rules in Microsoft Defender for Endpoint to prevent Office apps from creating child processes.
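The two workarounds the article describes, removing the MSDT URL protocol registration and enabling the Defender ASR rule that stops Office apps from creating child processes, as an added PowerShell example that is not code from the article or from Microsoft. The registry key name and the ASR rule GUID are taken from Microsoft's published CVE-2022-30190 guidance, not from this page; the backup file location is an assumption chosen here.

```powershell
#Requires -RunAsAdministrator
# Added example: apply, check and revert the Follina workarounds.
# Key name and rule GUID follow Microsoft's CVE-2022-30190 guidance; the
# backup path is an assumption made for this script.
$MsdtKey    = 'HKEY_CLASSES_ROOT\ms-msdt'
$BackupFile = Join-Path $env:ProgramData 'ms-msdt-backup.reg'
# Defender ASR rule "Block all Office applications from creating child processes"
$AsrOfficeChildProcess = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'

function Test-MsdtHandlerRegistered {
    # True while the ms-msdt: URL protocol handler is still registered on this host
    Test-Path "Registry::$MsdtKey"
}

function Disable-MsdtHandler {
    if (-not (Test-MsdtHandlerRegistered)) { Write-Output 'ms-msdt handler already absent'; return }
    # Export first so the change is reversible; refuse to delete if the backup failed
    reg.exe export $MsdtKey $BackupFile /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Backup to $BackupFile failed; not deleting $MsdtKey" }
    reg.exe delete $MsdtKey /f | Out-Null
    if (Test-MsdtHandlerRegistered) { throw "$MsdtKey still present after delete" }
    Write-Output "ms-msdt handler removed; backup at $BackupFile"
}

function Restore-MsdtHandler {
    # Revert path the article mentions: re-import the exported key
    if (-not (Test-Path $BackupFile)) { throw "No backup found at $BackupFile" }
    reg.exe import $BackupFile | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'reg import failed' }
    Write-Output 'ms-msdt handler restored'
}

function Enable-OfficeChildProcessBlock {
    # Block mode: Office processes can no longer spawn msdt.exe or any other child
    Add-MpPreference -AttackSurfaceReductionRules_Ids $AsrOfficeChildProcess `
                     -AttackSurfaceReductionRules_Actions Enabled
}

function Get-MitigationStatus {
    $prefs = Get-MpPreference
    $ids = @($prefs.AttackSurfaceReductionRules_Ids)
    $idx = -1
    for ($i = 0; $i -lt $ids.Count; $i++) { if ($ids[$i] -eq $AsrOfficeChildProcess) { $idx = $i } }
    [pscustomobject]@{
        MsdtHandlerRegistered = Test-MsdtHandlerRegistered
        # Defender reports actions numerically: 1 = Block, 2 = Audit, 6 = Warn
        AsrOfficeChildProcessAction = if ($idx -ge 0) { $prefs.AttackSurfaceReductionRules_Actions[$idx] } else { 'NotConfigured' }
    }
}

Disable-MsdtHandler
Enable-OfficeChildProcessBlock
Get-MitigationStatus
```

Run `Restore-MsdtHandler` once the vendor fix is installed to undo the protocol removal; the ASR rule can stay in place independently of the patch.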