Severe Vulnerability in Windows Diagnostic Tool Allows Hackers to Take Control of a Computer
An officially confirmed vulnerability in Microsoft Corp.’s Windows Support Diagnostic Tool can allow hackers to remotely execute code and take control of a targeted Windows computer.
Tracked as CVE-2022-30190 in the Microsoft Support Diagnostic Tool, it was first reported on May 27 by Nao Sec and detailed further on May 29 by security researcher Kevin Beaumont, who nicknamed it “Follina”. The vulnerability primarily affects Office, but it also affects a core Windows function.
The vulnerability, in this case, allows hackers to target Windows users through malicious Word documents. The malicious Word document uses the remote template feature to retrieve an HTML file from a remote server. The download leverages the Microsoft Support Diagnostic Tool protocol scheme to download additional code and execute malicious PowerShell code.
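One way a defender can flag documents that use the remote-template feature described above, as an added example that is not from the article, Microsoft or the researchers it cites: it reads the relationship part in which Word records an attached template and reports any external http/https target. The minimal .docx containers below are constructed in memory and hold only the parts the check reads.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import List
from urllib.parse import urlsplit

# OOXML relationship type for an attached template; Word records it in the
# relationships part that belongs to word/settings.xml.
ATTACHED_TEMPLATE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)
RELS_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
SETTINGS_RELS = "word/_rels/settings.xml.rels"


def remote_templates(docx_bytes: bytes) -> List[str]:
    """Return external http/https template URLs referenced by a .docx (empty if none)."""
    found: List[str] = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if SETTINGS_RELS not in z.namelist():
            return found  # no settings relationships, so no attached template
        root = ET.fromstring(z.read(SETTINGS_RELS))
    for rel in root.iter(f"{RELS_NS}Relationship"):
        if rel.get("Type") != ATTACHED_TEMPLATE:
            continue
        target = rel.get("Target", "")
        # A template fetched over the network is the remote-template trick;
        # a template on local disk (file: or relative path) is ordinary usage.
        if rel.get("TargetMode") == "External" and urlsplit(target).scheme in ("http", "https"):
            found.append(target)
    return found


def build_docx(rels_xml: str) -> bytes:
    """Constructed minimal .docx container carrying only the parts the check reads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/settings.xml", "<w:settings/>")
        z.writestr(SETTINGS_RELS, rels_xml)
    return buf.getvalue()


RELS_OPEN = '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
# Constructed sample: template pulled from a web server (placeholder host).
SUSPICIOUS = build_docx(RELS_OPEN + '<Relationship Id="rId1" Type="%s" '
                        'Target="http://template.example/template.html" TargetMode="External"/>'
                        '</Relationships>' % ATTACHED_TEMPLATE)
# Constructed sample: the ordinary case, template referenced on local disk.
BENIGN = build_docx(RELS_OPEN + '<Relationship Id="rId1" Type="%s" '
                    'Target="file:///C:/Templates/Normal.dotm" TargetMode="External"/>'
                    '</Relationships>' % ATTACHED_TEMPLATE)
```

Run `remote_templates()` over each attachment and treat a non-empty result as a document worth quarantining and inspecting before it is opened.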
Microsoft Word documents with dodgy code aren’t new, but where it gets interesting is that they exploit a previously unknown vulnerability in MSDT. Microsoft has also confirmed the vulnerability.
In a blog post on Monday, the Microsoft Security Response Center described the issue as a remote code execution vulnerability that occurs when MSDT is called using the URL protocol from a calling application such as Word. An attacker who successfully exploits this vulnerability could execute arbitrary code with the privileges of the calling application.
The Microsoft security team added that the attacker can then install programs, view, modify or delete data, or create new accounts within the scope permitted by the user’s rights.
The immediate workaround is to disable the MSDT URL protocol. This involves running the command prompt as administrator and running the command “reg delete HKEY_CLASSES_ROOT\ms-msdt /f”.
Microsoft also recommends that Microsoft Defender Antivirus users enable cloud-delivered protection and automatic sample submission.
“Microsoft Office products present threat actors with an attractive attack surface as employees constantly work with various documents as part of their job responsibilities,” Anton Ovrutsky, adversarial collaboration engineer at information security consulting firm Lares LLC, told SiliconANGLE. “While Microsoft has implemented several hardening changes – including disabling default macro functionality in the latest versions of Office – this recent zero-day not only demonstrates the large attack surface found in Office, but also the need to properly harden and monitor Office applications at the device level, from a detection and response perspective.”
Mike Parkin, senior technical engineer at IT risk management company Vulcan Cyber Ltd., noted that Word and other MS Office documents have long been a popular attack vector.
“Office macros have been a proven attack vector for years, so ‘never trust unsolicited office documents’ is one thing,” Parkin explained. “Macros in office documents gave them great flexibility, but they were also easy for attackers to exploit.”
Alex Ondrick, director of security operations at digital forensics and incident response firm BreachQuest Inc., said attackers use a wide variety of custom scripts, copied code and social engineering attacks to persuade users to interact with their phishing emails.
“Microsoft’s management is concerning, but not surprising – Microsoft seems to be aware that ms-MSDT has a large attack surface and affects a large number of its customers,” Ondrick said. “Given the historical context, I imagine Microsoft is working diligently to bring this zero day under control.”