
Microsoft MSDT Code Execution Vulnerability (Follina) – CVE-2022-30190

Summary

Details of a 0-day vulnerability in Microsoft Office have been released this week.

CVE-2022-30190 (CVSS 3.1: 7.8/7.3 – High) is a remote code execution vulnerability allowing an application such as Microsoft Word to call the MSDT URL protocol with encoded payloads from remote sources, bypassing built-in Office protections, and executing arbitrary code.

The vulnerability can be exploited even when macros are disabled, and payloads exist that avoid the Protected View feature.

The MSDT (Microsoft Support Diagnostic Tool) URL protocol invokes a troubleshooting pack from the command line or as part of an automated script, and enables additional options without user input.

Kevin Beaumont published his research into the exploitation of this vulnerability, including payload samples.

EDR solutions including Cortex XDR and Defender Antivirus have been updated with signatures to detect exploitation attempts. Rules for detection in most other toolings are also available, including URL Filtering rules in PAN-DB.

Since this is an evolving threat and no patch is available from Microsoft, our immediate advice is to follow Microsoft’s workaround and disable the MSDT URL protocol.

Workarounds

Disabling the MSDT URL protocol prevents troubleshooters from being launched as links, including links throughout the operating system. Troubleshooters can still be accessed using the Get Help application and in system settings as other or additional troubleshooters. Follow these steps to disable it:

– Run Command Prompt as Administrator.
– To back up the registry key, execute the command “reg export HKEY_CLASSES_ROOT\ms-msdt filename”.
– Execute the command “reg delete HKEY_CLASSES_ROOT\ms-msdt /f”.

How to undo the workaround:

– Run Command Prompt as Administrator.
– To restore the registry key, execute the command “reg import filename”.
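The following PowerShell script is an added example, not part of the bulletin or Microsoft’s guidance: it wraps the apply and undo procedures above, refuses to delete the key if the backup fails, and adds a Check action so administrators can confirm the handler state on a host. The default backup path and the Check action are assumptions of this example.

```powershell
# Added example: apply, undo, or check the CVE-2022-30190 workaround.
# Run from an elevated PowerShell prompt (the bulletin's steps require Administrator).
param(
    [ValidateSet('Check', 'Apply', 'Undo')]
    [string]$Action = 'Check',
    # Assumed default location for the backup; change as needed.
    [string]$BackupFile = "$env:ProgramData\ms-msdt-backup.reg"
)

$keyPath = 'Registry::HKEY_CLASSES_ROOT\ms-msdt'

function Test-MsdtHandler {
    # $true when the ms-msdt URL protocol handler is still registered.
    return Test-Path -Path $keyPath
}

switch ($Action) {
    'Check' {
        if (Test-MsdtHandler) {
            Write-Output 'ms-msdt URL protocol is REGISTERED (workaround not applied).'
        } else {
            Write-Output 'ms-msdt URL protocol is not registered (workaround applied).'
        }
    }
    'Apply' {
        if (-not (Test-MsdtHandler)) {
            Write-Output 'Nothing to do: HKEY_CLASSES_ROOT\ms-msdt is already absent.'
            return
        }
        # Same command as the bulletin's step 2; /y overwrites an existing backup file.
        reg.exe export HKEY_CLASSES_ROOT\ms-msdt $BackupFile /y
        if ($LASTEXITCODE -ne 0) { throw 'Backup failed; not deleting the key.' }
        # Same command as the bulletin's step 3.
        reg.exe delete HKEY_CLASSES_ROOT\ms-msdt /f
        if (Test-MsdtHandler) { throw 'Key still present after delete; check permissions.' }
        Write-Output "Workaround applied. Backup saved to $BackupFile"
    }
    'Undo' {
        if (-not (Test-Path -Path $BackupFile)) { throw "Backup file not found: $BackupFile" }
        # Same command as the bulletin's undo step.
        reg.exe import $BackupFile
        if (-not (Test-MsdtHandler)) { throw 'Key still absent after import.' }
        Write-Output 'Workaround undone: ms-msdt handler restored from backup.'
    }
}
```

Run with `-Action Apply` while no patch is available, and `-Action Undo` once the Microsoft update is installed.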