Microsoft has shared mitigation measures to block attacks exploiting a newly discovered Microsoft Office zero-day flaw abused in the wild to execute malicious code remotely.
Microsoft is now tracking it as CVE-2022-30190. The flaw impacts all Windows versions still receiving security updates (Windows 7+ and Server 2008+).
As security researcher nao_sec found, it is used by threat actors to execute malicious PowerShell commands via MSDT in what Redmond describes as Arbitrary Code Execution (ACE) attacks when opening or previewing Word documents.
“An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application,” Microsoft explains.
“The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights.”
According to Redmond, admins and users can block attacks exploiting CVE-2022-30190 by disabling the MSDT URL protocol, which malicious actors use to launch troubleshooters and execute code on vulnerable systems.
To disable the MSDT URL protocol on a Windows device, you have to go through the following procedure:
- Run Command Prompt as Administrator.
- To back up the registry key, execute the command "reg export HKEY_CLASSES_ROOT\ms-msdt filename"
- Execute the command "reg delete HKEY_CLASSES_ROOT\ms-msdt /f"
After Microsoft releases a CVE-2022-30190 patch, you can undo the workaround by launching an elevated command prompt and executing the reg import filename command (filename is the name of the registry backup created when disabling the protocol).
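The three-step workaround above and its later reversal, wrapped into a single script so that both the mitigation and the rollback are repeatable and each reg.exe exit code is checked. This is an added example written for this article, not Microsoft's or BleepingComputer's code; the backup path C:\Temp\ms-msdt-backup.reg and the function names are assumptions, and the script must run from an elevated PowerShell session. Get-MsdtProtocolState is a small audit helper a defender can run afterwards to confirm the handler is really gone.

```powershell
# Added example (not from the article): apply and undo the CVE-2022-30190 workaround.
# Assumptions: elevated PowerShell session; backup location below is arbitrary.
$BackupPath = 'C:\Temp\ms-msdt-backup.reg'   # assumed path, change to suit your environment

function Test-IsAdministrator {
    # reg export/delete on HKCR require an elevated token
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-MsdtProtocolState {
    # $true when the ms-msdt URL protocol handler is still registered (i.e. not mitigated)
    return Test-Path -Path 'Registry::HKEY_CLASSES_ROOT\ms-msdt'
}

function Disable-MsdtProtocol {
    param([string]$BackupFile = $BackupPath)
    if (-not (Test-IsAdministrator)) { throw 'Run this from an elevated PowerShell session.' }
    if (-not (Get-MsdtProtocolState)) {
        Write-Host 'HKCR\ms-msdt is already absent; nothing to do.'
        return
    }
    $dir = Split-Path -Parent $BackupFile
    if (-not (Test-Path -Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }

    # Step 2 of the article: back up the key (same as "reg export HKEY_CLASSES_ROOT\ms-msdt filename")
    & reg.exe export 'HKEY_CLASSES_ROOT\ms-msdt' $BackupFile /y
    if ($LASTEXITCODE -ne 0) { throw "reg export failed with exit code $LASTEXITCODE" }

    # Step 3 of the article: remove the handler so ms-msdt: URLs no longer launch a troubleshooter
    & reg.exe delete 'HKEY_CLASSES_ROOT\ms-msdt' /f
    if ($LASTEXITCODE -ne 0) { throw "reg delete failed with exit code $LASTEXITCODE" }

    Write-Host "ms-msdt protocol handler removed; backup written to $BackupFile"
}

function Restore-MsdtProtocol {
    param([string]$BackupFile = $BackupPath)
    if (-not (Test-IsAdministrator)) { throw 'Run this from an elevated PowerShell session.' }
    if (-not (Test-Path -Path $BackupFile)) { throw "Backup file $BackupFile not found" }

    # Undo the workaround once the CVE-2022-30190 patch is installed (same as "reg import filename")
    & reg.exe import $BackupFile
    if ($LASTEXITCODE -ne 0) { throw "reg import failed with exit code $LASTEXITCODE" }

    Write-Host 'ms-msdt protocol handler restored from backup'
}

# Usage: apply the workaround now, then verify the handler is gone.
Disable-MsdtProtocol
Write-Host ("Handler still registered: {0}" -f (Get-MsdtProtocolState))
# Later, after patching: Restore-MsdtProtocol
```

Checking the exit code after each reg.exe call matters in practice: if the export fails (for example, because the backup directory is not writable) the script stops before deleting the key, so you are never left without a way to restore the handler. The final Get-MsdtProtocolState call is the check to record in a change ticket or to run across a fleet to confirm the mitigation actually took effect.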
Microsoft Defender Antivirus 1.367.719.0 or newer now also comes with detections for possible vulnerability exploitation under the following signatures:
While Microsoft says that Microsoft Office’s Protected View and Application Guard would block CVE-2022-30190 attacks, CERT/CC vulnerability analyst Will Dormann (and other researchers) found that the security feature will not block exploitation attempts if the target previews the malicious documents in Windows Explorer.
Therefore, it is also advised to disable the Preview pane in Windows Explorer to remove this attack vector.
According to Shadow Chaser Group’s crazyman, the researchers who first spotted and reported the zero-day in April, Microsoft initially tagged the flaw as not a “security-related issue.” However, it later closed the vulnerability submission report with a remote code execution impact.
The first attacks exploiting this zero-day bug began over a month ago and targeted potential Russian-speaking victims with invitations to Sputnik Radio interviews.
BleepingComputer has reached out to Microsoft for more information on this vulnerability (jokingly dubbed Follina) and to ask why it wasn’t considered a security risk. We have yet to receive a reply, but we will update the article as soon as the company shares a statement.