Microsoft has released mitigation guidance to block attacks that exploit a newly disclosed Office zero-day vulnerability, which has been leveraged in the wild to remotely execute malicious code.
The flaw is a remote code execution vulnerability in the Microsoft Windows Support Diagnostic Tool (MSDT).
Microsoft has assigned it the identifier CVE-2022-30190. The issue affects all Windows versions (Windows 7 and later, Windows Server 2008 and later) that are still receiving security updates.
Microsoft Has Released Protection For An Office Zero-Day Vulnerability
According to security researcher nao_sec, threat actors use it to execute malicious PowerShell commands through MSDT in what Redmond calls Arbitrary Code Execution (ACE) attacks, triggered when a Word document is opened or previewed. According to the tech giant, “a successful exploit of this vulnerability allows an attacker to run arbitrary code with the privileges of the caller program.”
“In the context permitted by the user’s permissions, the attacker can then install applications, read, alter, or remove data, or establish new accounts.” According to Redmond, admins and users can prevent CVE-2022-30190 attacks by disabling the MSDT URL protocol, which attackers use to launch troubleshooters and execute code on vulnerable computers. Once Microsoft releases a CVE-2022-30190 fix, you can reverse the workaround by opening an elevated command prompt and running the reg import ms-msdt.reg command.
Microsoft Defender Antivirus 1.367.719.0 and later includes detections for attempts to exploit the vulnerability. While Microsoft states that Protected View and Application Guard for Office will block CVE-2022-30190 attacks, CERT/CC vulnerability analyst Will Dormann (and others) found that these protections do not stop exploitation if the target previews the malicious document in Windows Explorer. Disabling the Preview pane in Windows Explorer is therefore also recommended to close this attack vector.
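The workaround described above is a registry change, so it is worth scripting it with a backup, a verification step and a rollback path. The following PowerShell is an added example written for this article; it is not Microsoft's own script or the advisory text. It assumes an elevated session, a backup location under the system drive, and that the Explorer preview pane can be hidden through the `NoPreviewPane` policy value (an assumption about Explorer policy keys, not something the article states). The signature-version check compares against the 1.367.719.0 figure quoted above.

```powershell
# Added example (not from Microsoft or the original article): apply, verify and
# reverse the CVE-2022-30190 workaround of removing the ms-msdt: URL protocol handler.
# Run from an elevated PowerShell session.

$RegKey     = 'HKEY_CLASSES_ROOT\ms-msdt'          # key named in Microsoft's guidance
$PsPath     = "Registry::$RegKey"                  # PowerShell provider path for the same key
$BackupFile = Join-Path $env:SystemDrive 'ms-msdt.reg'   # assumed backup location

function Test-MsdtHandlerPresent {
    # True while the ms-msdt: protocol handler still exists, i.e. the host is unmitigated.
    return (Test-Path -Path $PsPath)
}

function Disable-MsdtHandler {
    if (-not (Test-MsdtHandlerPresent)) {
        Write-Output 'ms-msdt handler already absent; nothing to do'
        return
    }
    # Export first so the change can be undone once the vendor fix is installed.
    reg.exe export $RegKey $BackupFile /y | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path $BackupFile)) {
        throw "Backup to $BackupFile failed; refusing to delete the key"
    }
    reg.exe delete $RegKey /f | Out-Null
    if (Test-MsdtHandlerPresent) { throw 'Key deletion failed; handler still present' }
    Write-Output "ms-msdt handler removed; backup saved to $BackupFile"
}

function Restore-MsdtHandler {
    # Reverse the workaround (the 'reg import ms-msdt.reg' step from the guidance).
    if (-not (Test-Path $BackupFile)) { throw "No backup found at $BackupFile" }
    reg.exe import $BackupFile | Out-Null
    if (-not (Test-MsdtHandlerPresent)) { throw 'Import ran but the handler is still missing' }
    Write-Output 'ms-msdt handler restored from backup'
}

function Disable-ExplorerPreviewPane {
    # Assumption: Explorer honours the NoPreviewPane policy value for the current user.
    $PolicyPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    if (-not (Test-Path $PolicyPath)) { New-Item -Path $PolicyPath -Force | Out-Null }
    New-ItemProperty -Path $PolicyPath -Name 'NoPreviewPane' -PropertyType DWord -Value 1 -Force | Out-Null
    Write-Output 'Explorer preview pane disabled for the current user (takes effect on next Explorer start)'
}

function Test-DefenderSignatureCoverage {
    # Compare the installed Defender AV signature version with the first version
    # the article reports as carrying CVE-2022-30190 detections.
    $Minimum = [version]'1.367.719.0'
    $Status  = Get-MpComputerStatus
    $Current = [version]$Status.AntivirusSignatureVersion
    return [pscustomobject]@{
        Installed = $Current
        Required  = $Minimum
        Covered   = ($Current -ge $Minimum)
    }
}

# Typical run: record the starting state, mitigate, then confirm.
"Handler present before: $(Test-MsdtHandlerPresent)"
Disable-MsdtHandler
Disable-ExplorerPreviewPane
"Handler present after:  $(Test-MsdtHandlerPresent)"
Test-DefenderSignatureCoverage | Format-List
# Later, after patching: Restore-MsdtHandler
```

The export-before-delete ordering matters: if the backup fails the script refuses to touch the key, so there is always a file to feed back to `reg import`. `Test-MsdtHandlerPresent` doubles as a fleet-wide audit check, since it returns a plain boolean that can be collected by whatever remote-execution tooling is already in place.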
Microsoft initially told the researchers who discovered and reported the zero-day bug in April that it was not a “security-related problem.” Despite this, the vulnerability submission report was later closed with a remote code execution impact.
The initial attacks leveraging this zero-day flaw, which began over a month ago, used invitations to Sputnik Radio interviews and sextortion threats as lures.