Windows Support Diagnostic Tool vulnerability allows hackers to take over a computer

An officially confirmed vulnerability in Microsoft Corp.’s Windows Support Diagnostic Tool can allow hackers to run remote code and take over a targeted Windows computer.

CVE-2022-30190 in MSDT was first reported by Nao Sec and then further detailed by security researcher Kevin Beaumont, who dubbed it “Follina.” The vulnerability primarily relates to Office but also spills into a core Windows function.

In this case the vulnerability allows hackers to target Windows users via malicious Word documents. The malicious Word document uses the remote template feature to fetch an HTML file from a remote server. That HTML file then abuses the Microsoft Support Diagnostic Tool URL protocol scheme (ms-msdt:) to download additional code and execute malicious PowerShell code.

Microsoft Word documents with dubious code are not new, but where this gets interesting is exploiting a previously unknown vulnerability in MSDT. Microsoft has also confirmed the vulnerability.

In a blog post, the Microsoft Security Response Center describes the issue as a remote code execution vulnerability when MSDT is called using the URL protocol from a calling application such as Word. An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application.

Microsoft’s security team adds that the attacker can then install programs; view, change or delete data; or create new accounts in the context allowed by the user’s rights.

The immediate workaround is to disable the MSDT URL protocol. This involves running Command Prompt as an Administrator and executing the command “reg delete HKEY_CLASSES_ROOT\ms-msdt /f”.

Microsoft also recommends that users of Microsoft Defender Antivirus should turn on cloud-delivered protection and automatic sample submission.
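The workaround and the Defender settings described above, as an added PowerShell example that is not part of the article or of Microsoft’s own guidance text. It adds one step the article does not mention, an export of the ms-msdt key before deleting it, so the change can be reverted once a patch is installed; the backup file location is an assumption.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article): apply the MSDT URL-protocol workaround
# with a registry backup first, then enable the Defender cloud settings.
# Run from an elevated PowerShell session.

$Key        = 'HKEY_CLASSES_ROOT\ms-msdt'
$BackupFile = Join-Path $env:ProgramData 'ms-msdt-backup.reg'   # assumed location

function Test-MsdtHandlerPresent {
    # True while the ms-msdt: URL handler is still registered in HKCR.
    return Test-Path -Path 'Registry::HKEY_CLASSES_ROOT\ms-msdt'
}

function Disable-MsdtUrlProtocol {
    if (-not (Test-MsdtHandlerPresent)) {
        Write-Output 'ms-msdt handler already absent; nothing to do.'
        return
    }
    # Export the key before deleting it so the workaround can be reversed.
    & reg.exe export $Key $BackupFile /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Backup of $Key failed; aborting." }

    # The workaround from the article: remove the ms-msdt: URL protocol handler.
    & reg.exe delete $Key /f | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Deleting $Key failed." }

    if (Test-MsdtHandlerPresent) { throw 'Handler still present after delete.' }
    Write-Output "ms-msdt handler removed; backup saved to $BackupFile"
}

function Restore-MsdtUrlProtocol {
    # Reverse the workaround after the Microsoft update has been installed.
    & reg.exe import $BackupFile | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Import of $BackupFile failed." }
}

function Enable-DefenderCloudProtection {
    # The Microsoft Defender Antivirus settings recommended in the article:
    # cloud-delivered protection and automatic sample submission.
    Set-MpPreference -MAPSReporting Advanced
    Set-MpPreference -SubmitSamplesConsent SendAllSamples
}

Disable-MsdtUrlProtocol
Enable-DefenderCloudProtection
```

Call Restore-MsdtUrlProtocol from the same elevated session once the patched MSDT is in place.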

“Microsoft Office products present threat actors with an attractive attack surface as employees are constantly working with various documents as part of their job responsibilities,” Anton Ovrutsky, adversarial collaboration engineer at information security consulting firm Lares LLC, told SiliconANGLE. “Although Microsoft has implemented several hardening changes – including disabling macro functionality by default in the latest Office versions – this recent zero-day demonstrates not only the large attack surface found in Office but also the need to properly harden and monitor Office applications on the endpoint level, from a detection and response standpoint.”

Mike Parkin, senior technical engineer at cyber risk management company Vulcan Cyber Ltd., noted that Word and other MS Office documents have been a popular attack vector for a long time.

“Office macros have been a tried-and-true attack vector for years, which is why ‘never trust unsolicited office documents’ is a thing,” Parkin explained. “Macros in office documents lent them great flexibility, but they were also easy for attackers to abuse.”

Alex Ondrick, director of security operations at digital forensics and incident response firm BreachQuest Inc., noted that attackers use a wide variety of custom scripts, copied code and social engineering to convince users to interact with their phishing emails, and that Microsoft’s response to this particular flaw is what stands out.

“Microsoft’s handling is concerning, but not surprising – Microsoft seems to be aware that ms-MSDT has a large attack surface and affects a large volume of its customers,” Ondrick said. “Given the historical context of it, I’d imagine that Microsoft is diligently working to get this zero-day under control.”
