On Monday May 30, 2022, Microsoft issued CVE-2022-30190 regarding the Microsoft Support Diagnostic Tool (MSDT) in Windows vulnerability.
A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word. An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights.
Workarounds
To disable the MSDT URL Protocol
Disabling MSDT URL protocol prevents troubleshooters being launched as links including links throughout the operating system. Troubleshooters can still be accessed using the Get Help application and in system settings as other or additional troubleshooters. Follow these steps to disable:
- Run Command Prompt as Administrator.
- To back up the registry key, execute the command “reg export HKEY_CLASSES_ROOT\ms-msdt filename“
- Execute the command “reg delete HKEY_CLASSES_ROOT\ms-msdt /f”.
How to undo the workaround
- Run Command Prompt as Administrator.
- To restore the registry key, execute the command “reg import filename”
Microsoft Defender Detections & Protections
Customers with Microsoft Defender Antivirus should turn-on cloud-delivered protection and automatic sample submission. These capabilities use artificial intelligence and machine learning to quickly identify and stop new and unknown threats.
Customers of Microsoft Defender for Endpoint can enable attack surface reduction rule “BlockOfficeCreateProcessRule” that blocks Office apps from creating child processes. Creating malicious child processes is a common malware strategy. For more information see Attack surface reduction rules overview.
Microsoft Defender Antivirus provides detections and protections for possible vulnerability exploitation under the following signatures using detection build 1.367.719.0 or newer:
- Trojan:Win32/Mesdetty.A (blocks msdt command line)
- Trojan:Win32/Mesdetty.B (blocks msdt command line)
- Behavior:Win32/MesdettyLaunch.A!blk (terminates the process that launched msdt command line)
Microsoft Defender for Endpoint provides customers detections and alerts. The following alert title in the Microsoft 365 Defender portal can indicate threat activity on your network:
- Suspicious behavior by an Office application
- Suspicious behavior by Msdt.exe
FAQ
Q: Does Protected View and Application Guard for Office provide protection from this vulnerability?
A: If the calling application is a Microsoft Office application, by default, Microsoft Office opens documents from the internet in Protected View or Application Guard for Office, both of which prevent the current attack.
- For information about Protected View, see What is Protected View?
- For information about Application Guard for Office, see Application Guard for Office.
We will update CVE-2022-30190 with further information.
The MSRC Team