Over the weekend, a serious vulnerability (CVE-2022-30190) was discovered.
Microsoft released guidance for the vulnerability, saying the following.
“A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word. An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights.”
Microsoft has not yet released a patch for the vulnerability, but it has published a workaround that disables the MSDT URL protocol handler.
Microsoft's recommended workaround:
- Run Command Prompt as Administrator.
- To back up the registry key, execute the command “reg export HKEY_CLASSES_ROOT\ms-msdt filename”.
- Execute the command “reg delete HKEY_CLASSES_ROOT\ms-msdt /f”.
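The steps above, wrapped in a script that backs up the key before removing it, verifies the removal, and can roll it back with the exported backup. This is an added example, not code from the original post or from Microsoft's guidance; the backup location, the function names and the elevation check are this script's own choices (assumptions), while the reg.exe commands are the ones Microsoft lists (reg import being the documented way to undo a reg export).

```powershell
# Added example: apply, verify and undo Microsoft's CVE-2022-30190 workaround.
# Must be run from an elevated PowerShell session. Backup path and function
# names are assumptions made for this script.

$KeyPath    = 'HKEY_CLASSES_ROOT\ms-msdt'
$BackupFile = Join-Path $env:ProgramData ('ms-msdt-backup-{0}.reg' -f (Get-Date -Format 'yyyyMMdd-HHmmss'))

function Assert-Elevated {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $p  = New-Object Security.Principal.WindowsPrincipal($id)
    if (-not $p.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this script from an elevated (Administrator) PowerShell session.'
    }
}

function Test-MsdtHandlerPresent {
    # The Registry:: provider path lets Test-Path look at HKCR without mapping a drive.
    return (Test-Path "Registry::$KeyPath")
}

function Disable-MsdtUrlHandler {
    Assert-Elevated
    if (-not (Test-MsdtHandlerPresent)) {
        Write-Output "$KeyPath is already absent; nothing to do."
        return
    }
    # Step 1 of Microsoft's guidance: back up the key with reg export.
    & reg.exe export $KeyPath $BackupFile /y | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path $BackupFile)) {
        throw "Backup to $BackupFile failed; refusing to delete the key without a backup."
    }
    # Step 2: delete the key with reg delete ... /f.
    & reg.exe delete $KeyPath /f | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg delete $KeyPath failed (exit code $LASTEXITCODE)." }
    # Verify: the ms-msdt: protocol handler key should no longer exist.
    if (Test-MsdtHandlerPresent) { throw 'Key still present after delete; workaround not applied.' }
    Write-Output "Workaround applied. Backup saved to $BackupFile"
}

function Restore-MsdtUrlHandler {
    param([Parameter(Mandatory)] [string] $FromBackup)
    Assert-Elevated
    if (-not (Test-Path $FromBackup)) { throw "Backup file $FromBackup not found." }
    # Undo: re-import the exported key.
    & reg.exe import $FromBackup | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg import failed (exit code $LASTEXITCODE)." }
    if (-not (Test-MsdtHandlerPresent)) { throw 'Key still absent after import.' }
    Write-Output "ms-msdt handler restored from $FromBackup"
}

# Usage (elevated):
#   Disable-MsdtUrlHandler
#   Restore-MsdtUrlHandler -FromBackup 'C:\ProgramData\ms-msdt-backup-20220601-090000.reg'
```

The script refuses to delete the key if the export did not produce a file, so a failed backup never leaves a machine with no way to undo the change once a patch arrives.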
This vulnerability is particularly dangerous because it can be triggered by something as simple as a person opening a Word document. According to Microsoft, an attacker who exploits it could
“install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights”.
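Microsoft's description of the mechanism (MSDT launched through its URL protocol from a calling application such as Word) gives defenders a concrete thing to look for in process-creation telemetry: msdt.exe started by Word, or any command line carrying the ms-msdt: protocol. The check below is an added example, not from the original post or from Microsoft; it assumes Sysmon-style Event ID 1 field names (Image, ParentImage, CommandLine), the list of Office parents beyond Word is an assumption, and the sample events are constructed for illustration rather than captured from a real incident.

```powershell
# Added example: flag process-creation events consistent with the CVE-2022-30190
# mechanism. Field names follow Sysmon Event ID 1 (assumption); sample events are constructed.

function Test-MsdtLaunchFromOffice {
    param([Parameter(Mandatory)] [pscustomobject] $Event)
    # Word is the parent Microsoft names; the other Office binaries are an assumption.
    $officeParents = @('winword.exe', 'excel.exe', 'powerpnt.exe', 'outlook.exe')

    $image  = [IO.Path]::GetFileName([string]$Event.Image).ToLowerInvariant()
    $parent = [IO.Path]::GetFileName([string]$Event.ParentImage).ToLowerInvariant()
    $cmd    = [string]$Event.CommandLine

    # Condition 1: msdt.exe spawned directly by an Office application.
    $msdtFromOffice = ($image -eq 'msdt.exe') -and ($officeParents -contains $parent)
    # Condition 2: the ms-msdt: URL protocol appears anywhere in the command line,
    # regardless of parent, which also catches indirect launches.
    $msdtUrl = $cmd -match '(?i)ms-msdt:'

    return ($msdtFromOffice -or $msdtUrl)
}

# Constructed sample events (not real telemetry).
$events = @(
    [pscustomobject]@{ Image = 'C:\Windows\System32\msdt.exe'
                       ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
                       CommandLine = 'msdt.exe ms-msdt:/id ExampleDiagnostic' },
    [pscustomobject]@{ Image = 'C:\Windows\System32\msdt.exe'
                       ParentImage = 'C:\Windows\explorer.exe'
                       CommandLine = 'msdt.exe -id NetworkDiagnosticsWeb' },   # user-launched troubleshooter
    [pscustomobject]@{ Image = 'C:\Windows\System32\notepad.exe'
                       ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
                       CommandLine = 'notepad.exe' }
)

$events |
    Where-Object { Test-MsdtLaunchFromOffice $_ } |
    ForEach-Object { "SUSPICIOUS: $($_.ParentImage) -> $($_.CommandLine)" }
```

Only the first constructed event is flagged: a troubleshooter the user starts from Explorer uses the -id switch rather than the ms-msdt: protocol, and Word launching Notepad involves no MSDT at all. Tune the parent list and add exclusions for any legitimate automation in your environment before alerting on this.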
It is important to note that this vulnerability is still being investigated and that the effectiveness of Microsoft's workaround has not yet been independently confirmed by researchers.
For a technical review of this vulnerability we highly recommend the report by Huntress Labs.
The important facts about this vulnerability are as follows:
- Confirmed to be actively exploited since at least April of this year
- A workaround is in place, although its effectiveness is unconfirmed
We will keep an eye on how this vulnerability develops and update this post.