A newly discovered exploit is using a flaw in Microsoft's Support Diagnostic Tool (MSDT) to remotely take over end-points via compromised Word documents.
According to Microsoft:
"A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word. An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights."
- Microsoft MSDT Guidance
CVE-2022-30190 (Follina) was first disclosed to Microsoft in April 2022. Ignored at first (or at least not deemed to be a significant vulnerability, Microsoft changed its tune in late May/early June.
As of yet no patch has been released to address the vulnerability but Microsoft has issued guidance on how to address the issue (if only momentarily) until a final solution can be reached.
How to protect your end-points from Follina/CVE-2022-30190
If you're feeling technical you can, as Microsoft suggests, run a Command Prompt do the following:
Disable the MSDT URL Protocol
- Run Command Prompt as Administrator.
- To back up the registry key, execute the command “reg export HKEY_CLASSES_ROOT\ms-msdt filename“
- Execute the command “reg delete HKEY_CLASSES_ROOT\ms-msdt /f”.
How to re-enable the MSDT URL Protocol (when/if applicable/necessary)
- Run Command Prompt as Administrator.
- To restore the registry key, execute the command “reg import filename”
Anything Else?
Microsoft is pitching its Defender platform as a solution to CVE-2022-30190 because...of course they are. This could possibly be the first example of the company monetizing an active exploit rather than fixing it outright as it launches its own MSSP practice.*
Does that mean they won't patch the vulnerability? No, they probably will, eventually. It just might not be on top of mind if it means they can make a few bucks selling Defender for End-Points subscriptions to customers in a pinch.
* As an aside, Blackberry Protect and Cybereason both perform in a similar manner to Microsoft Defender for End-Points. If you're looking to go the software route and the idea of using a Microsoft security product makes you feel icky (and with good reason) there are alternatives on the market.
Admin: Oct 17, 2022 11:23:04 AM
Carl Keyser: Oct 3, 2022 8:00:43 PM
