top of page
Writer's pictureInception Security

Microsoft Office - Arbitrary Code Execution

We have recently observed threat actors evolving their procedures in light of Microsoft disabling macros by default in office documents. This new technique would allow threat actors to continue to bypass security controls to infect one or more hosts in an environment. In light of the latest Microsoft Office vulnerabilities, we will likely see broad adoption of macro-less infected documents that will lead to many organizations getting hacked. While Microsoft has shared mitigation steps to block attacks exploiting a newly identified Microsoft Office zero-day vulnerability that is currently being abused in the wild to execute malicious code remotely. The bug is a remote code execution vulnerability in the Microsoft Windows Support Diagnostic Tool (MSDT). Microsoft is now tracking it as CVE-2022-30190. The flaw impacts all Windows versions of Windows still receiving security updates (Windows 7+ and Server 2008+). Security researchers have found that threat actors use it to execute malicious PowerShell commands via MSDT in what Microsoft describes as Arbitrary Code Execution (ACE) attacks when opening or previewing Word documents.

"An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application,"

Microsoft explains in a statement.

"The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user's rights."

Microsoft continues to explain the capabilities the attacker would gain using the vulnerability.



According to Microsoft, administrators and users can block attacks exploiting CVE-2022-30190 by disabling the MSDT URL protocol, which malicious actors use to launch troubleshooters and execute code on vulnerable systems.


To disable the MSDT URL protocol on a Windows device, you have to go through the following procedure:

  1. Run Command Prompt as Administrator.

  2. To back up the registry key, execute the command "reg export HKEY_CLASSES_ROOT\ms-msdt ms-msdt.reg"

  3. Execute the command "reg delete HKEY_CLASSES_ROOT\ms-msdt /f"

After Microsoft releases a CVE-2022-30190 patch, you can undo the workaround by launching an elevated command prompt and executing the reg import ms-msdt.reg command (filename is the name of the registry backup created when disabling the protocol).


Microsoft Defender Antivirus 1.367.719.0 or newer now also comes with detections for possible vulnerability exploitation under the following signatures:

  • Trojan:Win32/Mesdetty.A

  • Trojan:Win32/Mesdetty.B

  • Behavior:Win32/MesdettyLaunch.A

  • Behavior:Win32/MesdettyLaunch.B

  • Behavior:Win32/MesdettyLaunch.C

While Microsoft says that Microsoft Office's Protected View and Application Guard would block CVE-2022-30190 attacks, CERT/CC vulnerability analyst Will Dormann (and other researchers) found that the security feature will not block exploitation attempts if the target previews the malicious documents in Windows Explorer.


Office documents are not the only files being targeted. There was evidence of .RTF files being used to trigger the execution of the malicious code via the preview pane within Windows Explorer. Therefore, it is also advised to disable the Preview pane in Windows Explorer to also remove this attack vector.

"A Rich Text Format file (.RTF) could trigger the invocation of this exploit with just the Preview Pane within Windows Explorer. Much like CVE-2021-40444, this extends the severity of this threat by not just 'single-click' to exploit, but potentially with a 'zero-click' trigger."

Huntress Labs' John Hammond said.


We are here to help!


Are you looking for ongoing advisory services to assist in identifying vulnerabilities and security policies that should be in place and help improve your security posture? The team at Inception Security™ has been leveraged to enhance the security posture of fortune 100 companies, and small and medium-sized businesses. Our team has a depth of knowledge in the cybersecurity industry and will be able to provide value to your business right away.


Contact Inception Security if your company is looking for advisory services.

Comments


bottom of page