Microsoft has detected a zero-day vulnerability in Windows.
Attackers have been exploiting a zero-day flaw in a Windows utility by way of malicious Word documents. Microsoft has, however, given administrators a workaround that protects their networks against the flaw until a patch is available.
According to ZDNet, security researchers discovered the zero-day over the weekend in a malicious Word document that had been uploaded to VirusTotal, the Google-owned scanning service, on May 25 from an IP address located in Belarus.
Exploit on Microsoft's Search Windows
The Windows vulnerability is tracked as CVE-2022-30190, according to Bleeping Computer. Yesterday, May 30, Microsoft published a security advisory for the flaw, which affects the Microsoft Support Diagnostic Tool (MSDT).
Microsoft has confirmed that MSDT contains a new zero-day weakness that could allow remote code execution on a user's system. According to the Microsoft Security Response Center, the vulnerability affects all Windows and Windows Server products.
For those who are not familiar with it, MSDT is a service available on Windows Server, Windows 11, Windows 10, Windows 8.1, and Windows 7. It lets Microsoft support representatives analyze diagnostic data and help resolve the problems their customers are experiencing.
When MSDT is invoked through its URL protocol by a calling application such as Word, a remote code execution vulnerability exists. An attacker who successfully exploits it can run arbitrary code with the privileges of the calling application. That means the attacker can install programs; view, change, or delete data; or create new accounts, all within the context allowed by the user's rights.
The Microsoft Security Response Center (MSRC) has published its description of the "MSDT in Windows vulnerability" together with detailed mitigations, and has updated Defender with signatures for the attack. Despite the mitigation and detection guidance, however, it is important to note that there is no patch yet.
Microsoft's Recommendation
In this case, attackers are using a malicious Word document to abuse the URL protocol of the Windows diagnostic tool. Microsoft therefore advises disabling that protocol, with the following steps:
First, start the Command Prompt as Administrator.
Second, run "reg export HKEY_CLASSES_ROOT\ms-msdt filename" to create a backup of the registry key.
Lastly, run "reg delete HKEY_CLASSES_ROOT\ms-msdt /f" at the command prompt to remove the protocol handler.
Microsoft also provided a way to undo the workaround:
Start by launching the Command Prompt as Administrator.
Then run "reg import filename" to restore the registry key from the backup.
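The backup, removal, and restore steps above, wrapped in a script that verifies each step before moving on, as an added example that is not from the article or from Microsoft's advisory. It assumes an elevated PowerShell session; the backup location in $BackupPath is an assumed, arbitrary choice.

```powershell
# Added example: apply, verify and undo the ms-msdt workaround for CVE-2022-30190.
# Assumes elevated PowerShell; $BackupPath is an assumed location, change as needed.
$RegKey     = 'HKEY_CLASSES_ROOT\ms-msdt'            # form used by reg.exe
$KeyPath    = "Registry::$RegKey"                    # form used by Test-Path
$BackupPath = Join-Path $env:ProgramData 'ms-msdt-backup.reg'

function Test-IsElevated {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    (New-Object Security.Principal.WindowsPrincipal($id)).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-MsdtProtocolStatus {
    # Report whether the handler is present and which command it would launch.
    if (-not (Test-Path $KeyPath)) { return 'ms-msdt: disabled (key absent)' }
    $cmd = (Get-ItemProperty "$KeyPath\shell\open\command" -ErrorAction SilentlyContinue).'(default)'
    "ms-msdt: enabled -> $cmd"
}

function Disable-MsdtProtocol {
    if (-not (Test-IsElevated)) { throw 'Run from an elevated session.' }
    if (-not (Test-Path $KeyPath)) { Write-Host 'ms-msdt handler already absent.'; return }
    # Back up first and refuse to delete if the export did not produce a file.
    & reg.exe export $RegKey $BackupPath /y | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path $BackupPath)) {
        throw "Backup to $BackupPath failed; handler left in place."
    }
    & reg.exe delete $RegKey /f | Out-Null
    if (Test-Path $KeyPath) { throw 'Delete ran but the key still exists.' }
    Write-Host "ms-msdt handler removed; backup at $BackupPath"
}

function Restore-MsdtProtocol {
    if (-not (Test-IsElevated)) { throw 'Run from an elevated session.' }
    if (-not (Test-Path $BackupPath)) { throw "No backup found at $BackupPath" }
    & reg.exe import $BackupPath | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path $KeyPath)) {
        throw 'Import failed; ms-msdt handler not restored.'
    }
    Write-Host 'ms-msdt handler restored.'
}

Get-MsdtProtocolStatus   # show the current state before deciding to Disable-/Restore-
```

Run Disable-MsdtProtocol to apply the workaround and Restore-MsdtProtocol once a patch has been installed; Get-MsdtProtocolStatus is also a quick fleet check for whether a host still has the handler registered.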
Microsoft also recommends that customers turn on cloud-delivered protection and automatic sample submission. These protections use artificial intelligence and machine learning to quickly identify and stop new threats, limiting further damage.
The company also stated that, for Microsoft Defender for Endpoint customers, the BlockOfficeCreateProcessRule rule stops Office applications from spawning child processes.
In addition, Microsoft Defender Antivirus detects and protects against the following exploits of this vulnerability with detection build 1.367.851.0 or higher:
Trojan:Win32/Mesdetty.A (blocks the msdt command line)
Trojan:Win32/Mesdetty.B (blocks the msdt command line)
Behavior:Win32/MesdettyLaunch.A!blk (terminates the process that launched the msdt command line)
Trojan:Win32/MesdettyScript.A (detects dropped HTML files that contain a suspicious msdt command)
Trojan:Win32/MesdettyScript.B (detects dropped HTML files that contain a suspicious msdt command)