
Microsoft has acknowledged a new zero-day remote code execution flaw in its Microsoft Support Diagnostic Tool (MSDT). The Microsoft Security Response Center team explained that the security flaw impacts all supported versions of Windows and Windows Server.
Microsoft Support Diagnostic Tool (MSDT) is a service in Windows 11/10/8.1/7 and Windows Server. The tool enables Microsoft support representatives to analyze diagnostic data and find a resolution for the problems experienced by users.
Security researcher Kevin Beaumont first discovered and reported the vulnerability, tracked as CVE-2022-30190 and dubbed “Follina,” to Microsoft on April 12. The flaw abuses an Office feature to retrieve a hypertext markup language (HTML) file, which then uses MSDT to execute a snippet of PowerShell code. Beaumont and other security researchers confirmed that they were able to exploit the vulnerability on Office 2021, Office 2019, Office 2016, and Office 2013.
“A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word. An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights,” the MSRC team explained.
Microsoft noted that the zero-day vulnerability is being actively exploited by threat actors. The company is working on a permanent fix, and it has outlined steps for disabling the MSDT URL protocol via Command Prompt.
Microsoft has also provided some instructions to help users revert this change if needed. The Microsoft Security Response Center team advises Microsoft Defender users to enable cloud-delivered protection and automatic sample submission capabilities. Furthermore, enterprise customers can configure attack surface reduction rules in Microsoft Defender for Endpoint to prevent Office apps from creating child processes.
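A defender-side check for the process chain described above, added here as an example and not taken from Microsoft or the original article: it scans process-creation events for an Office application launching `msdt.exe`, and separately flags any other Office child process (the behavior the attack surface reduction rule blocks). The event format (one JSON object per line with Sysmon-style `Image` and `ParentImage` fields), the host names, and the list of Office executables are assumptions, and the sample events are constructed.

```python
import json
import ntpath

# Assumed set of Office "calling applications" to watch as parent processes.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
MSDT_IMAGE = "msdt.exe"

# Constructed sample events (not real telemetry), one JSON object per line.
SAMPLE_EVENTS = r"""
{"host": "ws-01", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "Image": "C:\\Windows\\System32\\msdt.exe"}
{"host": "ws-02", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE", "Image": "C:\\Windows\\System32\\cmd.exe"}
{"host": "ws-03", "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\msdt.exe"}
{"host": "ws-04", "Image": "C:\\Windows\\System32\\msdt.exe"}
this line is not JSON and must be skipped
"""

def image_name(path):
    """Return the lower-cased executable name from a Windows path."""
    if not isinstance(path, str):
        return ""
    return ntpath.basename(path).lower()

def classify(event):
    """Label an event whose parent is an Office application, else None."""
    parent = image_name(event.get("ParentImage"))
    child = image_name(event.get("Image"))
    if parent not in OFFICE_PARENTS or not child:
        return None
    # Office launching MSDT matches the chain in the MSRC description.
    if child == MSDT_IMAGE:
        return "office-spawned-msdt"
    # Any other Office child is what the ASR rule would block.
    return "office-child-process"

def scan(text):
    """Return (host, label) for every flagged event in the log text."""
    findings = []
    for line in text.splitlines():
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank or malformed line
        if isinstance(event, dict) and (label := classify(event)):
            findings.append((event.get("host", "unknown"), label))
    return findings

if __name__ == "__main__":
    for host, label in scan(SAMPLE_EVENTS):
        print(f"{host}: {label}")
```

The `explorer.exe` parent on ws-03 is not flagged, since a user starting the troubleshooter directly is not the Office-to-MSDT chain.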
Microsoft Acknowledges Office Zero-Day Flaw Affecting Windows Diagnostic Tool
May 31, 2022 | Rabia Noureen