REQUEST A CONSULTATION
REQUEST A CONSULTATION
  • There are no suggestions because the search field is empty.
gray wave
Solutions | Security | 1 min read

Elevity Cybersecurity Alert: Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Zero-Day Vulnerability in Windows (CVE-2022-30190)

Peter Niebler
Written by Peter Niebler
06/01/2022

Elevity would like to inform you of CVE-2022-30190, a new critical remote code execution (RCE) vulnerability affecting all versions of Windows. If you use Windows in your environment, we recommend reviewing this blog and applying the workaround provided by Microsoft for CVE-2022-30190.

Summary

On Friday, May 27, Security vendor nao_sec identified a malicious document leveraging a zero-day RCE vulnerability (CVE-2022-30190) in Microsoft Windows Support Diagnostic Tool (MSDT).

The actively exploited vulnerability exists when MSDT is called using the URL protocol from a calling application, such as Microsoft Word. By sending a specially crafted Word document that calls out to a remote URL and downloads a malicious payload, a threat actor could gain persistence and run arbitrary code with the privileges of the calling application.

Note: Successful exploitation requires one of the following conditions:

  • A malicious document (such as .doc and .docx) is opened by a targeted user and "Enable editing" is clicked.
  • A malicious .rtf document is previewed or opened by a targeted user.

Recommendations

Recommendation #1: Be on the Latest Elevity Offering
At this time, there is no patch available from Microsoft to mitigate the vulnerability, however, Elevity has seen in the wild where our EDR solution or EDR + SOC solution has detected and stopped these attacks. If you are on the Elevity offerings for EDR (SentinelOne) and/or our 4.0 offering with our SOC you are covered.


Not partnered with Elevity yet? Click here to request a
consultation to get started today!


Recommendation #2: Explore Applying Workaround Provided by Microsoft
Microsoft has provided guidance on a work around for those not in our latest offering. Early testing by Elevity have shown these registry edits to cause issues with using the Microsoft Office Suite so we will not be pushing these automatically unless you have an internal IT team and are confident in your ability to perform these changes.

Note: We recommend following change management best practices for testing the workaround in a dev environment before deploying to production systems.

Review Microsoft’s guidance here to apply the workaround to your affected system(s)

References

  1. Twitter
  2. Follina — a Microsoft Office code execution vulnerability
  3. CVE-2022-30190 Advisory
  4. CVE-2022-30190 Guidance

Practical tips & strategies

Subscribe by Email