Microsoft confirms a remote code execution security vulnerability in Microsoft Windows Support Diagnostic Tool (MSDT; Msdt.exe) which serves as a troubleshooting tool for bugs in Windows. It exists when MSDT is called using the URL protocol from an application like Word.
” An attacker who successfully exploited this vulnerability can execute arbitrary code with the privileges of the calling application. The attacker can then install programs, view, modify or delete data, or create new accounts in the context authorized by the user’s rights “, writes Microsoft.
The vulnerability CVE-2022-30190 applies to all versions of Windows. Microsoft does not offer a patch at this time, but points to a temporary workaround to disable the MSDT URL protocol. The modification in the registry (after prior backup) is detailed in this blog post.
At the same time, Microsoft points out that if a specially crafted file is opened by an Office application, Protected View mode or Application Guard for Office help prevent an attack by preventing a payload from executing.
A 0-day and 0-click vulnerability alias Follina
Security researchers, however, argue that the vulnerability is exploitable through a document in RTF format. If desired, the payload can be fetched and executed as part of the document preview, and for example in File Explorer without an open by the user.
On May 27, a booby-trapped Word document for exploiting the vulnerability was submitted and detected on the VirusTotal platform. the CERT-FR written that when this document is opened, one of the OLE (Object Linking and Embedding) objects present in the document downloads content to an external server controlled by the attacker.
” This content exploits a vulnerability that allows malicious code to be executed via the legitimate MSDT binary, in the form of a base-64 encoded Powershell script. It should be noted that this attack works even when macros are disabled in the Office document . “
The security researcher Kevin Beaumont notes that the booby-trapped Word document originated from an IP address in Belarus. It alludes to a 0day vulnerability in Office and/or Windows. She is given the name Follina because the name of the booby-trapped document submitted to VirusTotal refers to 0438 (05-2022-0438.doc) which is the telephone prefix for this Italian town in the province of Treviso in Veneto.
According to Kevin Beaumont’s analysis, exploitation of the vulnerability dates back to April in attacks against targets in Russia.
.
The post Beware of a Vulnerability in Unpatched Windows appeared first on Gamingsym.