Security
Headlines
HeadlinesLatestCVEs

Headline

Guidance for CVE-2022-30190 Microsoft Support Diagnostic Tool Vulnerability

On Monday May 30, 2022, Microsoft issued CVE-2022-30190 regarding the Microsoft Support Diagnostic Tool (MSDT) in Windows vulnerability. A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word. An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the … Guidance for CVE-2022-30190 Microsoft Support Diagnostic Tool Vulnerability Read More »

msrc-blog
#vulnerability#mac#windows#microsoft#intel#rce

On Monday May 30, 2022, Microsoft issued CVE-2022-30190 regarding the Microsoft Support Diagnostic Tool (MSDT) in Windows vulnerability.

A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word. An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights.

Workarounds

To disable the MSDT URL Protocol

Disabling MSDT URL protocol prevents troubleshooters being launched as links including links throughout the operating system. Troubleshooters can still be accessed using the Get Help application and in system settings as other or additional troubleshooters. Follow these steps to disable:

  1. Run Command Prompt as Administrator.
  2. To back up the registry key, execute the command “reg export HKEY_CLASSES_ROOT\ms-msdt filename
  3. Execute the command “reg delete HKEY_CLASSES_ROOT\ms-msdt /f”.

How to undo the workaround

  1. Run Command Prompt as Administrator.
  2. To back up the registry key, execute the command “reg import filename”

Microsoft Defender Detections & Protections

Customers with Microsoft Defender Antivirus should turn-on cloud-delivered protection and automatic sample submission. These capabilities use artificial intelligence and machine learning to quickly identify and stop new and unknown threats.

Customers of Microsoft Defender for Endpoint can enable attack surface reduction rule “BlockOfficeCreateProcessRule” that blocks Office apps from creating child processes. Creating malicious child processes is a common malware strategy. For more information see Attack surface reduction rules overview.

Microsoft Defender Antivirus provides detections and protections for possible vulnerability exploitation under the following signatures using detection build 1.367.719.0 or newer:

  • Trojan:Win32/Mesdetty.A
  • Trojan:Win32/Mesdetty.B
  • Behavior:Win32/MesdettyLaunch.A
  • Behavior:Win32/MesdettyLaunch.B
  • Behavior:Win32/MesdettyLaunch.C

Microsoft Defender for Endpoint provides customers detections and alerts. The following alert title in the Microsoft 365 Defender portal can indicate threat activity on your network:

  • Suspicious behavior by an Office application
  • Suspicious behavior by Msdt.exe

FAQ

Q: Does Protected View and Application Guard for Office provide protection from this vulnerability?

A: If the calling application is a Microsoft Office application, by default, Microsoft Office opens documents from the internet in Protected View or Application Guard for Office, both of which prevent the current attack.

  • For information about Protected View, see What is Protected View?
  • For information about Application Guard for Office, see Application Guard for Office.

We will update CVE-2022-30190 with further information.

The MSRC Team

Related news

RomCom RAT Targeting NATO and Ukraine Support Groups

The threat actors behind the RomCom RAT have been suspected of phishing attacks targeting the upcoming NATO Summit in Vilnius as well as an identified organization supporting Ukraine abroad. The findings come from the BlackBerry Threat Research and Intelligence team, which found two malicious documents submitted from a Hungarian IP address on July 4, 2023. RomCom, also tracked under the names

Microsoft Follina Bug Is Back in Meme-Themed Cyberattacks Against Travel Orgs

A two-bit comedian is using a patched Microsoft vulnerability to attack the hospitality industry, and really laying it on thick along the way.

Russian Sandworm Hackers Impersonate Ukrainian Telecoms to Distribute Malware

A threat cluster linked to the Russian nation-state actor tracked as Sandworm has continued its targeting of Ukraine with commodity malware by masquerading as telecom providers, new findings show. Recorded Future said it discovered new infrastructure belonging to UAC-0113 that mimics operators like Datagroup and EuroTransTelecom to deliver payloads such as Colibri loader and Warzone RAT. The

Microsoft Patch Tuesday August 2022: DogWalk, Exchange EOPs, 13 potentially dangerous, 2 funny, 3 mysterious vulnerabilities

Hello everyone! In this episode, let’s take a look at the Microsoft Patch Tuesday August 2022 vulnerabilities. I use my Vulristics vulnerability prioritization tool as usual. I take comments for vulnerabilities from Tenable, Qualys, Rapid7, ZDI and Kaspersky blog posts. Also, as usual, I take into account the vulnerabilities added between the July and August […]

Microsoft Patches ‘Dogwalk’ Zero-Day and 17 Critical Flaws

August Patch Tuesday tackles 121 CVEs, 17 critical bugs and one zero-day bug exploited in the wild.

New Woody RAT Malware Being Used to Target Russian Organizations

An unknown threat actor has been targeting Russian entities with a newly discovered remote access trojan called Woody RAT for at least a year as part of a spear-phishing campaign. The advanced custom backdoor is said to be delivered via either of two methods: archive files and Microsoft Office documents leveraging the now-patched "Follina" support diagnostic tool vulnerability (CVE-2022-30190)

Empower Your Security Operations Team to Combat Emerging Threats

When examining the modern threat landscape, empowering your security operations and overcoming the limitations inherent with other malware prevention solutions is imperative.

You Need to Update Windows and Chrome Right Now

Plus: Google issues fixes for Android bugs, and Cisco, Citrix, SAP, WordPress, and more issue major patches for enterprise systems.

Russia's APT28 Launches Nuke-Themed Follina Exploit Campaign

Researchers have spotted the threat group, also known as Fancy Bear and Sofacy, using the Windows MSDT vulnerability to distribute information stealers to users in Ukraine.

Russia’s APT28 uses fear of nuclear war to spread Follina docs in Ukraine

Threat actors associated with Russian intelligence are using the fear or nuclear war to spread data-stealing malware in Ukraine. The post Russia’s APT28 uses fear of nuclear war to spread Follina docs in Ukraine appeared first on Malwarebytes Labs.

Update now!  Microsoft patches Follina, and many other security updates

Patch Tuesday for June 2022 brought a fix for Follina and many other security vulnerabilities. Time to figure out what needs to be prioritized. The post Update now!  Microsoft patches Follina, and many other security updates appeared first on Malwarebytes Labs.

Patch Tuesday: Microsoft Issues Fix for Actively Exploited 'Follina' Vulnerability

Microsoft officially released fixes to address an actively exploited Windows zero-day vulnerability known as Follina as part of its Patch Tuesday updates. Also addressed by the tech giant are 55 other flaws, three of which are rated Critical, 51 are rated Important, and one is rated Moderate in severity. Separately, five other shortcomings were resolved in the Microsoft Edge browser. <!-

Researchers Warn of Unpatched "DogWalk" Microsoft Windows Vulnerability

An unofficial security patch has been made available for a new Windows zero-day vulnerability in the Microsoft Support Diagnostic Tool (MSDT), even as the Follina flaw continues to be exploited in the wild. The issue — referenced as DogWalk — relates to a path traversal flaw that can be exploited to stash a malicious executable file to the Windows Startup folder when a potential target opens a

Follina Exploited by State-Sponsored Hackers

A government-aligned attacker tried using a Microsoft vulnerability to attack U.S. and E.U. government targets.

State-Backed Hackers Exploit Microsoft 'Follina' Bug to Target Entities in Europe and U.S

A suspected state-aligned threat actor has been attributed to a new set of attacks exploiting the Microsoft Office "Follina" vulnerability to target government entities in Europe and the U.S. Enterprise security firm Proofpoint said it blocked attempts at exploiting the remote code execution flaw, which is being tracked CVE-2022-30190 (CVSS score: 7.8). No less than 1,000 phishing messages

Threat Source newsletter (June 2, 2022) — An RSA Conference primer

By Jon Munshaw.  Welcome to this week’s edition of the Threat Source newsletter.  Many of you readers may be gearing up for a West Coast swing over the next few weeks through San Francisco and Las Vegas for RSA and Cisco Live, respectively. And we’re right behind you!   Talos... [[ This is only the beginning! Please visit the blog for the complete entry ]]

Fighting Follina: Application Vulnerabilities and Detection Possibilities

Although organizations should perform proper risk analysis and patch as soon as practical after there's a fix for this vulnerability, defenders still have options before that's released.

CVE-2022-30190

Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability.

FAQ: Mitigating Microsoft Office’s ‘Follina’ zero-day

FAQ for the new Follina zero-day vulnerability. What you can do to protect your computers right now. The post FAQ: Mitigating Microsoft Office’s ‘Follina’ zero-day appeared first on Malwarebytes Labs.

Unofficial Micropatch for Follina Released as Chinese Hackers Exploit the 0-day

By Waqas The Follina vulnerability was originally discovered after a malicious Microsoft Word document was uploaded on VirusTotal from a… This is a post from HackRead.com Read the original post: Unofficial Micropatch for Follina Released as Chinese Hackers Exploit the 0-day

Threat Advisory: Zero-day vulnerability in Microsoft diagnostic tool MSDT could lead to code execution

A recently discovered zero-day vulnerability in the Microsoft Windows Support Diagnostic Tool (MSDT) made headlines over the past few days. CVE-2022-30190, also known under the name "Follina," exists when MSDT is called using the URL protocol from an application, such as Microsoft Office, Microsoft... [[ This is only the beginning! Please visit the blog for the complete entry ]]

Microsoft Releases Workaround for ‘One-Click’ 0Day Under Active Attack

Threat actors already are exploiting vulnerability, dubbed ‘Follina’ and originally identified back in April, to target organizations in Russia and Tibet, researchers said.

Chinese Hackers Begin Exploiting Latest Microsoft Office Zero-Day Vulnerability

An advanced persistent threat (APT) actor aligned with Chinese state interests has been observed weaponizing the new zero-day flaw in Microsoft Office to achieve code execution on affected systems. "TA413 CN APT spotted [in-the-wild] exploiting the Follina zero-day using URLs to deliver ZIP archives which contain Word Documents that use the technique," enterprise security firm Proofpoint said in

New Microsoft Zero-Day Attack Underway

"Follina" vulnerability in Microsoft Support Diagnostic Tool (MSDT) affects all currently supported Windows versions and can be triggered via specially crafted Office documents.

Microsoft Office MSDT Follina Proof Of Concept

Proof of concept for the remote code execution vulnerability in MSDT known as Follina.

Microsoft Releases Workarounds for Office Vulnerability Under Active Exploitation

Microsoft on Monday published guidance for a newly discovered zero-day security flaw in its Office productivity suite that could be exploited to achieve code execution on affected systems. The weakness, now assigned the identifier CVE-2022-30190, is rated 7.8 out of 10 for severity on the CVSS vulnerability scoring system. Microsoft Office versions Office 2013, Office 2016, Office 2019, and

Guidance for CVE-2022-30190 Microsoft Support Diagnostic Tool Vulnerability

UPDATE July 12, 2022: As part of the response by Microsoft, a defense in depth variant has been found and fixed in the Windows July cumulative updates. Microsoft recommends installing the July updates as soon as possible. Windows Version Link to KB article LInk to Catalog Windows 8.1, Windows Server 2012 R2 5015805 Download Windows Server 2012 5015805 Download Windows 7, Windows Server 2008 R2 5015805 Download Windows Server 2008 SP2 5015805 Download On Monday May 30, 2022, Microsoft issued CVE-2022-30190 regarding the Microsoft Support Diagnostic Tool (MSDT) in Windows vulnerability.

msrc-blog: Latest News

Mitigating NTLM Relay Attacks by Default