After the company’s Security Response Center initially classified a discovered vulnerability as irrelevant, Microsoft revised its position. According to the MSRC team, this is a zero-day vulnerability. The BSI already reports that it is being actively abused.
The error is in the Microsoft Support Diagnostic Tool. This zero-day vulnerability can be used to automatically open a search window, which can be used to run malware remotely, simply by launching a Word document. That’s what security researchers at Proofpoint discovered. They reported the vulnerability under CVE-2022-30190, described the issue, and named the vulnerability “Follina”.
The perfidious thing about this is that attackers can send a correspondingly manipulated Office file that doesn’t even need to be opened to exploit the vulnerability – it’s enough to call up a preview version by clicking on it with the mouse. The BSI therefore now warns against exploitation and strongly recommends using a guide published by Microsoft to fix the problem (you can find the guide at the end of the article) until there is an update.
The vulnerability could be exploited because Windows supports a URI protocol handler called “search-ms” that allows applications and HTML links to initiate custom searches on a device. While most Windows searches search the local device index, it is also possible to force Windows searches to search file shares on remote hosts and use a custom search window title.
According to the security researchers, all versions of Windows 7, Windows 10, and Windows 11 are affected. Microsoft has already published guidelines to mitigate the vulnerability in the Microsoft Support Diagnostic Tool.
A remote code execution vulnerability exists when MSDT is called over the URL protocol from an application such as Word. An attacker who successfully exploited this vulnerability could execute arbitrary code with the privileges of the calling application. The attacker can then install programs, view, modify or delete data, or create new accounts in the context allowed by the user rights.
- To disable the MSDT URL protocol:
- Disabling the MSDT URL protocol prevents troubleshooters from launching as links, including operating system-wide links. Troubleshooters are still accessible through the Get Help application and in System Preferences as other or additional troubleshooters. Follow the steps below to unsubscribe:
- Run the command prompt as an administrator.
- To backup the registry key, run the command “reg export HKEY_CLASSES_ROOTms-msdt filename”
- Run the command “reg delete HKEY_CLASSES_ROOTms-msdt /f”.
In which blog post the team explains other tips, including for Microsoft Defender for Endpoint customers.
Digital marketing enthusiast and industry professional in Digital technologies, Technology News, Mobile phones, software, gadgets with vast experience in the tech industry, I have a keen interest in technology, News breaking.