All insights

Microsoft Office “Follina” Zero-Day (CVE-2022-30190)

A white Office logo with an orange background

Read the latest news on CVE-2022-30190

May 31, 20223 min read

What Is It?

On Monday May 30, 2022, Microsoft issued CVE-2022-30190 regarding the Microsoft Support Diagnostic Tool (MSDT) in Windows vulnerability.

A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word. An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights.

How Does It Work?

Though there very likely may be other ways to trigger or abuse this vulnerability, the exploit works like this:

  • You open a poisoned/malicious Office Documents (such as a Word .docx file.)
  • The document references a regular-looking https: URL, that automatically gets downloaded.
  • This https: URL references an HTML file that contains some JavaScript code.
  • That JavaScript references a URL with the identifier ms-msdt: instead of https:.
  • The command line is supplied to the Microsoft Support Diagnostic Tool (MSDT) via the URL type ms-msdt:, causing MSDT to run the untrusted code.

When invoked, the malicious ms-msdt: link triggers the MSDT utility with command line arguments like this: msdt /id pcwdiagnostic.

Unfortunately, the threat actors currently putting this exploit into action appear to have discovered a way, utilizing very unusual but crafty options, to make the MSDT troubleshooter work completely silently and without the need for user interaction.

Instead of the user being prompted on how they would like to proceed, the threat actors have crafted a sequence of parameters that not only cause operation to proceed automatically but also to invoke a PowerShell script along the way. Even worse, this PowerShell script doesn’t have to be on disk already – it can be provided in scrambled source code form right on the command line itself, along with all the other options used.

In response to past malicious Word document attacks, many organizations have moved forward with disabling Visual Basic for Applications (VBA) Office macros which, while a very good security practice to follow, unfortunately does not mitigate the risk for this particular vulnerability.

What Can Be Done?

Proof-of-Concept code is publicly available and this vulnerability is actively being exploited in the wild. While Microsoft has not released a patch (or a timeline as to when they may issue a patch) the best work around currently is to break the relationship between ms-msdt: and the MSDT application by performing the following:

  • Run Command Prompt as Administrator.
  • To back up the registry key, execute the command
    • reg export HKEY_CLASSES_ROOT\ms-msdt filename
  • Execute the following command:
    • reg delete HKEY_CLASSES_ROOT\ms-msdt /f

The teams here at CulperSec are constantly Threat Hunting, reviewing the latest advisories and creating and reviewing the latest detections. CulperSec is here to assist you with all of your cybersecurity needs.

Continue reading

More perspectives

View the archive

Put insight to work

Bring the right security expertise to the next decision.

Tell us what your organization is facing. We will help define the practical next step.

Start a conversation