Over the weekend, security researchers discovered a malicious Word document that was uploaded to Google-owned VirusTotal on 25 May from an IP address in Belarus. Security researcher Kevin Beaumont found that the malicious document – or ‘maldoc’ – was allowed to execute code via the legitimate Microsoft Support Diagnostic Tool (msdt.exe) even when macros are disabled. The malicious Word document calls up MSDT in Windows via the ‘ms-msdt’ URL protocol. MSDT launches ’troubleshooter packs’. Office Protected View – a feature that prevents macros from running in documents from the internet – functions as expected. However, malicious code can be executed if the Word document is converted to Rich Text Format (RFT) and then run, according to Beaumont. SEE: Microsoft warns: This botnet has new tricks to target Linux and Windows systems He described the bug as a “zero-day allowing code execution in Office products”, which disobeys user instructions to disable macros. At the time, Microsoft Defender had no detection for this attack, although that’s since changed. The Word-RTF macro attack worked on fully patched Office 2021, Office 2019, Office 2016, and Office 2013, according to Beaumont and other researchers. Microsoft has now assigned the bug the identifier CVE-2022-30190. It hasn’t released a patch for it yet, but the Microsoft Security Response Center (MSRC) has given its description of the “MSDT in Windows vulnerability” and detailed workarounds, as well as updated Defender with signatures for the attack. “A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word. An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights,” MSRC said. Microsoft’s entry for CVE-2022-30190 indicates it affects MSDT on all versions of Windows and Windows Server. Microsoft rated CVE-2022-30190 as an ‘important’ severity flaw and has provided the following instructions to disable the MSDT URL protocol, which prevents MSDT’s troubleshooter packs from being launched as links: Microsoft has also provided instructions for undoing the workaround. It recommends customers with Microsoft Defender Antivirus turn on cloud-delivered protection and automatic sample submission. Customers with Microsoft Defender for Endpoint (for enterprise) can enable the attack surface reduction rule ‘BlockOfficeCreateProcessRule’ that blocks Office apps from creating child processes. Microsoft says its Defender Antivirus “provides detections and protections for possible vulnerability exploitation … using detection build 1.367.719.0 or newer”. The signatures for the malicious files include:
Trojan:Win32/Mesdetty.ATrojan:Win32/Mesdetty.BBehavior:Win32/MesdettyLaunch.ABehavior:Win32/MesdettyLaunch.BBehavior:Win32/MesdettyLaunch.C
MSRC didn’t address the question of the attack if the document is run in RTF. However, it notes: “If the calling application is a Microsoft Office application, by default, Microsoft Office opens documents from the internet in Protected View or Application Guard for Office, both of which prevent the current attack.” As Xavier Mertens described for the SANS Internet Storm Center, opening the malicious Word document displays what seems like a blank document. However, it contains an external reference pointing to a malicious URL from which a PowerShell payload is fetched using the ms-msdt URL protocol. Office automatically processes the MSDT URL and executes the Powershell payload. Will Dormann, a vulnerability analyst at CERT/CC, noted on Twitter that the flaw was “very similar to the MSHTML CVE-2021-40444” flaw from September. Given that Microsoft hasn’t released a patch for the new flaw, Dormann recommends disabling the MSDT protocol.