Zero-Day Flaw Found in Microsoft Office 365

Last week Cybersecurity researchers uncovered a zero-day flaw in Microsoft Office 365 that can be exploited to enable Arbitrary Code Execution (ACE) on Windows systems. Multiple versions of Microsoft Office are said to be affected, including Office 2021 and Office 2016, although suspicion falls on any and all versions until the research is completed with a clear picture of the extent of the vulnerabilities.

The flaw was discovered by nao_sec, a cybersecurity research team that found a Word document that was uploaded from a Belarus IP address to VirusTotal, a website created by the Spain-based Cybersecurity firm Hispasec Sistemas, which is owned by a subsidiary of Google.

The title of the Word document was ’05-2022-0438.doc’ which was flagged by 38 Security companies as containing malicious content. On May 27, nao_sec put out a tweet alerting the public to the flaw, citing that the malicious document “uses Word's external link to load the HTML and then uses the "ms-msdt" scheme to execute PowerShell code.”

What is PowerShell and why it is used?

PowerShell is a scripting language that is used for automating tasks and the overall management of systems. Once a bad guy gets into your PowerShell, they become capable (and more than willing) to unleash a world of hurt.

PowerShell is one area of concern, but like many malicious attacks, cybercriminals engineer the malware’s tentacles to slither into other vital areas as well. Using Microsoft Office to open Microsoft Diagnostics Tool (MSDT) file handler, the malware acquires the necessary permissions to move laterally through the infected system granting itself further user privileges.
Guidance for CVE-2022-30190 Microsoft Support Diagnostic Tool Vulnerability

According to "Guidance for CVE-2022-30190 Microsoft Support Diagnostic Tool Vulnerability", released by Microsoft on May 30:

Workarounds

To disable the MSDT URL Protocol

Disabling MSDT URL protocol prevents troubleshooters being launched as links including links throughout the operating system. Troubleshooters can still be accessed using the Get Help application and in system settings as other or additional troubleshooters. Follow these steps to disable:

1. Run Command Prompt as Administrator
2. To back up the registry key, execute the command” reg export HKEY_CLASSES_ ROOT\ms-msdt filename”
3. Execute the command ”reg delete HKEY_CLASSES_ ROOT\ms-msdt/f”

How to undo the workaround

1. Run Command Prompt as Administrator
2. To restore the registry key, execute the command ‘reg import filename“

Be very careful in personally these steps if you are doing it without assistance. For a business with either in-house IT support or outsourced Managed IT Services, check that they already know about the above workaround. If they are unaware of Microsoft’s instructions, you have a bigger problem than just this zero-day Microsoft Office flaw – you are using incompetent or lazy IT services, and successful cyber-attacks are going to eat your lunch sooner or later – and THAT’S a promise..

What is Microsoft zero-day?

In a nutshell, this new zero-day flaw allows attackers to gain remote code execution whenever an end-user downloads a malicious Word document. This remote code execution allows a cybercriminal to breach your system and invade PowerShell to delete data, create new accounts and install programs.

Before they are discovered, it is extremely difficult for even the best IT support to find zero-day vulnerabilities. It is a needle in a haystack – one thread of code buried in the approximately thirty million lines of code in Microsoft Office. It would be a monumental task for any IT Services to find it – but they don’t even know to look for it until it causes problems.

Once aware of the problem, your in-house IT support or outsourced Managed IT Services provider should notify users of the issues, with ways to counter the problem until the software provider – in this case, Microsoft – effects a permanent fix.