Last week Cybersecurity researchers uncovered a zero-day flaw in Microsoft Office 365 that can be exploited to enable Arbitrary Code Execution (ACE) on Windows systems. Multiple versions of Microsoft Office are said to be affected, including Office 2021 and Office 2016, although suspicion falls on any and all versions until the research is completed with a clear picture of the extent of the vulnerabilities.
The flaw was discovered by nao_sec, a cybersecurity research team that found a Word document that was uploaded from a Belarus IP address to VirusTotal, a website created by the Spain-based Cybersecurity firm Hispasec Sistemas, which is owned by a subsidiary of Google.
The title of the Word document was ’05-2022-0438.doc’ which was flagged by 38 Security companies as containing malicious content. On May 27, nao_sec put out a tweet alerting the public to the flaw, citing that the malicious document “uses Word's external link to load the HTML and then uses the "ms-msdt" scheme to execute PowerShell code.”
What is PowerShell and why it is used?
PowerShell is a scripting language that is used for automating tasks and the overall management of systems. Once a bad guy gets into your PowerShell, they become capable (and more than willing) to unleash a world of hurt.
PowerShell is one area of concern, but like many malicious attacks, cybercriminals engineer the malware’s tentacles to slither into other vital areas as well. Using Microsoft Office to open Microsoft Diagnostics Tool (MSDT) file handler, the malware acquires the necessary permissions to move laterally through the infected system granting itself further user privileges.
Guidance for CVE-2022-30190 Microsoft Support Diagnostic Tool Vulnerability
According to "Guidance for CVE-2022-30190 Microsoft Support Diagnostic Tool Vulnerability", released by Microsoft on May 30:
Workarounds
To disable the MSDT URL Protocol
Disabling MSDT URL protocol prevents troubleshooters being launched as links including links throughout the operating system. Troubleshooters can still be accessed using the Get Help application and in system settings as other or additional troubleshooters. Follow these steps to disable:
1. Run Command Prompt as Administrator
2. To back up the registry key, execute the command” reg export HKEY_CLASSES_ ROOT\ms-msdt filename”
3. Execute the command ”reg delete HKEY_CLASSES_ ROOT\ms-msdt/f”
How to undo the workaround
1. Run Command Prompt as Administrator
2. To restore the registry key, execute the command ‘reg import filename“
Be very careful in personally these steps if you are doing it without assistance. For a business with either in-house IT support or outsourced Managed IT Services, check that they already know about the above workaround. If they are unaware of Microsoft’s instructions, you have a bigger problem than just this zero-day Microsoft Office flaw – you are using incompetent or lazy IT services, and successful cyber-attacks are going to eat your lunch sooner or later – and THAT’S a promise..
What is Microsoft zero-day?
In a nutshell, this new zero-day flaw allows attackers to gain remote code execution whenever an end-user downloads a malicious Word document. This remote code execution allows a cybercriminal to breach your system and invade PowerShell to delete data, create new accounts and install programs.
Before they are discovered, it is extremely difficult for even the best IT support to find zero-day vulnerabilities. It is a needle in a haystack – one thread of code buried in the approximately thirty million lines of code in Microsoft Office. It would be a monumental task for any IT Services to find it – but they don’t even know to look for it until it causes problems.
Once aware of the problem, your in-house IT support or outsourced Managed IT Services provider should notify users of the issues, with ways to counter the problem until the software provider – in this case, Microsoft – effects a permanent fix.
Frequently Asked Questions
Q: Why is it called zero-day?
A: Because when a vendor or developer discovers a flaw in their software that results in an exploitable vulnerability, it means they have ‘zero days’ to get it fixed. But they are rarely fixed in a day. A zero-day attack simply means that cybercriminals exploit the vulnerability before the developers get it fixed.
Q: Are zero-day attacks common?
A: They are quite common and growing every year – especially since March of 2020. The Ponemon-Sullivan Privacy Report stated that the percentage of security breaches that came as the result of a zero-day attacks had already reached 80% by May of 2020.
Q: What is zero day patching?
A: A zero-day patch fixes the flaw the same day the vulnerability was discovered. In this recent flaw, Microsoft has yet to issue a patch, but responded immediately with the previously mentioned ‘workarounds’ while they work on a permanent solution.
Q: How are zero day attacks discovered?
A: Most of the time, hackers find them first – because they are actively looking for them as part of their overall criminal modus operandi. They find usable vulnerability, figure out the best way to exploit it, then execute an attack.
In this case, the independent researchers at nao_sec stumbled across a Word document that showed unusual peculiarities. Sometimes, the developer discovers them, and occasionally an end-user finds them when a program is behaving oddly.
Q: Do I need PowerShell on my computer?
A: Yes, but at times it is a good idea to disable it to deal with malicious content. It is not only convenient for the easy performance of necessary tasks by just typing in simple commands, but it is also an essential application within your Operating System (OS).
Is your network efficient and secure?
As a reputable member of the IT Support Los Angeles community since 2002, IT Support LA offers a FREE, no-risk network and security assessment. It is a non-intrusive scan that allows us to deliver a comprehensive report that is yours to keep. No strings, and no obligation to ever use our Managed IT Services.
The best defense is the best Cybersecurity to protect your data from theft, and a top-notch Managed IT Services firm to ensure continued reliability and defenses against newly emerging threats.
Just fill out the form on this page or call us at:
818-805-090