Attackers are actively exploiting a zero-day vulnerability in many current versions of Office, Office 365, and Windows that requires no user interaction and can be used to gain remote code execution on target machines.
Researchers have confirmed that the flaw (CVE-2022-30190) is present in Office 2013, 2016, 2019, 2021, Office ProPlus, and Office 365. The bug is also present in most versions of Windows and Windows Server. Microsoft has issued an advisory, but there is no patch available yet. Working exploit code is circulating, and the exploitation attempts seen so far mainly employ malicious Word documents. The vulnerability is in the Microsoft Support Diagnostics Tool (MSDT), a utility that collects data and sends it to Microsoft for analysis when users are having issues.
“A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word. An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights,” the Microsoft advisory says.
The first public indications of this vulnerability and the exploits against it emerged on May 27 when nao_sec, a security research team, tweeted a link to a malicious document that had been uploaded to VirusTotal from Belarus. The document had been used to target victims in Russia. Other researchers quickly began looking into the issue and details of the underlying vulnerability and the exploit’s inner workings soon emerged. In the malicious document that nao_sec shared, there is a reference to an external HTML document stored on a site that is no longer online.
“This HTML document begins with a script tag and includes a significant amount of commented A characters, which (considering they are just comments), would seem to serve no purpose… but from our testing, a hefty amount of characters is necessary for the exploit to fire,” researcher John Hammond of Huntress wrote in an analysis of the vulnerability and exploit.
“After some testing, it was clear that the payload would not execute without a significant number of padding characters (the A’s that were present in the HTML comments).”
Although there are no patches available at this point, there are some mitigations that effectively eliminate the known attack vector. Microsoft’s guidance is to disable the MSDT URL protocol, which can be done from the command line in Windows.
“Disabling MSDT URL protocol prevents troubleshooters being launched as links including links throughout the operating system. Troubleshooters can still be accessed using the Get Help application and in system settings as other or additional troubleshooters,” the advisory says.
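The workaround Microsoft describes, as an added PowerShell example that is not part of the article or of Microsoft's advisory: it exports the ms-msdt: protocol handler key for later restoration, deletes it, and verifies the result. The backup location is an assumption; the script must run from an elevated session.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article or Microsoft): back up and remove the
# ms-msdt: URL protocol handler so links cannot launch MSDT, and restore it
# later from the backup once a patch has been applied.
param(
    [string]$BackupPath = "$env:SystemDrive\ms-msdt-backup.reg",  # assumed path
    [switch]$Restore
)

$keyPath = 'Registry::HKEY_CLASSES_ROOT\ms-msdt'

if ($Restore) {
    # Re-register the handler from the earlier export.
    if (-not (Test-Path -LiteralPath $BackupPath)) { throw "No backup at $BackupPath" }
    reg.exe import $BackupPath | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'Import failed; handler not restored.' }
    Write-Output "ms-msdt handler restored from $BackupPath"
    return
}

if (-not (Test-Path -LiteralPath $keyPath)) {
    Write-Output 'ms-msdt handler is not registered; nothing to do.'
    return
}

# 1. Export the key first so troubleshooter links can be re-enabled later.
reg.exe export 'HKCR\ms-msdt' $BackupPath /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'Backup failed; leaving the handler in place.' }

# 2. Delete the protocol handler registration (Microsoft's documented workaround).
reg.exe delete 'HKCR\ms-msdt' /f | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'Deletion failed; check permissions.' }

# 3. Confirm the key is gone before reporting success.
if (Test-Path -LiteralPath $keyPath) { throw 'ms-msdt key still present after deletion.' }
Write-Output "ms-msdt URL protocol disabled; backup written to $BackupPath"
```

Run with `-Restore` to import the saved key once the environment is patched.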
The vulnerability was first reported to Microsoft in mid-April by a researcher who informed the Microsoft Security Response Center that he had found the exploit in the wild. The MSRC did not consider it a security issue at the time and closed the ticket, and the issue was reported again on Friday, leading to the advisory. The seriousness of the issue is now quite clear.
“This is a 0-day attack that sprung up out of nowhere, and there’s currently no patch available. This 0-day features remote code execution, which means that once this code is detonated, threat actors can elevate their own privileges and potentially gain ‘god mode’ access to the affected environment,” Hammond said in his analysis.
“The mitigations that are available are messy workarounds that the industry hasn’t had time to study the impact of. They involve changing settings in the Windows Registry, which is serious business because an incorrect Registry entry could brick your machine. Detonating this malicious code is as simple as opening up a Word doc—in preview mode.”