Microsoft reveals workaround for Office zero-day vulnerability that can be used to launch malicious PowerShell commands

Colorful Microsoft logo

While Microsoft may be quick to point out security vulnerabilities in other companies' products, its own software is far from infallible. A good example of this is the recently discovered 'Follina' security hole that affects Microsoft Office.

The vulnerability can be exploited to launch PowerShell and execute a variety of malicious commands; all that a victim needs to do is open a specially crafted Word file. Tracked as CVE-2022-30190, Microsoft has released details of a workaround that helps to mitigate the issue.

See also:

Advertisement

Details of the vulnerability were shared on Twitter by security researcher nao_sec. But while the tweet post late last week brought the security flaw to the attention of a wider audience, it was not the first that had been heard of it -- there were reports as far back as April.

nao_sec's tweet reads:

While Microsoft is not referring to the vulnerability as a zero-day, the company has acknowledged its existence, saying:

A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word. An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user's rights.

The company has also shared details of a workaround which involves disabling the MSDT URL protocol:

Disabling MSDT URL protocol prevents troubleshooters being launched as links including links throughout the operating system. Troubleshooters can still be accessed using the Get Help application and in system settings as other or additional troubleshooters. Follow these steps to disable:

1. Run Command Prompt as Administrator.

2. To back up the registry key, execute the command "reg export HKEY_CLASSES_ROOT\ms-msdt filename"

3. Execute the command "reg delete HKEY_CLASSES_ROOT\ms-msdt /f".

Microsoft also says:

Customers with Microsoft Defender Antivirus should turn-on cloud-delivered protection and automatic sample submission. These capabilities use artificial intelligence and machine learning to quickly identify and stop new and unknown threats.

Customers of Microsoft Defender for Endpoint can enable attack surface reduction rule "BlockOfficeCreateProcessRule" that blocks Office apps from creating child processes. Creating malicious child processes is a common malware strategy.

More information is available in a blog post in the Microsoft Security Response Center.

Image credit: Sundry Photography / Shutterstock

© 1998-2022 BetaNews, Inc. All Rights Reserved. Privacy Policy - Cookie Policy.