Zero-day vulnerability in MS Office: Microsoft makes recommendations

The manufacturer has now published recommendations for action on the zero-day vulnerability in Microsoft Office that became known on Monday of this week. Attackers can exploit it with maliciously crafted Word documents to execute malicious code. Many IT security experts are currently analyzing the flaw in more detail.

Microsoft classified the vulnerability as high risk. The company does not locate the flaw in the Office package itself, even though the attacks seen so far went through a maliciously crafted Word document. The vulnerability lies in the Microsoft Windows Support Diagnostic Tool (MSDT) (CVE-2022-30190, CVSS 7.8, risk “high”).

Specifically, Microsoft explains the vulnerability as follows: a vulnerability that allows arbitrary code to be executed from the network occurs when MSDT is called via the URL protocol from an application such as Word. An attacker who successfully exploited the vulnerability could run arbitrary code with the privileges of the calling application. This makes it possible, for example, to install programs, view, change or delete data, or create new accounts within the context of the user's rights.

In a Microsoft Security Response Center blog post, IT security experts explain countermeasures. Administrators can take these steps to mitigate the impact of the vulnerability and stop attackers from abusing it.

The first recommendation matches one of the ideas the SANS Institute put forward on Monday: disabling the MSDT URL protocol handler. Microsoft does, however, explain the side effects of this step. Removing the MSDT URL protocol means that troubleshooters can no longer be launched as links. They remain accessible through the Get Help app and in the Settings app as different or additional troubleshooting modules.

According to Microsoft's instructions, administrators should open an administrative command prompt to remove the URL handler for MSDT. The command reg export HKEY_CLASSES_ROOT\ms-msdt <filename> saves the current registry key to the file <filename>. The call reg delete HKEY_CLASSES_ROOT\ms-msdt /f then deletes the relevant key. To restore it later, run reg import <filename> at the administrative command prompt.
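The three reg.exe steps above, wrapped into PowerShell functions with a presence check so the mitigation can be verified and reverted. This is an added example, not code from the article or from Microsoft; the backup path under ProgramData is an assumption, and the session must be elevated.

```powershell
# Added example (not from the article or Microsoft): wraps the reg export /
# reg delete / reg import steps for the ms-msdt URL handler into functions.
# Run from an elevated PowerShell session. The backup location is assumed.

$HandlerKey = 'HKEY_CLASSES_ROOT\ms-msdt'
$BackupFile = Join-Path $env:ProgramData 'ms-msdt-handler-backup.reg'   # assumed path

function Test-MsdtHandlerPresent {
    # $true when the ms-msdt URL protocol handler is still registered,
    # i.e. the mitigation has not been applied (or has been restored).
    # HKCR is not a default PowerShell drive, so the Registry:: provider path is used.
    return Test-Path "Registry::$HandlerKey"
}

function Disable-MsdtHandler {
    # Export first so the change can be undone; only delete if the backup succeeded.
    if (-not (Test-MsdtHandlerPresent)) {
        Write-Host "ms-msdt handler is already absent; nothing to do."
        return
    }
    & reg.exe export $HandlerKey $BackupFile /y
    if ($LASTEXITCODE -ne 0) { throw "Backup to $BackupFile failed; key was not deleted." }
    & reg.exe delete $HandlerKey /f
    if ($LASTEXITCODE -ne 0) { throw "Deleting $HandlerKey failed." }
    Write-Host "ms-msdt handler removed; backup stored at $BackupFile"
}

function Restore-MsdtHandler {
    # Re-imports the exported key once a patch makes the workaround unnecessary.
    if (-not (Test-Path $BackupFile)) { throw "No backup found at $BackupFile" }
    & reg.exe import $BackupFile
    if ($LASTEXITCODE -ne 0) { throw "Import of $BackupFile failed." }
    Write-Host "ms-msdt handler restored from $BackupFile"
}

# Usage:
#   Disable-MsdtHandler          # apply the workaround
#   Test-MsdtHandlerPresent      # $false once applied; useful for fleet-wide status checks
#   Restore-MsdtHandler          # undo after patching
```

Test-MsdtHandlerPresent is the piece worth running across a fleet: it reports whether the handler, and therefore the exposure described above, is still in place on a given machine, independent of whether the workaround was applied by this script or by hand.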

The manufacturer lists further settings optimizations for the enterprise edition of Microsoft Defender. Admins should enable cloud-delivered protection and automatic sample submission. The company also recommends enabling the policy BlockOfficeCreateProcessRule, which is designed to stop a technique often used in malware attacks: Office starting new child processes.
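The Defender settings listed above, applied and read back with the built-in Defender PowerShell cmdlets. This is an added example, not code from the article or from Microsoft. The rule GUID is the standard identifier of the attack surface reduction rule "Block all Office applications from creating child processes", which is not given on the page; the numeric status codes in the comments are the cmdlets' own enum values.

```powershell
# Added example (not from the article): enable cloud protection, sample
# submission and the Office child-process ASR rule with the Defender cmdlets,
# then report the resulting state. Requires an elevated session on a machine
# running Microsoft Defender Antivirus.

# ASR rule "Block all Office applications from creating child processes"
$OfficeChildProcessRule = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'

function Enable-MsdtMitigations {
    param(
        # Use AuditMode first on a pilot group to see which legitimate Office
        # workflows would be blocked, then switch to Enabled.
        [ValidateSet('Enabled', 'AuditMode')]
        [string]$RuleAction = 'Enabled'
    )
    # Cloud-delivered protection (MAPS) and automatic sample submission
    Set-MpPreference -MAPSReporting Advanced
    Set-MpPreference -SubmitSamplesConsent SendAllSamples
    # Attack surface reduction: Office applications may not spawn child processes
    Add-MpPreference -AttackSurfaceReductionRules_Ids $OfficeChildProcessRule `
                     -AttackSurfaceReductionRules_Actions $RuleAction
}

function Get-MsdtMitigationStatus {
    # Reads the live preferences and reports the three settings as one object.
    $p   = Get-MpPreference
    $ids = @($p.AttackSurfaceReductionRules_Ids)
    $idx = -1
    for ($i = 0; $i -lt $ids.Count; $i++) {
        # GUID comparison is case-insensitive (-ieq) because the stored casing may vary
        if ($ids[$i] -ieq $OfficeChildProcessRule) { $idx = $i; break }
    }
    [pscustomobject]@{
        CloudProtection  = $p.MAPSReporting          # 2 = Advanced
        SampleSubmission = $p.SubmitSamplesConsent   # 3 = SendAllSamples
        OfficeChildBlock = if ($idx -ge 0) {         # 1 = Enabled, 2 = AuditMode
                               $p.AttackSurfaceReductionRules_Actions[$idx]
                           } else { 'NotConfigured' }
    }
}

# Usage:
#   Enable-MsdtMitigations -RuleAction AuditMode   # pilot
#   Enable-MsdtMitigations                         # enforce
#   Get-MsdtMitigationStatus
```

Running the rule in AuditMode first records would-be blocks as events without interrupting users, which makes it easy to find line-of-business macros or add-ins that legitimately spawn processes before the rule is enforced.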

Furthermore, the developers have added new detections to Defender that are meant to flag malicious documents. The names are

  • Trojan:Win32/Mesdetty.A
  • Trojan:Win32/Mesdetty.B
  • Behavior:Win32/MesdettyLaunch.A
  • Behavior:Win32/MesdettyLaunch.B
  • Behavior:Win32/MesdettyLaunch.C

IT managers who run larger installations with the Microsoft 365 Defender portal can find indications of attempted attacks on the vulnerability under the alert descriptions

  • Suspicious behavior by an Office application
  • Suspicious behavior by Msdt.exe

Microsoft further explains that the “Protected View” for documents originating from the Internet protects against the exploit, as does Application Guard for Office. However, administrators should not rely on this for protection: users can deactivate Protected View with one click in the opened document.
