Microsoft has detailed a workaround that allows administrators to protect their networks from a zero-day flaw in a Windows tool that hackers have exploited through malicious Word documents.

Over the weekend, security researchers discovered a malicious Word document that was uploaded to the malware sample-sharing service VirusTotal on May 25 from an IP address in Belarus.

Security researcher Kevin Beaumont discovered that the malicious document – or “maldoc” – was capable of executing code through the legitimate Microsoft Support Diagnostic Tool (msdt.exe), even with macros disabled. The malicious Word document calls MSDT in Windows via the ‘ms-msdt’ URL protocol.

Office Protected View, a feature that prevents macros from running in documents that come from the Internet, works as expected. However, malicious code can be executed if the Word document is converted to Rich Text Format (RTF) and then opened, according to Beaumont.

He described the bug as a “zero-day flaw allowing code execution in Office products,” which disregards user instructions to disable macros. At the time of its discovery, Microsoft Defender did not have detection for this attack, but that has since changed.

The Word-RTF macro attack worked on fully patched Office 2021, Office 2019, Office 2016 and Office 2013 products, according to Beaumont and other researchers.

Microsoft has assigned this bug the identifier CVE-2022-30190. The company hasn’t released a patch yet, but the Microsoft Security Response Center (MSRC) has given its description of the “MSDT vulnerability in Windows” and detailed workarounds, as well as an update to Defender with detection signatures for the attack.

“A remote code execution vulnerability exists when MSDT is invoked using the URL protocol from a calling application such as Word. An attacker who successfully exploited this vulnerability can execute arbitrary code with the privileges of the calling application. The attacker can then install programs, view, modify or delete data, or create new accounts in the context authorized by the user’s rights,” MSRC said.

Microsoft’s entry for CVE-2022-30190 indicates that it affects MSDT on all versions of Windows and Windows Server.

Microsoft has classified CVE-2022-30190 as a “significant” severity flaw and has provided the following instructions for disabling the MSDT URL protocol:

  • Run Command Prompt as Administrator.
  • To back up the registry key, run the command “reg export HKEY_CLASSES_ROOT\ms-msdt filename”.
  • Run the command “reg delete HKEY_CLASSES_ROOT\ms-msdt /f”.
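The three steps above, plus a verification and the reverse operation, as an added PowerShell example (not Microsoft's own script). It assumes an elevated session on a machine with Microsoft Defender installed; the backup file name and the hypothetical function names are constructed for this example.

```powershell
# Added example: apply, verify and revert the CVE-2022-30190 ms-msdt workaround.
# Assumes an elevated PowerShell session (reg.exe needs Administrator for HKCR writes).
$KeyPath = 'Registry::HKEY_CLASSES_ROOT\ms-msdt'

function Test-MsdtProtocolEnabled {
    # True while the ms-msdt URL handler still exists (workaround NOT applied).
    return (Test-Path -Path $KeyPath)
}

function Disable-MsdtProtocol {
    param([string]$BackupPath = "$env:SystemDrive\ms-msdt-backup.reg")  # constructed default
    if (-not (Test-MsdtProtocolEnabled)) {
        Write-Output 'ms-msdt handler already absent; nothing to do.'
        return
    }
    # Step 1: back up the key, exactly as the workaround instructs (/y overwrites an old backup).
    reg.exe export 'HKEY_CLASSES_ROOT\ms-msdt' $BackupPath /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'Backup failed; refusing to delete the key.' }
    # Step 2: remove the protocol handler so Office can no longer launch msdt.exe via ms-msdt:.
    reg.exe delete 'HKEY_CLASSES_ROOT\ms-msdt' /f | Out-Null
    if (Test-MsdtProtocolEnabled) { throw 'Key still present after delete.' }
    Write-Output "ms-msdt protocol disabled; backup at $BackupPath"
}

function Enable-MsdtProtocol {
    # Undo the workaround by importing the backup taken by Disable-MsdtProtocol.
    param([string]$BackupPath = "$env:SystemDrive\ms-msdt-backup.reg")
    if (-not (Test-Path -Path $BackupPath)) { throw "No backup found at $BackupPath" }
    reg.exe import $BackupPath | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'Import failed; ms-msdt handler not restored.' }
}

function Get-OfficeChildProcessRuleState {
    # Reports the state of Defender's ASR rule "Block all Office applications from
    # creating child processes" (the BlockOfficeCreateProcessRule mitigation).
    $ruleId = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'
    $pref = Get-MpPreference
    $ids = @($pref.AttackSurfaceReductionRules_Ids)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $ruleId) {
            # Action codes: 0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn
            return $pref.AttackSurfaceReductionRules_Actions[$i]
        }
    }
    return 'NotConfigured'
}
```

Run Disable-MsdtProtocol, then confirm with Test-MsdtProtocolEnabled (expect False); Get-OfficeChildProcessRuleState returning anything other than 1 means the ASR rule is not in block mode.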

Microsoft has also provided instructions for undoing the workaround. It recommends that customers with Microsoft Defender Antivirus enable cloud-delivered protection and automatic sample submission.

Customers with Microsoft Defender for Endpoint (for business) can enable the “BlockOfficeCreateProcessRule” attack surface reduction rule that prevents Office applications from creating child processes.

The MSRC did not address the variant of the attack in which the document is opened as RTF. However, it notes: “If the calling application is a Microsoft Office application, by default Microsoft Office opens documents from the Internet in Protected View or Application Guard for Office, which prevents the current attack.”

As Xavier Mertens describes for the SANS Internet Storm Center, opening the malicious Word document displays what appears to be a blank document. However, it contains an external reference pointing to a malicious URL from which a PowerShell payload is retrieved using the ms-msdt URL protocol. Office automatically processes the MSDT URL and runs the PowerShell payload.

Microsoft’s zero-day “Follina” flaw is already being exploited in targeted attacks

A zero-day vulnerability has been discovered in Microsoft products by security researcher Nao_sec. Kevin Beaumont, also a cybersecurity specialist, documented the flaw in a blog post published on May 29.

A ZERO-CLICK ATTACK

Called “Follina”, this vulnerability affects 41 Microsoft products, including Windows 11 and Office 365. In practice, it allows malicious code to be executed remotely without user intervention. “The attacker can install programs, view, modify or delete data, or create new accounts within the framework authorized by the rights of the user”, specifies Microsoft in a security bulletin published on May 30.

Follina is reportedly already being exploited in targeted attacks, according to the Government Center for Monitoring, Alerting and Responding to Computer Attacks (CERT-FR), a body of the National Agency for the Security of Information Systems (ANSSI). For its part, the company Proofpoint claimed that the flaw is currently being used by a group of attackers sponsored by the Chinese government to target the Tibetan community.

NO FIX JUST WORKAROUNDS

For the moment, no patch has yet been released by the American company. It offers workarounds. Thus, it indicates that if the file is opened by an Office application, Protected View mode or Application Guard for Office is engaged and prevents the payload from running.

However, several researchers have indicated that this flaw could be exploited using a document in RTF format (a file format designed by Microsoft). In this case, the payload could be retrieved and executed when the document is merely previewed, for example in Windows Explorer, and therefore without the user opening it.

The Cybersecurity and Infrastructure Security Agency (CISA), the US federal agency responsible for improving the level of computer security of public entities, urged users and administrators to apply the workarounds proposed by Microsoft as quickly as possible.

This is not the first time that Microsoft products have contained zero-day flaws that hackers have seized upon. In March 2021, the business email software Exchange was targeted by Hafnium, a group of Beijing-linked cybercriminals. The European Banking Authority (EBA), ministries, law firms… had thus been attacked.

Windows 11 22H2 will ship with no fewer than 35 native applications

Windows 22H2 has just reached RTM, meaning that build 22621, offered to members of the Windows Insider program, will be the one released to the general public in a few weeks.

New creative and multimedia applications available

Users who have received this new version have naturally explored it to discover the new features and improvements made by Microsoft for this first major update of the operating system.

The beta testers have in particular set about counting the applications offered by the publisher in its new OS. For this new build, no fewer than 35 applications will be available after installing the update, not counting PowerShell, Microsoft Edge or the language pack, which require manual installation.

In detail, and without being exhaustive, we can cite the presence of Media Player, which replaces Groove Music for playing audio titles, or the Clipchamp video editor. The latter was purchased by Microsoft in 2021 and will now ship by default in Windows 11 to allow users to easily edit small clips and add effects, titles or music. Long-time users of the discontinued Windows Movie Maker will thus find a simple solution for their holiday movies.

Microsoft allows you to uninstall most of these applications

Maybe you don’t need all those apps, which take up space in your storage. Rest assured, Microsoft has thought of you and allows you to remove most of them.

To do this, several solutions are available to you, depending on the software. For most of them, it is enough to go to the Apps section of your PC settings, click on “Apps and features”, then right-click on the software you want to remove, and finally click on “Uninstall”.

For nine of them, however, you will have to get your hands dirty and go through PowerShell. The operation is reserved for experienced users. Finally, the Microsoft Store cannot be uninstalled. Windows 22H2 will also allow users who wish to create their own ISO file to remove almost all software included with the OS.

Windows 22H2 is expected in the second half of 2022, possibly after the summer, by which time Microsoft should have completed the deployment of Windows 11 across its entire user base.

Microsoft Office: how to protect yourself from this huge security flaw used to hack you

Microsoft alerts us to an actively exploited security flaw affecting the Office suite. The company also presents the workaround to be put in place to quickly deactivate the functionality in question.

If you use Microsoft Office 2021, 2019, 2016, 2013 or Professional Plus, you are affected by this security vulnerability, the severity of which is high: 7.8 out of 10. According to Microsoft, the vulnerability in question, called Follina, has been actively used by hackers since April.

Specifically, it is a booby-trapped Word document that claims to be issued by the Sputnik news agency. Indeed, the first hacking attempts targeted Russian citizens, with a document called “приглашение на интервью”, which can be translated as “invitation to an interview”.
