Jump to content
  • Microsoft issues warning about RCE exploit in its Windows diagnostic tool

    aum

    • 1 comment
    • 576 views
    • 2 minutes
     Share


    • 1 comment
    • 576 views
    • 2 minutes

    If you've ever contacted Microsoft support directly about some issue in your Windows or Windows Server system, you have possibly been directed to use Microsoft Support Diagnostic Tool (MSDT). You can open it by typing msdt in Windows Run (Win + R) after which you'll be asked for a passkey provided by the support representative. Once you enter this, you will be able to run some diagnostics and send the results directly to Microsoft for further analysis.


    However, Microsoft has now issued an advisory about a remote code execution (RCE) vulnerability present in MSDT. The security flaw affects virtually all supported versions of Windows and Windows Server, including Windows 7, 8.1, 10, 11, Windows Server 2008, 2012, 2016, 2019, and 2022.


    The issue in question is being tracked under CVE-2022-30190 and has a high severity level. Although Microsoft hasn't gone into the full details - likely because the flaw has not been patched yet -, it has explained that RCE can happen when MSDT is invoked using the URL protocol from a calling application, such as Microsoft Word.


    The attacker will be able to run arbitrary code that can view, delete, or alter your files through the privileges of the calling application. So, for example, if MSDT is invoked through Microsoft Word running with admin privileges, an attacker would get the same admin privileges - which is obviously not good.
    For now, Microsoft has recommended disabling MSDT through the following commands that you can run in Command Prompt:

     

    •  Run Command Prompt as Administrator
    •  To back up the registry key, execute the command "reg export HKEY_CLASSES_ROOT\ms-msdt filename"
    •  Execute the command "reg delete HKEY_CLASSES_ROOT\ms-msdt /f"


    However, if you later find out that you'd rather take the risk because MSDT is critical to your workflow, you can revert the workaround through the following process:

     

    •  Run Command Prompt as Administrator.
    •  To reimport the registry key, execute the command "reg import filename"


    As it currently stands, Microsoft is still working on a fix. It has highlighted that the security flaw is being exploited in the wild so it is important to enable cloud-delivered protection and automatic sample submission through Microsoft Defender. Meanwhile, Microsoft Defender for Endpoint customers should also configure policies to reduce the attack surface from child processes of Office apps.

     

    Source

    • Like 2
    • Thanks 1

    User Feedback

    Recommended Comments



    Join the conversation

    You can post now and register later. If you have an account, sign in now to post with your account.
    Note: Your post will require moderator approval before it will be visible.

    Guest
    Add a comment...

    ×   Pasted as rich text.   Paste as plain text instead

      Only 75 emoji are allowed.

    ×   Your link has been automatically embedded.   Display as a link instead

    ×   Your previous content has been restored.   Clear editor

    ×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...