Warning: Zero-day vulnerability in Microsoft Office allows code smuggling [CISO, 02.06.2022] Please take the countermeasure described here
A zero-day(*) vulnerability in Microsoft Windows has been known since yesterday (30.5.2022); it can be exploited via manipulated Office documents.
IT security researchers have discovered Word documents that load and execute malicious code from the Internet when opened. This happens even though macro execution is deactivated. The victim does, however, have to deactivate the “protected view” of the manipulated document.
In the meantime, numerous instructions that explain how to exploit the vulnerability can be found on the Internet, and easy-to-use scripts for creating malicious documents are already available.
Microsoft Office executes the code by means of the diagnostic tool msdt.exe, e.g. when help page links in Office are called, and it does so even if the execution of macros has been deactivated in the settings. The protected view is, however, activated first.
With a little extra effort, attackers can increase the danger: if the document is converted to RTF format, the code runs without the user opening the file at all. This happens in the Windows Explorer preview, which (of course) has no “protected view”.
- Do not use external RTF documents (the preview in Windows Explorer is already enough for infection).
- Never switch off the “protected view” (in which the documents are opened by default) for MS Office documents coming from outside without having checked with the sender that the document is harmless (not by replying to the received mail, but preferably by telephone or in a new mail).
- Remove the registry key described below and thus disable the misused diagnostic tool.
Disable the diagnostic tool (as administrator)
To remove the URL handler for MSDT, administrators should open an administrative prompt and follow Microsoft’s instructions. The call to
reg export HKEY_CLASSES_ROOT\ms-msdt <filename>
saves the current registry key in the file <filename>.
Subsequently, the call to
reg delete HKEY_CLASSES_ROOT\ms-msdt /f
deletes the key in question.
For later restoration (once Microsoft has released a patch) it is sufficient to run
reg import <filename>
at the administrative prompt.
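As an added example (not part of this advisory or of Microsoft’s instructions), the same three steps as one PowerShell script that refuses to run unelevated, verifies the export before deleting anything, confirms the key is gone afterwards, and offers a -Restore switch for after the patch; the script name, the $BackupFile default and the messages are assumptions.

```powershell
# Added example: wraps the reg export / delete / import steps from the advisory.
# Assumes an elevated PowerShell prompt; the backup path is a chosen default.
param(
    [string]$BackupFile = "$env:SystemDrive\ms-msdt-backup.reg",
    [switch]$Restore
)

$KeyPath = 'Registry::HKEY_CLASSES_ROOT\ms-msdt'

# Changes under HKEY_CLASSES_ROOT need an administrative prompt; stop early otherwise.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an administrative (elevated) prompt.'
}

if ($Restore) {
    # Restoration step, intended for after Microsoft's patch has been installed.
    if (-not (Test-Path $BackupFile)) { throw "Backup $BackupFile not found; nothing to import." }
    reg.exe import $BackupFile
    if ($LASTEXITCODE -ne 0) { throw 'reg import failed.' }
    Write-Host "ms-msdt handler restored from $BackupFile"
    return
}

if (-not (Test-Path $KeyPath)) {
    Write-Host 'ms-msdt handler is already absent; nothing to do.'
    return
}

# 1. Export first and verify the backup exists before deleting anything (/y overwrites an old backup).
reg.exe export HKEY_CLASSES_ROOT\ms-msdt $BackupFile /y
if ($LASTEXITCODE -ne 0 -or -not (Test-Path $BackupFile)) {
    throw 'Export failed; the key was NOT deleted.'
}

# 2. Remove the ms-msdt URL handler.
reg.exe delete HKEY_CLASSES_ROOT\ms-msdt /f
if ($LASTEXITCODE -ne 0) { throw 'reg delete failed.' }

# 3. Confirm the mitigation actually took effect.
if (Test-Path $KeyPath) { throw 'Key still present after delete.' }
Write-Host "ms-msdt handler removed; backup saved to $BackupFile"
```

Run it once without parameters to apply the mitigation and with -Restore once the patch is installed; the $KeyPath check also serves as a quick compliance test on other machines.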
Side effect:
Removing the MSDT URL protocol means that troubleshooting components can no longer be launched as links (in the Office products).
However, these can still be reached via the “Get Help” app and in the system settings as other or additional troubleshooters.
(*) Zero-day means: there is no update/patch from the manufacturer yet, but there are already known cases where the vulnerability is exploited.