SECURITY ALERT: Zero-Day Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190 Enables Remote Code Execution
What is CVE-2022-30190? Workarounds and Cybersecurity Advice.
On Monday, 30 May 2022, Microsoft’s Security Response Center issued an advisory on CVE-2022-30190, a newly disclosed zero-day vulnerability that lets a threat actor run arbitrary code with the rights of the current user. According to the advisory, the vulnerability lies in the way applications invoke MSDT (Microsoft Support Diagnostic Tool) through its URL protocol, ms-msdt:. Microsoft is working on a permanent fix but has given no timeline; in the meantime it advises customers to apply the workaround described below.
What is CVE-2022-30190?
CVE-2022-30190 is a remote code execution vulnerability that is triggered when MSDT is called through the ms-msdt: URL protocol from a calling application such as Word or Excel. In practice, an attacker delivers a crafted document or link that causes the application to invoke the protocol handler; no interception of network traffic is involved. When that happens, MSDT runs attacker-controlled content, and the attacker obtains code execution on the host with the privileges of the user who opened the document.
Per Microsoft, an attacker who successfully exploits the vulnerability runs arbitrary code with the privileges of the calling application and can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights. To date there is no official fix for the MSDT vulnerability; Microsoft has published a workaround, a temporary measure that stops applications from reaching MSDT through the URL protocol.
Microsoft’s advisory recommends disabling the MSDT URL protocol as the workaround. This removes the ms-msdt: handler registration, so a link or document using that protocol no longer launches MSDT. To disable the protocol, follow these steps.
Step 1. Run Command Prompt as Administrator.
Step 2. Back up the MSDT registry key, so the change can be reversed later. Type in or paste the following command, replacing filename with the path of the .reg file to create:
reg export HKEY_CLASSES_ROOT\ms-msdt filename
Step 3. Delete the MSDT registry key. Type in or paste the following command:
reg delete HKEY_CLASSES_ROOT\ms-msdt /f
To undo the change once Microsoft ships a fix, run Command Prompt as Administrator again and import the backup created in Step 2:
reg import filename
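The following PowerShell script is an added example, not part of Microsoft’s advisory or Heimdal’s own tooling. It automates the three steps above for fleet-wide rollout, refuses to delete the key unless the backup actually exists, verifies the result, and provides the matching rollback. The backup location ($BackupPath) is an assumption; any path the administrator account can write to will do. Run it from an elevated PowerShell session.

```powershell
# Added example: apply, verify, and roll back the ms-msdt URL protocol workaround
# for CVE-2022-30190. Not from the original advisory. Requires an elevated session.

$KeyPath    = 'Registry::HKEY_CLASSES_ROOT\ms-msdt'          # handler key removed by the workaround
$BackupPath = Join-Path $env:ProgramData 'ms-msdt-backup.reg'  # assumed backup location

function Test-IsElevated {
    # The reg delete on HKCR fails without administrator rights, so check up front.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-MsdtProtocolDisabled {
    # $true when the ms-msdt handler key is absent, i.e. the workaround is in place.
    return -not (Test-Path -Path $KeyPath)
}

function Disable-MsdtProtocol {
    if (-not (Test-IsElevated)) { throw 'Run this from an elevated PowerShell session.' }
    if (Test-MsdtProtocolDisabled) {
        Write-Host 'ms-msdt key already absent; nothing to do.'
        return
    }
    # Step 2: export the key first so the change can be reversed. /y overwrites an old backup.
    & reg.exe export 'HKEY_CLASSES_ROOT\ms-msdt' $BackupPath /y | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path -Path $BackupPath)) {
        throw "Backup to $BackupPath failed; refusing to delete the key without a backup."
    }
    # Step 3: delete the key so ms-msdt: links no longer launch MSDT.
    & reg.exe delete 'HKEY_CLASSES_ROOT\ms-msdt' /f | Out-Null
    if (-not (Test-MsdtProtocolDisabled)) {
        throw 'reg delete returned but the ms-msdt key still exists; check for errors above.'
    }
    Write-Host "ms-msdt protocol disabled; backup saved to $BackupPath"
}

function Restore-MsdtProtocol {
    if (-not (Test-IsElevated)) { throw 'Run this from an elevated PowerShell session.' }
    if (-not (Test-Path -Path $BackupPath)) {
        throw "No backup found at $BackupPath; cannot restore the handler."
    }
    # Re-import the exported key to re-enable the protocol once a fix is installed.
    & reg.exe import $BackupPath | Out-Null
    if (Test-MsdtProtocolDisabled) {
        throw 'reg import did not recreate the ms-msdt key.'
    }
    Write-Host 'ms-msdt protocol handler restored.'
}

# Usage, one call at a time from an elevated prompt:
#   Disable-MsdtProtocol          # apply the workaround
#   Test-MsdtProtocolDisabled     # True once the key is gone; useful as a compliance check
#   Restore-MsdtProtocol          # undo after Microsoft's fix is installed
```

Test-MsdtProtocolDisabled on its own is the useful piece for auditing: it needs no elevation and can be run across endpoints to report which hosts still have the ms-msdt: handler registered.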
Disabling the protocol does not remove troubleshooting altogether: Microsoft notes that troubleshooters remain accessible through the Get Help application and from the additional troubleshooters available in system settings.
Additional Cybersecurity Advice
While waiting for the official Microsoft fix, you may want to try out some of these tips in order to safeguard your machines against CVE-2022-30190.
- Curb user privileges. Bear in mind that a threat actor exploiting this vulnerability obtains the same level of rights as the ‘calling’ application, which is to say the rights of the logged-on user. Heimdal™ advocates tighter user permissions: the less the user can do, the less the attacker can do. Privileged Access Management (PAM) solutions can keep day-to-day accounts unprivileged and block attempts to escalate rights or create new accounts.
- Avoid using the tool. Most common issues can be resolved by consulting the documentation. If all else fails, use the Get Help application, which does not depend on the ms-msdt: URL protocol.
- Deploy the workaround promptly. It may take a while for Microsoft to publish a permanent fix, so in the interest of time, and security, implement the workaround described above as soon as possible, and verify that the ms-msdt key is absent on every host.