If you've ever contacted Microsoft support directly about an issue with your Windows or Windows Server system, you may have been directed to use the Microsoft Support Diagnostic Tool (MSDT). You can open it by typing msdt in Windows Run (Win + R), after which you'll be asked for a passkey provided by the support representative. Once you enter it, you can run diagnostics and send the results directly to Microsoft for further analysis.
However, Microsoft has now issued an advisory about a remote code execution (RCE) vulnerability present in MSDT. The security flaw affects virtually all supported versions of Windows and Windows Server, including Windows 7, 8.1, 10, 11, Windows Server 2008, 2012, 2016, 2019, and 2022.
The issue is being tracked as CVE-2022-30190 and has been given a high severity rating. Microsoft hasn't gone into full detail, likely because the flaw has not been patched yet, but it has explained that code execution occurs when MSDT is launched through its URL protocol (ms-msdt:) by a calling application such as Microsoft Word.
An attacker who gets MSDT invoked this way can run arbitrary code that views, deletes, or alters your files, with the privileges of the calling application. Word normally runs as the logged-on user, so the attacker gets that user's rights; if MSDT is invoked through Word running with admin privileges, the attacker gets the same admin privileges, which is obviously not good.
For now, Microsoft has recommended disabling the MSDT URL protocol, so that ms-msdt: links (including ones embedded in a malicious document) no longer launch the tool, using the following commands in Command Prompt:
- Run Command Prompt as Administrator
- To back up the registry key, execute the command "reg export HKEY_CLASSES_ROOT\ms-msdt filename" (filename is the path of the backup file you want to create)
- Execute the command "reg delete HKEY_CLASSES_ROOT\ms-msdt /f"
However, if you later decide you'd rather take the risk because MSDT is critical to your workflow, or once a patch is available, you can revert the workaround through the following process:
- Run Command Prompt as Administrator.
- To reimport the registry key, execute the command "reg import filename", where filename is the backup file created in the previous step
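The workaround and its reversal as one script, added here as an example rather than anything from Microsoft's advisory. It wraps the same reg export, reg delete and reg import commands but refuses to delete the key until the backup has actually been written, and verifies the result of each step. The backup path and the parameter names are my own choices; run it from an elevated PowerShell prompt as `.\msdt-workaround.ps1 -Action Disable` or `-Action Restore`.

```powershell
# Added example, not from the Microsoft advisory: apply or revert the ms-msdt
# URL-protocol workaround with a backup check at each step.
# The backup path is an assumed location; change it to suit your environment.
param(
    [Parameter(Mandatory)][ValidateSet('Disable', 'Restore')][string]$Action,
    [string]$Backup = 'C:\msdt-backup.reg'
)

$Key = 'HKEY_CLASSES_ROOT\ms-msdt'

# reg delete under HKCR needs admin rights; fail early rather than half-way through.
$IsAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
           ).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $IsAdmin) { throw 'Run this from an elevated PowerShell prompt.' }

function Test-MsdtHandler {
    # True while the ms-msdt: URL protocol handler is still registered.
    Test-Path 'Registry::HKEY_CLASSES_ROOT\ms-msdt'
}

switch ($Action) {
    'Disable' {
        if (-not (Test-MsdtHandler)) { Write-Host "$Key is already absent."; return }

        # Back up first, and only delete once the export actually produced a file.
        reg.exe export $Key $Backup /y | Out-Null
        if ($LASTEXITCODE -ne 0 -or -not (Test-Path $Backup)) {
            throw "Backup to $Backup failed; not deleting the key."
        }

        reg.exe delete $Key /f | Out-Null
        if ($LASTEXITCODE -ne 0) { throw 'reg delete failed.' }

        # Verify the handler is really gone; otherwise the workaround is not in place.
        if (Test-MsdtHandler) { throw "$Key is still present." }
        Write-Host "ms-msdt handler removed; backup saved to $Backup"
    }
    'Restore' {
        if (-not (Test-Path $Backup)) { throw "No backup at $Backup; cannot restore." }

        reg.exe import $Backup | Out-Null
        if ($LASTEXITCODE -ne 0) { throw 'reg import failed.' }

        # Confirm the restored handler points at msdt.exe before declaring success.
        $cmd = (Get-ItemProperty 'Registry::HKEY_CLASSES_ROOT\ms-msdt\shell\open\command').'(default)'
        if ($cmd -notmatch 'msdt\.exe') { throw "Handler restored but its command is '$cmd'." }
        Write-Host "ms-msdt handler restored from $Backup"
    }
}
```

Note that this only removes the protocol handler: msdt.exe itself stays on disk and can still be started by hand or by a support-provided shortcut, which is exactly why Microsoft frames it as a workaround rather than a fix.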
As it currently stands, Microsoft is still working on a fix. It has highlighted that the security flaw is being exploited in the wild, so it is important to enable cloud-delivered protection and automatic sample submission in Microsoft Defender Antivirus. Microsoft Defender for Endpoint customers should also turn on the attack surface reduction rule that blocks Office applications from creating child processes, which stops Word and its siblings from spawning msdt.exe in the first place.
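The Defender settings above, applied and read back with the built-in Defender cmdlets. This is an added example, not Microsoft's own guidance text; the rule GUID is the published identifier for "Block all Office applications from creating child processes", while the script name, the `-Mode` parameter and the default of audit mode are my own choices. Run it from an elevated PowerShell prompt on a machine where Microsoft Defender Antivirus is the active antivirus.

```powershell
# Added example, not from the Microsoft advisory: enable cloud-delivered
# protection, automatic sample submission and the ASR rule that stops Office
# apps from spawning child processes, then read the settings back to confirm.
# AuditMode is an assumed default so you can watch for false positives (for
# example add-ins that launch helper processes) before switching to Enabled.
param(
    [ValidateSet('AuditMode', 'Enabled')][string]$Mode = 'AuditMode'
)

# Published GUID of the "Block all Office applications from creating child
# processes" attack surface reduction rule.
$OfficeChildProcRule = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'

# Cloud-delivered protection (MAPS) and automatic sample submission.
Set-MpPreference -MAPSReporting Advanced
Set-MpPreference -SubmitSamplesConsent SendAllSamples

# Add-MpPreference merges into the existing rule list, so other ASR rules that
# are already configured are left alone.
Add-MpPreference -AttackSurfaceReductionRules_Ids $OfficeChildProcRule `
                 -AttackSurfaceReductionRules_Actions $Mode

function Get-MsdtMitigationState {
    # Returns the three settings that matter here, as Defender now reports them.
    $p   = Get-MpPreference
    $ids = @($p.AttackSurfaceReductionRules_Ids | ForEach-Object { $_.ToUpper() })
    $idx = [array]::IndexOf($ids, $OfficeChildProcRule)
    [pscustomobject]@{
        CloudProtection  = $p.MAPSReporting                 # 2 = Advanced
        SampleSubmission = $p.SubmitSamplesConsent          # 3 = SendAllSamples
        OfficeChildProcs = if ($idx -ge 0) {                # 1 = Block, 2 = Audit
                               $p.AttackSurfaceReductionRules_Actions[$idx]
                           } else { 'NotConfigured' }
    }
}

Get-MsdtMitigationState
```

In audit mode the rule only logs the blocked-would-be launches (Event ID 1122 in the Microsoft-Windows-Windows Defender/Operational log); rerun the script with `-Mode Enabled` once you are satisfied nothing legitimate is tripping it.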