This Windows Error Opens a Backdoor for Hackers Through Microsoft Word

Microsoft has published a workaround that lets administrators protect their networks from a zero-day flaw in a Windows tool that hackers exploited through malicious Word documents.

This weekend, security researchers discovered a malicious Word document that had been uploaded to the malware sample-sharing service VirusTotal from an IP address in Belarus on May 25.

Macros disabled

Security researcher Kevin Beaumont discovered that the malicious document – or “maldoc” – was able to execute code through the legitimate Microsoft Support Diagnostic Tool (msdt.exe), even with its macros disabled. The malicious Word document calls MSDT in Windows via the ‘ms-msdt’ URL protocol.

Office Protected View – a feature that prevents macros from running in documents downloaded from the web – works as expected. However, malicious code can still be executed if the Word document is converted to Rich Text Format (RTF) and then opened, according to Kevin Beaumont.

This “zero-day flaw allows code execution in Office products” and bypasses the user’s setting to disable macros, the researcher explains. At the time of discovery, Microsoft Defender had no detection for this attack, but that has since changed.

Workarounds while waiting for resolution

The Word RTF attack works on fully patched Office 2021, Office 2019, Office 2016 and Office 2013 products, according to Kevin Beaumont and other researchers.

Microsoft tracks this flaw as CVE-2022-30190. While there is no patch yet, the Microsoft Security Response Center (MSRC) has described the “MSDT vulnerability in Windows” and published detailed workarounds, as well as a Defender update with signatures for the attack.

“A remote code execution vulnerability exists when MSDT is called using the URL protocol of a calling application such as Word. An attacker who successfully exploited this vulnerability could execute arbitrary code with the privileges of the calling application. The attacker can then install programs, view, modify or delete data, or create new accounts in the context authorized by the user’s rights,” the MSRC said.

A high-severity flaw

Microsoft specifies that CVE-2022-30190 affects MSDT on all versions of Windows and Windows Server. It rates the severity as “Important”.

To disable MSDT’s URL protocol, here are Microsoft’s instructions:

  1. run Command Prompt as administrator;
  2. to back up the registry key, run the command: reg export HKEY_CLASSES_ROOT\ms-msdt filename (where filename is the path of the backup file);
  3. run the command reg delete HKEY_CLASSES_ROOT\ms-msdt /f
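The three steps above, as an added PowerShell example that is not Microsoft's own script: it wraps the backup and deletion in functions, refuses to delete the key if the backup did not succeed, verifies the result, and includes the undo step (re-importing the backup). The backup path is an assumption; choose your own.

```powershell
# Added example (not Microsoft's script): backup / disable / verify / restore cycle
# for the ms-msdt URL protocol handler. Run from an elevated PowerShell session.
$Key        = 'HKEY_CLASSES_ROOT\ms-msdt'
$BackupFile = Join-Path $env:ProgramData 'ms-msdt-backup.reg'   # assumed location

function Test-IsAdministrator {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    (New-Object Security.Principal.WindowsPrincipal $id).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-MsdtProtocolDisabled {
    # $true when the protocol handler key no longer exists.
    -not (Test-Path "Registry::$Key")
}

function Disable-MsdtProtocol {
    if (-not (Test-IsAdministrator)) { throw 'Run this from an elevated prompt.' }
    if (Test-MsdtProtocolDisabled) {
        Write-Host "$Key is already absent; nothing to do."
        return
    }
    # Step 2: export the key first so the workaround can be undone later (/y overwrites an old backup).
    reg.exe export $Key $BackupFile /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Backup of $Key failed; the key was NOT deleted." }
    # Step 3: delete the protocol handler without prompting.
    reg.exe delete $Key /f | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Deletion of $Key failed." }
}

function Restore-MsdtProtocol {
    # Undo: re-import the exported key.
    if (-not (Test-IsAdministrator)) { throw 'Run this from an elevated prompt.' }
    if (-not (Test-Path $BackupFile)) { throw "No backup found at $BackupFile." }
    reg.exe import $BackupFile | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Import of $BackupFile failed." }
}

Disable-MsdtProtocol
if (Test-MsdtProtocolDisabled) {
    Write-Host "ms-msdt URL protocol disabled; backup saved to $BackupFile."
}
```

Keep the exported .reg file with your change records: it is the only thing `Restore-MsdtProtocol` needs once Microsoft ships a patch and the handler can be put back.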

Microsoft has also provided instructions to undo the workaround. The company recommends that customers running Microsoft Defender Antivirus enable cloud-delivered protection and automatic sample submission.

Microsoft Defender for Endpoint (enterprise) customers can enable the attack surface reduction rule “BlockOfficeCreateProcessRule”, which prevents Office applications from creating child processes.
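The two Defender recommendations above (cloud-delivered protection with sample submission, and the Office child-process ASR rule), as an added PowerShell example that is not Microsoft's own code. It uses the documented Defender cmdlets and the documented GUID of the “Block all Office applications from creating child processes” rule, then reads the settings back and checks the signature version against the 1.367.719.0 threshold the article quotes.

```powershell
# Added example (not Microsoft's code): apply and verify the Defender mitigations.
# Requires an elevated session on a machine running Microsoft Defender Antivirus.

# Documented GUID of the ASR rule "Block all Office applications from creating child processes".
$OfficeChildProcessRule = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'

# Cloud-delivered protection plus automatic sample submission.
Set-MpPreference -MAPSReporting Advanced
Set-MpPreference -SubmitSamplesConsent SendAllSamples

# Enable the ASR rule in block mode. In a change-controlled environment start with
# -AttackSurfaceReductionRules_Actions AuditMode and review the events before blocking.
Add-MpPreference -AttackSurfaceReductionRules_Ids $OfficeChildProcessRule `
                 -AttackSurfaceReductionRules_Actions Enabled

function Get-MitigationStatus {
    # Reads the effective settings back so the change can be verified or reported.
    $pref   = Get-MpPreference
    $status = Get-MpComputerStatus
    $ids    = @($pref.AttackSurfaceReductionRules_Ids)
    $acts   = @($pref.AttackSurfaceReductionRules_Actions)

    # Rule ids and actions are parallel arrays; find our rule case-insensitively.
    $action = 'NotConfigured'
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $OfficeChildProcessRule) { $action = $acts[$i]; break }
    }

    [pscustomobject]@{
        CloudProtection    = $pref.MAPSReporting          # 2 = Advanced
        SampleSubmission   = $pref.SubmitSamplesConsent   # 3 = SendAllSamples
        OfficeChildProcess = $action                      # 1 = Enabled (block), 2 = AuditMode
        SignatureVersion   = $status.AntivirusSignatureVersion
        # Version quoted by Microsoft as the first with detections for this attack.
        SignatureCoversCVE = [version]$status.AntivirusSignatureVersion -ge [version]'1.367.719.0'
    }
}

Get-MitigationStatus
```

If `SignatureCoversCVE` comes back `$false`, run `Update-MpSignature` and check again; the ASR rule and the registry workaround do not depend on the signature version, but the Mesdetty detections listed below do.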

Microsoft says its Defender Antivirus “provides detection and protection for potential exploits of vulnerabilities [...] with version 1.367.719.0 or higher”. The detection names for the malicious files are as follows:

  • Trojan:Win32/Mesdetty.A
  • Trojan:Win32/Mesdetty.B
  • Behavior:Win32/MesdettyLaunch.A
  • Behavior:Win32/MesdettyLaunch.B
  • Behavior:Win32/MesdettyLaunch.C

Apply the workaround

The MSRC has not addressed the variant of the attack in which the document is saved as RTF. However, it notes that “if the calling application is a Microsoft Office application, by default Microsoft Office opens documents from the web in Protected View or Application Guard for Office, which prevents the current attack.”

As Xavier Mertens describes for the SANS Internet Storm Center, opening the malicious Word document shows what appears to be a blank document. However, it contains an external reference pointing to a malicious URL from which a PowerShell payload is retrieved using the ms-msdt URL protocol. Office automatically handles the MSDT URL and executes the PowerShell payload.

Will Dormann, vulnerability analyst at CERT/CC, says on Twitter that the flaw is “very similar to” the MSHTML flaw CVE-2021-40444 from September. Since Microsoft has not released a patch for this new bug, the analyst recommends disabling the MSDT protocol.

CERT-FR has also published an alert about this vulnerability, in which it recommends applying the workaround recommended by Microsoft. The document also provides a Sigma rule to detect exploitation of the vulnerability on a system.
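The process chain described in the SANS write-up above (Word handles an ms-msdt URL, MSDT runs, PowerShell is launched) is also what a detection rule such as the one CERT-FR published looks for. As an added example that is neither the CERT-FR Sigma rule nor code from the article, here is that logic in PowerShell, run over constructed process-creation records. In production the records would be built from Sysmon Event ID 1 or Security Event ID 4688 via `Get-WinEvent`; the sample events, their timestamps and their paths are made up for the demonstration.

```powershell
# Added example (not the CERT-FR rule): flag the Office -> msdt.exe -> PowerShell chain
# in process-creation telemetry. Sample records below are constructed, not real.

$OfficeProcesses = @('WINWORD.EXE', 'EXCEL.EXE', 'POWERPNT.EXE', 'OUTLOOK.EXE', 'MSACCESS.EXE')

function Get-Leaf([string] $Path) {
    # Last path component regardless of slash direction, so this also runs on PowerShell Core.
    ($Path -split '[\\/]')[-1]
}

function Test-MsdtAbuseIndicator {
    # Returns a short reason string when the event matches, otherwise $null.
    param([Parameter(Mandatory)] $Event)
    $image  = Get-Leaf $Event.Image
    $parent = Get-Leaf $Event.ParentImage
    $cmd    = [string] $Event.CommandLine

    # 1. msdt.exe started by an Office application: the Word -> MSDT step.
    $officeSpawnsMsdt = ($image -ieq 'msdt.exe') -and ($OfficeProcesses -icontains $parent)
    # 2. PowerShell started by msdt.exe: the payload step.
    $msdtSpawnsShell  = ($parent -ieq 'msdt.exe') -and ($image -imatch '^(powershell|pwsh)\.exe$')
    # 3. The ms-msdt URL protocol in an msdt.exe command line, whatever the parent.
    $protocolInCmd    = ($image -ieq 'msdt.exe') -and ($cmd -imatch 'ms-msdt:')

    if ($officeSpawnsMsdt) { return 'office->msdt' }
    if ($msdtSpawnsShell)  { return 'msdt->powershell' }
    if ($protocolInCmd)    { return 'ms-msdt-protocol' }
    return $null
}

function Find-MsdtAbuse {
    param([Parameter(Mandatory)] [object[]] $Events)
    foreach ($e in $Events) {
        $reason = Test-MsdtAbuseIndicator $e
        if ($reason) {
            [pscustomobject]@{
                Time        = $e.Time
                Reason      = $reason
                Parent      = Get-Leaf $e.ParentImage
                Image       = Get-Leaf $e.Image
                CommandLine = $e.CommandLine
            }
        }
    }
}

# Constructed sample events (not real telemetry). The first and last are benign.
$SampleEvents = @(
    [pscustomobject]@{ Time = '2022-05-30T09:00:01'; ParentImage = 'C:\Windows\explorer.exe'
                       Image = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
                       CommandLine = '"WINWORD.EXE" C:\Users\alice\Downloads\invoice.doc' }
    [pscustomobject]@{ Time = '2022-05-30T09:00:03'
                       ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
                       Image = 'C:\Windows\System32\msdt.exe'
                       CommandLine = '"C:\Windows\System32\msdt.exe" ms-msdt:/id PLACEHOLDER' }
    [pscustomobject]@{ Time = '2022-05-30T09:00:04'; ParentImage = 'C:\Windows\System32\msdt.exe'
                       Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
                       CommandLine = 'powershell.exe -Command PLACEHOLDER' }
    [pscustomobject]@{ Time = '2022-05-30T10:15:00'; ParentImage = 'C:\Windows\explorer.exe'
                       Image = 'C:\Windows\System32\msdt.exe'
                       CommandLine = 'msdt.exe' }   # user-launched troubleshooter
)

Find-MsdtAbuse -Events $SampleEvents | Format-Table -AutoSize
```

Run against the constructed sample, the second and third records are reported (`office->msdt` and `msdt->powershell`) while the user-launched troubleshooter and the plain Word start are not. Indicator 1 is the one worth alerting on with the least tuning: there is no routine reason for an Office process to start msdt.exe, which is also why the ASR rule described earlier blocks that exact behaviour.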
