Microsoft publishes workaround for zero-day leak in Support Diagnostic Tool
Microsoft has published recommendations to mitigate the risks of a newly discovered zero-day vulnerability in the Microsoft Support Diagnostic Tool. Users can disable MSDT’s URL protocol.
By opening the Windows Command Prompt as an administrator and running reg delete HKEY_CLASSES_ROOT\ms-msdt /f, users can disable the MSDT URL protocol. Microsoft recommends backing up the registry key first by running reg export HKEY_CLASSES_ROOT\ms-msdt filename. With the command reg import filename, the workaround can be undone and the diagnostic tool can be invoked via the URL protocol again.
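The three registry commands above form one procedure: back up, delete, and (if needed) restore. The following PowerShell script is an added example, not code from the article or from Microsoft; it wraps those same reg.exe commands with the checks an administrator would want (elevation, a verified backup before deletion, and confirmation that the key is actually gone or restored). The backup file location under ProgramData and the function names are assumptions of this example.

```powershell
# Added example (not from the article): applies Microsoft's MSDT URL-protocol
# workaround with a backup-first check, and can reverse it. Assumes reg.exe is
# on PATH and the shell is elevated; the backup path is a constructed choice.

$MsdtKey    = 'HKEY_CLASSES_ROOT\ms-msdt'
$BackupFile = Join-Path $env:ProgramData 'ms-msdt-backup.reg'   # assumed location

function Test-IsElevated {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-MsdtProtocolRegistered {
    # reg query exits 0 when the key exists and non-zero when it does not
    & reg.exe query $MsdtKey 2>&1 | Out-Null
    return ($LASTEXITCODE -eq 0)
}

function Backup-MsdtProtocol {
    # reg export <key> <file> /y overwrites an existing backup without prompting
    & reg.exe export $MsdtKey $BackupFile /y 2>&1 | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path $BackupFile)) {
        throw "Backup of $MsdtKey to $BackupFile failed; not proceeding."
    }
    Write-Host "Backed up $MsdtKey to $BackupFile"
}

function Disable-MsdtProtocol {
    if (-not (Test-IsElevated)) { throw 'Run this from an elevated (Administrator) shell.' }
    if (-not (Test-MsdtProtocolRegistered)) {
        Write-Host "$MsdtKey is not registered; nothing to do."
        return
    }
    Backup-MsdtProtocol                       # never delete without a verified backup
    & reg.exe delete $MsdtKey /f 2>&1 | Out-Null
    if (Test-MsdtProtocolRegistered) { throw "Failed to remove $MsdtKey." }
    Write-Host "Removed $MsdtKey; the ms-msdt: URL protocol is now disabled."
}

function Restore-MsdtProtocol {
    if (-not (Test-IsElevated)) { throw 'Run this from an elevated (Administrator) shell.' }
    if (-not (Test-Path $BackupFile)) { throw "No backup found at $BackupFile." }
    & reg.exe import $BackupFile 2>&1 | Out-Null
    if (-not (Test-MsdtProtocolRegistered)) { throw "Import of $BackupFile did not restore $MsdtKey." }
    Write-Host "Restored $MsdtKey from $BackupFile; the workaround is undone."
}

# Usage: dot-source this file in an elevated PowerShell session, then run
#   Disable-MsdtProtocol        # apply the workaround
#   Restore-MsdtProtocol        # undo it once a patch is installed
```

The script deliberately refuses to delete the key when the export did not produce a file, which is the failure mode that leaves an administrator unable to undo the workaround later.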
Microsoft published the advisory after a zero-day vulnerability was found in the Microsoft Support Diagnostic Tool. The vulnerability concerns invoking this tool by means of a URL, for example from a Word document. An attacker who successfully exploits it could remotely execute arbitrary code with the privileges of the program that invokes the URL protocol, such as Word. The vulnerability has the designation CVE-2022-30190 and affects Windows versions from Windows 7 through Windows 11 and Windows Server 2022.
Security researchers discovered the vulnerability over the weekend and gave it the name Follina. It was initially suspected to be an Office vulnerability, but according to Microsoft it concerns the way the MSDT URL protocol is invoked within Windows. The researchers found a .doc file containing an https: URL that, via JavaScript code, actually invoked ms-msdt: and with it the diagnostics tool. Through the command line, attackers can launch the Program Compatibility Troubleshooter and at the same time run PowerShell scripts, for instance to download and launch malware.
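The chain described above (an Office document invoking the URL protocol, which starts the diagnostics tool) leaves a recognisable trace in process-creation telemetry: the diagnostics tool's process has an Office application as its parent. The following PowerShell function is an added detection example, not from the article; it assumes the diagnostics tool runs as msdt.exe, takes records in a Sysmon-like shape (Image, ParentImage, CommandLine), and uses constructed sample events rather than real telemetry.

```powershell
# Added example (not from the article): flags process-creation records where the
# diagnostics tool (assumed executable name msdt.exe) is started with an Office
# application as its parent, the chain the article describes. The record shape,
# the parent list and the sample events are constructed for this example.

$OfficeParents = @('winword.exe', 'excel.exe', 'powerpnt.exe', 'outlook.exe')

function Find-SuspiciousMsdtLaunch {
    param([Parameter(Mandatory)] [object[]] $Events)

    foreach ($e in $Events) {
        # Compare on the file name only, case-insensitively, so install paths do not matter
        $image  = [IO.Path]::GetFileName($e.Image).ToLowerInvariant()
        $parent = [IO.Path]::GetFileName($e.ParentImage).ToLowerInvariant()

        if ($image -eq 'msdt.exe' -and $OfficeParents -contains $parent) {
            [pscustomobject]@{
                Time        = $e.Time
                Host        = $e.Host
                Parent      = $e.ParentImage
                CommandLine = $e.CommandLine
                Reason      = "msdt.exe spawned by Office process $parent"
            }
        }
    }
}

# Constructed sample events (not real telemetry). Only the first should be flagged:
# the second is msdt.exe started normally from Explorer, the third is Word
# starting something other than the diagnostics tool.
$sample = @(
    [pscustomobject]@{ Time = '2022-05-30T09:12:01Z'; Host = 'WS01'
                       Image = 'C:\Windows\System32\msdt.exe'
                       ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
                       CommandLine = 'msdt.exe (constructed arguments)' }
    [pscustomobject]@{ Time = '2022-05-30T09:15:44Z'; Host = 'WS02'
                       Image = 'C:\Windows\System32\msdt.exe'
                       ParentImage = 'C:\Windows\explorer.exe'
                       CommandLine = 'msdt.exe (constructed arguments)' }
    [pscustomobject]@{ Time = '2022-05-30T09:16:10Z'; Host = 'WS01'
                       Image = 'C:\Windows\System32\notepad.exe'
                       ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
                       CommandLine = 'notepad.exe' }
)

$hits = @(Find-SuspiciousMsdtLaunch -Events $sample)
$hits | Format-Table -AutoSize
if ($hits.Count -ne 1) { throw "Expected exactly 1 hit, got $($hits.Count)" }
```

In a real deployment the same function can be fed objects built from Sysmon process-creation events (Event ID 1) read with Get-WinEvent; the parent-process check is what distinguishes the document-triggered launch from a user opening the troubleshooter themselves.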