Microsoft Releases Workaround for Zero-Day Leak in Support Diagnostic Tool
Microsoft has published recommendations to mitigate the risks of a newly discovered zero-day vulnerability in the Microsoft Support Diagnostic Tool. Users can disable the MSDT URL protocol.
By opening Windows Command Prompt as an administrator and then running reg delete HKEY_CLASSES_ROOT\ms-msdt /f, users can disable MSDT’s URL protocol† Microsoft recommends that you backup the registry key first, by running reg export HKEY_CLASSES_ROOT\ms-msdt filename. The workaround can then be undone with the command reg import filename and the auxiliary software can be started again.
Microsoft is publishing the advisory after a zero-day leak was found in the Microsoft Support Diagnostic Tool. The vulnerability concerns calling this tool by means of a URL, for example via a Word document. An attacker who exploits it could remotely execute arbitrary code with the privileges of the program that calls the URL protocol, such as the aforementioned Word. The vulnerability is labeled CVE-2022-30190 and affects Windows versions from Windows 7 through Windows 11 and Windows Server 2022.
Security researchers discovered the vulnerability over the past weekend and gave these the name Follina† It was suspected that it was an Office vulnerability, but according to Microsoft it concerns the way in which the URL protocol of MSDT is called within Windows. The researchers found a doc file with an https: URL that actually activated ms-msdt: with JavaScript code, and with it the diagnostic tool. Using the command line, attackers can thus launch the Program Compatibility Troubleshooter and simultaneously launch PowerShell scripts, such as downloading and launching malware.