Actively Exploited Microsoft Office Security Flaw Has No Patch But Here’s A Workaround

Malware and virus threats are practically commonplace, even a daily occurrence for some users these days. Unfortunately for users in the Microsoft ecosystem, popular Office applications are a favorite attack vector for the ne’er-do-wells of the Internet.

In that regard, Microsoft‘s Security Response Center has issued guidance to help add preventative layers against a newly discovered critical vulnerability, tracked as CVE-2022-30190. Unlike most earlier Office attacks, this vulnerability does not rely on macros; in fact, macros as a malware attack vector have been mostly patched out of recent versions of Office applications anyway.

What is obvious now is that macros were not the only way to exploit Office productivity applications. Interestingly, the new security flaw lies not in Microsoft Office alone but, more specifically, in Microsoft Defender working in conjunction with Microsoft Office. The Microsoft Defender Support Tool, or MSDT, a specific subset of functionality included with Microsoft Defender, registers a URL protocol (the ms-msdt: scheme) that applications such as Office can open. As it turns out, malware and virus designers can abuse this handler to trigger arbitrary code execution.

Arbitrary code execution, or ACE, is a method in which malware writers take advantage of exposed places in system memory to run code of their own choosing, in most cases at the system level. That code often installs or launches other malware, collects data, logs keystrokes, or finds ways to copy itself, as many viruses do. Twitter user Will Dormann has even helpfully provided a video showing how this can be exploited.

So what can you do to prevent infection? It’s actually fairly straightforward. Microsoft’s own blog has the details, which we’ll summarize here as well.

The simplest method is to disable the MSDT URL protocol by deleting the registry key at HKEY_CLASSES_ROOT\ms-msdt. Of course, you should always be extremely careful when modifying your registry, and export a backup of the key beforehand so it can be restored later.

Anyone utilizing Microsoft Defender Antivirus can also turn on cloud-delivered protection and automatic sample submission. This should allow Defender to detect this malware, as the associated patterns are already part of Microsoft’s cloud-delivered threat mitigation resources.

Microsoft has also provided advice to sysadmins who use Microsoft Defender Antivirus as their endpoint protection. All these users have to do is enable the attack surface reduction rule BlockOfficeCreateProcessRule, which prevents Office applications from creating child processes such as MSDT.
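As an added example (not code from Microsoft’s guidance or from this article), the following PowerShell script applies the three workarounds above on one machine: it exports the ms-msdt key before deleting it, turns on cloud-delivered protection and sample submission, enables the ASR rule, and then reports whether each mitigation is in place. The function names and backup directory are my own choices; the GUID is Defender’s identifier for the “Block all Office applications from creating child processes” rule, and the script must run in an elevated PowerShell session.

```powershell
#Requires -RunAsAdministrator
# Function names and $BackupDir below are assumptions for this example.
$MsdtKey = 'HKEY_CLASSES_ROOT\ms-msdt'
# ASR rule: "Block all Office applications from creating child processes"
$OfficeChildProcRule = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'

function Disable-MsdtUrlProtocol {
    param([string]$BackupDir = "$env:ProgramData\msdt-backup")
    if (-not (Test-Path "Registry::$MsdtKey")) {
        Write-Host "ms-msdt handler already absent; nothing to do."
        return
    }
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    $backup = Join-Path $BackupDir ("ms-msdt-{0:yyyyMMdd-HHmmss}.reg" -f (Get-Date))
    # Export first so the handler can be restored later with: reg.exe import <file>
    & reg.exe export $MsdtKey $backup /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Backup failed; refusing to delete $MsdtKey" }
    & reg.exe delete $MsdtKey /f | Out-Null
    if (Test-Path "Registry::$MsdtKey") { throw "Deletion of $MsdtKey failed" }
    Write-Host "ms-msdt handler removed; backup saved to $backup"
}

function Enable-DefenderMitigations {
    # Cloud-delivered protection plus automatic sample submission
    Set-MpPreference -MAPSReporting Advanced -SubmitSamplesConsent SendAllSamples
    # The ASR rule the article calls BlockOfficeCreateProcessRule, in block mode
    Add-MpPreference -AttackSurfaceReductionRules_Ids $OfficeChildProcRule `
                     -AttackSurfaceReductionRules_Actions Enabled
}

function Test-Mitigations {
    # Returns one object with a boolean per mitigation so the state can be logged
    $pref = Get-MpPreference
    $ids  = @($pref.AttackSurfaceReductionRules_Ids | ForEach-Object { "$_".ToUpper() })
    $idx  = [array]::IndexOf($ids, $OfficeChildProcRule)
    [pscustomobject]@{
        MsdtHandlerRemoved = -not (Test-Path "Registry::$MsdtKey")
        CloudProtection    = ($pref.MAPSReporting -eq 2)          # 2 = Advanced
        AsrRuleBlocking    = ($idx -ge 0 -and
                              $pref.AttackSurfaceReductionRules_Actions[$idx] -eq 1)  # 1 = Block
    }
}

Disable-MsdtUrlProtocol
Enable-DefenderMitigations
Test-Mitigations | Format-List
```

Keep the exported .reg file: once Microsoft ships a patch, `reg.exe import` restores the handler, and the same Test-Mitigations output can be collected from endpoints to confirm the workaround is applied fleet-wide.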

Hopefully most users learn of this well enough in advance to prevent any serious damage, as this vulnerability is still being actively exploited.