To counter the ongoing exploitation of its Office zero-day bug, Microsoft has announced a mitigation plan for affected users.

The mitigation disables the Microsoft Windows Support Diagnostic Tool (MSDT) URL protocol, which attackers abuse to execute arbitrary code remotely on victims’ systems. Microsoft also said that recent Microsoft Defender versions can detect exploitation attempts.

Stopping Exploitations Against The Office Zero-day Bugs

We see zero-day bugs in software products every now and then. Microsoft is no exception, as bugs turn up in the company’s products regularly too. The latest concerns a zero-day bug in the Office suite, found by the security researcher nao_sec.

Tracked as CVE-2022-30190, this zero-day bug lies in Microsoft’s Windows Support Diagnostic Tool (MSDT) and lets a successful attacker execute malicious PowerShell commands when the victim opens or previews a Word document.

About this RCE bug, Microsoft noted that “The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights.”

Since exploitation of this bug began a month ago, Microsoft has now shared a mitigation plan to stop it and safeguard vulnerable users: disabling the MSDT URL protocol that lets attackers execute malicious code remotely. Here’s how to do it:

  1. Run Command Prompt as Administrator.
  2. To back up the registry key, execute the command “reg export HKEY_CLASSES_ROOT\ms-msdt filename” (replace filename with the path of the backup file to create).
  3. Execute the command “reg delete HKEY_CLASSES_ROOT\ms-msdt /f”.

Once Microsoft releases a working patch, users can undo this mitigation by running an elevated Command Prompt and executing “reg import filename”, where filename is the registry backup created when the protocol was disabled.
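The same disable-and-restore procedure, wrapped as an added PowerShell script (not Microsoft’s own tooling) that runs the reg.exe steps above with the checks an administrator would want: it refuses to delete the key unless the backup was actually written, and only restores from a backup that exists. The backup path under ProgramData is an assumption; pass -BackupFile to change it.

```powershell
# Added example: wraps the documented reg.exe steps with safety checks.
# Run from an elevated PowerShell session. Usage:
#   .\Set-MsdtMitigation.ps1 -Action Disable
#   .\Set-MsdtMitigation.ps1 -Action Restore
param(
    [ValidateSet('Disable', 'Restore')]
    [string]$Action = 'Disable',
    # Assumed backup location; any writable path works.
    [string]$BackupFile = "$env:ProgramData\ms-msdt-backup.reg"
)

$KeyPath = 'HKEY_CLASSES_ROOT\ms-msdt'

function Test-MsdtProtocolPresent {
    # The Registry:: provider prefix lets Test-Path inspect HKCR directly.
    return Test-Path "Registry::$KeyPath"
}

switch ($Action) {
    'Disable' {
        if (-not (Test-MsdtProtocolPresent)) {
            Write-Host "ms-msdt protocol handler already absent; nothing to do."
            return
        }
        # Step 2 of the advisory: export the key before touching it (/y overwrites).
        reg.exe export $KeyPath $BackupFile /y | Out-Null
        if ($LASTEXITCODE -ne 0 -or -not (Test-Path $BackupFile)) {
            throw "Backup to $BackupFile failed; registry key left in place."
        }
        # Step 3: remove the handler so ms-msdt: links no longer launch MSDT.
        reg.exe delete $KeyPath /f | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "reg delete failed (exit code $LASTEXITCODE)" }
        Write-Host "ms-msdt handler removed; backup saved to $BackupFile"
    }
    'Restore' {
        # Undo step: re-import the saved key once a patch is installed.
        if (-not (Test-Path $BackupFile)) { throw "No backup found at $BackupFile" }
        reg.exe import $BackupFile | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "reg import failed (exit code $LASTEXITCODE)" }
        Write-Host "ms-msdt handler restored from $BackupFile"
    }
}
```

After running with -Action Disable, Test-MsdtProtocolPresent returns $false, which is a quick way to confirm the mitigation on a fleet.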

The company also noted that its Defender Antivirus v1.367.719.0 or newer can detect possible exploitation of this zero-day bug under the following signatures:

Trojan:Win32/Mesdetty.A
Trojan:Win32/Mesdetty.B
Behavior:Win32/MesdettyLaunch.A
Behavior:Win32/MesdettyLaunch.B
Behavior:Win32/MesdettyLaunch.C

Thus, it’s advised to update your Microsoft Defender suite and apply the mitigation measure that the company suggested.
