zdnet[.]com/article/this-zero-day-windows-flaw-opens-a-backdoor-to-hackers-via-microsoft-word-heres-how-to-fix-it/
neowin[.]net/news/microsoft-issues-warning-about-rce-exploit-in-its-windows-diagnostic-tool/
msrc-blog.microsoft[.]com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/
This vulnerability centers on the Microsoft Support Diagnostic Tool (MSDT):
The Microsoft Support Diagnostic Tool (MSDT) collects information to send to Microsoft Support. Microsoft Support will then analyze this information and use it to determine the resolution to any problems that you may be experiencing on your computer.
docs.microsoft[.]com/en-us/troubleshoot/sql/general/answers-questions-msdt
The vulnerability was spotted over the weekend when a malicious Word doc was uploaded to VirusTotal -- that doc was able to call up [start] MSDT to run arbitrary code, IOW to do pretty much anything the attacker wants. It also works with RTF [Rich Text Format] files -- from what I've read there's no discussion of whether Microsoft Office apps need to be installed [it may be too soon as they're likely still testing].
The workaround Microsoft advises is to delete the registry key [HKEY_CLASSES_ROOT\ms-msdt]. They suggest backing up the key first so that it can be restored after a fix is available. You can export [save] the key & then delete it using Regedit -- right click the Start Button, click Run, type regedit in the box & click OK. In Regedit, navigate to the key, or use Edit -> Find, typing in ms-msdt, then right click the key to export or delete.
If like me you have no plans to ever run MSDT, you can easily delete the key by copy/pasting the following into a plain text file using Notepad -- name the saved file [SomeName].reg, then double click it to merge it with the registry.
Windows Registry Editor Version 5.00
[-HKEY_CLASSES_ROOT\ms-msdt]
Microsoft provides the following commands to be used with Windows Command Prompt -- you can also use Terminal if you prefer.
To disable the MSDT URL Protocol
Disabling the MSDT URL protocol prevents troubleshooters from being launched as links, including links throughout the operating system. Troubleshooters can still be accessed using the Get Help application and in system settings as other or additional troubleshooters. Follow these steps to disable:
Run Command Prompt as Administrator.
To back up the registry key, execute the command "reg export HKEY_CLASSES_ROOT\ms-msdt filename"
Execute the command "reg delete HKEY_CLASSES_ROOT\ms-msdt /f".
How to undo the workaround
Run Command Prompt as Administrator.
To restore the registry key, execute the command “reg import filename”
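The same backup / delete / restore procedure as one script, so the workaround can be applied and later undone consistently across machines. This is an added example, not Microsoft's guidance or code from the post; the backup location under ProgramData and the "present"/"absent" state labels are my own choices, and it assumes an elevated PowerShell session on Windows.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the post or Microsoft): apply or undo the
# CVE-2022-30190 ms-msdt workaround with a backup, and report the current state.
# Assumes an elevated PowerShell session; the backup path below is an assumption.
param(
    [switch]$Undo,
    [string]$BackupFile = (Join-Path $env:ProgramData 'ms-msdt-backup.reg')
)

$keyPath = 'Registry::HKEY_CLASSES_ROOT\ms-msdt'   # provider path for Test-Path
$regKey  = 'HKEY_CLASSES_ROOT\ms-msdt'             # path as reg.exe expects it

function Get-MsdtHandlerState {
    # 'present' = ms-msdt: URL handler still registered (workaround NOT applied)
    # 'absent'  = key removed (workaround applied)
    if (Test-Path -LiteralPath $keyPath) { 'present' } else { 'absent' }
}

if (-not $Undo) {
    if ((Get-MsdtHandlerState) -eq 'absent') {
        Write-Host 'ms-msdt handler already removed; nothing to do.'
        return
    }
    # Back up first so the handler can be restored once a fix is installed.
    reg.exe export $regKey $BackupFile /y | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path -LiteralPath $BackupFile)) {
        throw "Backup to $BackupFile failed; not deleting the key."
    }
    reg.exe delete $regKey /f | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg delete failed with exit code $LASTEXITCODE" }
    Write-Host "Workaround applied. Backup: $BackupFile. State: $(Get-MsdtHandlerState)"
}
else {
    if (-not (Test-Path -LiteralPath $BackupFile)) {
        throw "No backup found at $BackupFile; cannot restore the key."
    }
    reg.exe import $BackupFile | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg import failed with exit code $LASTEXITCODE" }
    Write-Host "Workaround undone. State: $(Get-MsdtHandlerState)"
}
```

Run it with no arguments to apply the workaround and with -Undo to restore the key from the backup after the fix is installed; the state line at the end is a quick way to confirm which side of the workaround a machine is on.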