CVE-2022-30190: Microsoft Office Zero-Day Vulnerability Alert
A new zero-day vulnerability in Microsoft Office has been publicly revealed, allowing remote code execution on affected Windows systems. A Microsoft Office Zero-Day RCE issue was identified in the ms-msdt:// URI scheme to run the malicious payload, which was briefly leaked. Twitter user @buffaloverflow shares some info about this flaw.
Microsoft Support Diagnostics Tool (MSDT) is a tool that is used by Microsoft Support to diagnose Windows problems. You can use the Microsoft Support Diagnostic Tool to collect information about problems you might be experiencing with your computer. The tool can help Microsoft Support solve problems more efficiently than by diagnosing over the phone or by using e-mail.
— Rich Warren (@buffaloverflow) May 29, 2022
The vulnerability was spotted after an independent cybersecurity research team known as nao_sec uncovered a Word document (“05-2022-0438.doc”) that was uploaded to VirusTotal from an IP address in Belarus.
Interesting maldoc was submitted from Belarus. It uses Word's external link to load the HTML and then uses the "ms-msdt" scheme to execute PowerShell code.https://t.co/hTdAfHOUx3 pic.twitter.com/rVSb02ZTwt
— nao_sec (@nao_sec) May 27, 2022
An attacker can exploit this flaw by sending a malicious Office file to the victim and tricking the user to open it. “The document uses the Word remote template feature to retrieve a HTML file from a remote webserver, which in turn uses the ms-msdt MSProtocol URI scheme to load some code and execute some PowerShell.”
Microsoft Office Zero-Day Vulnerability affects Office 2013, Office 2016, and Office 2021. “However, with the Insider and Current versions of Office I can’t get this to work — which suggests Microsoft have either tried to harden something, or tried to fix this vulnerability without documenting it. This appears to have happened around May 2022.” Beaumont explained.
The weakness, now assigned the identifier CVE-2022-30190, is rated 7.8 out of 10 for severity on the CVSS score. Microsoft writes:
A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word. An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights.
Microsoft fixes CVE-2022-30190 and releases additional guidance here.