itman 1,748 Posted June 1, 2022

https://www.virustotal.com/gui/file/248296cf75065c7db51a793816d388ad589127c40fddef276e622a160727ca29/detection/f-248296cf75065c7db51a793816d388ad589127c40fddef276e622a160727ca29-1654083097

Important reference: https://www.bleepingcomputer.com/news/security/windows-msdt-zero-day-now-exploited-by-chinese-apt-hackers/
itman 1,748 Posted June 1, 2022 (edited)

My advice on this exploit is to do what Microsoft recommends:

Quote
Workarounds

To disable the MSDT URL Protocol

Disabling MSDT URL protocol prevents troubleshooters being launched as links, including links throughout the operating system. Troubleshooters can still be accessed using the Get Help application and in system settings as other or additional troubleshooters.

Follow these steps to disable:
1. Run Command Prompt as Administrator.
2. To back up the registry key, execute the command "reg export HKEY_CLASSES_ROOT\ms-msdt filename".
3. Execute the command "reg delete HKEY_CLASSES_ROOT\ms-msdt /f".

How to undo the workaround
1. Run Command Prompt as Administrator.
2. To restore the registry key, execute the command "reg import filename".

https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/

Also, you can be infected by this exploit via a .rtf file download by any attempted access of the file. Also, MS Office Protected View protection is N/A in this instance. Therefore, the following must be done:

Quote
Disable preview in Windows Explorer

If you have the preview pane enabled, you can:
1. Open File Explorer.
2. Click on the View tab.
3. Click on Preview Pane to hide it.

https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/05/microsoft-office-zero-day-follina-its-not-a-bug-its-a-feature-its-a-bug/

An example of how dangerous this exploit is is shown below, per the Malwarebytes article:

Quote
Researcher Kevin Beaumont provides the example where an attacker can send an email with this text as a hyperlink:

ms-excel:ofv|u|https://blah.com/poc.xls

And Outlook will allow the user to click the hyperlink and open the Excel document. Because the document isn't attached to the email, and the URI doesn't start with http or https, most email gateways are going to let that slide straight through as nothing appears malicious.
Edited June 1, 2022 by itman
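The Microsoft workaround quoted in the post above, wrapped in a script that first checks whether the ms-msdt handler is still registered, refuses to delete the key unless the backup succeeded, and can undo the change. This is an added example, not code from the forum post or from Microsoft; the backup file path and the function names are my own assumptions, and the script must run from an elevated PowerShell session.

```powershell
# Added example: check for, remove, and restore the ms-msdt: URL protocol handler
# (MSRC workaround for CVE-2022-30190). Requires an elevated session.
$KeyPath    = 'Registry::HKEY_CLASSES_ROOT\ms-msdt'
$RegKeyName = 'HKEY_CLASSES_ROOT\ms-msdt'
$BackupPath = Join-Path $env:SystemDrive 'ms-msdt-backup.reg'   # assumed location

function Test-IsElevated {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    return ([Security.Principal.WindowsPrincipal]$id).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-MsdtHandlerPresent {
    # True when the ms-msdt: handler is still registered, i.e. the workaround
    # has not been applied on this machine. Useful as a quick audit check.
    return (Test-Path -LiteralPath $KeyPath)
}

function Disable-MsdtUrlProtocol {
    if (-not (Test-IsElevated)) { throw 'Run this from an elevated PowerShell session.' }
    if (-not (Test-MsdtHandlerPresent)) {
        Write-Output 'ms-msdt handler is not registered; nothing to do.'
        return
    }
    # Same two commands as the Microsoft guidance: export first, delete only on success.
    & reg.exe export $RegKeyName $BackupPath /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Backup to $BackupPath failed; key left in place." }
    & reg.exe delete $RegKeyName /f | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'reg delete failed; check the backup and retry.' }
    Write-Output "ms-msdt handler removed; backup saved to $BackupPath"
}

function Restore-MsdtUrlProtocol {
    # Undo the workaround by re-importing the exported key.
    if (-not (Test-IsElevated)) { throw 'Run this from an elevated PowerShell session.' }
    if (-not (Test-Path -LiteralPath $BackupPath)) { throw "No backup found at $BackupPath" }
    & reg.exe import $BackupPath | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'reg import failed.' }
    Write-Output 'ms-msdt handler restored.'
}

# Usage: Disable-MsdtUrlProtocol   (later: Restore-MsdtUrlProtocol)
```

Test-MsdtHandlerPresent can be run on its own, without elevation, to see whether a machine still has the handler registered.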
Marcos (Administrators) 5,274 Posted June 1, 2022

1 hour ago, itman said:
https://www.virustotal.com/gui/file/248296cf75065c7db51a793816d388ad589127c40fddef276e622a160727ca29/detection/f-248296cf75065c7db51a793816d388ad589127c40fddef276e622a160727ca29-1654083097

A detection was added at about 13:00 CEST, i.e. it will be released with the next update 25364. However, the URL with a payload was blocked at about 12:45 CEST, so users have been protected since then. We're going to make a minor change shortly which would allow a file like this to be detected earlier, independently of the engine update.