Overview
A new critical vulnerability in the ms-msdt protocol handler let attackers bypass security mechanisms to execute malicious code without user interaction. The vulnerability is currently being actively used in the wild by hackers with public proof of concept available since 27th May.
Thus far the vulnerability has been weaponized primarily for Word Documents. The exploit will function even without macros enabled. Furthermore, in Windows File Explorer, normally when hovering over a document a small preview will be displayed. In a crafted Follina RTF document this preview will run malicious code – no clicking involved!
The vulnerable msdt protocol handler is associated with Microsoft Support Diagnostic Tool (MSDT) and is used throughout the Windows operating system to launch troubleshooters.
Mitigate
The currently recommended mitigation from Microsoft until a proper patch is released is to disable the MSDT protocol. This will prevent troubleshooters from being launched outside the Get Help application.
Microsoft recommends applying the following mitigation steps:
Run Command Prompt as Administrator.
To back up the registry key, execute the command “reg export HKEY_CLASSES_ROOT\ms-msdt filename“
Execute the command “reg delete HKEY_CLASSES_ROOT\ms-msdt /f”.
Undo the mitigation
Run Command Prompt as Administrator.
To restore the registry key, execute the command “reg import filename”
References
https://twitter.com/nao_sec/status/1530196847679401984
https://0xsp.com/offensive/follina-cve-2022-30190-rtf/