A zero-click vulnerability in Microsoft Office was discovered over the weekend. This vulnerability was reported to Microsoft in April by a researcher.
Claire Tills, senior research engineer at Tenable, comments:
“Over the weekend, security researchers began discussing a zero-day remote code execution (RCE) vulnerability that can be exploited through Microsoft Office documents, a prime attack vector. On Monday, Microsoft released some official details regarding CVE-2022-30190, indicating that the RCE vulnerability affects Microsoft Windows Diagnostic Tools, but did not release any patches. Microsoft has issued a mitigation recommendation.
The RCE appears to have been exploited as early as April and only recently gained wide public attention after a researcher began examining a malicious sample on VirusTotal. Over the weekend, several researchers reproduced the issue and found it to be a ‘zero-click’ exploit, meaning no user interaction is required. Given the similarities between CVE-2022-30190 and CVE-2021-40444 and the assumption that other protocol handlers may also be vulnerable, we expect further development and exploitation of this vulnerability.
Since this is a zero-click exploit, there’s not much the individual user can do, but a healthy dose of skepticism is very helpful. Users should always be suspicious of attachments from untrusted sources.”