Microsoft issued an announcement a few days ago disclosing a zero-day vulnerability in Windows: a user can be attacked simply by previewing a Word file containing malicious code, which lets an attacker execute code remotely, and all Windows versions are affected. Although Microsoft has not yet released a patch, it has proposed ways to mitigate the damage.
The vulnerability, numbered CVE-2022-30190, lies in the Microsoft Support Diagnostic Tool (MSDT). When a calling application such as Word invokes MSDT through its URL protocol, an attacker can make MSDT run malicious PowerShell commands and thereby execute arbitrary code with the privileges of the calling application: install programs; view, change or delete data; and even create new accounts on the computer. Most alarming is that the file does not even have to be opened; merely previewing it is enough to trigger the attack.
Microsoft said that working exploit code for compromising computers has already been found, and there are reports that Chinese hackers have begun using this vulnerability in intrusions, so it is recommended that you immediately apply the temporary measures provided by Microsoft to avoid being compromised.
According to Shadow Chaser Group, security experts had notified Microsoft as early as April 12, but Microsoft said on April 21 that it had not discovered the vulnerability. It wasn’t until a few days ago when experts publicly disclosed an example of an attack on this vulnerability on Twitter that Microsoft officially took action.
Temporary solution
- Open the Command Prompt as an administrator;
- first execute "reg export HKEY_CLASSES_ROOT\ms-msdt filename" (in this example, msdt-backup is the file name) to back up the original registry key;
- then execute "reg delete HKEY_CLASSES_ROOT\ms-msdt /f" to delete the key;
- The window can be closed when finished. To make sure the new setting takes effect, restart the computer.
How to restore the registry key
When Microsoft officially releases the patch, you can restore the registry key with peace of mind:
- Open the Command Prompt as an administrator;
- execute "reg import filename" (in this example, the filename is msdt-backup) to import the backup.
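The two procedures above, applied and reverted from a script, as an added example that is not part of this article or of Microsoft's guidance. It assumes an elevated PowerShell session; the registry path HKEY_CLASSES_ROOT\ms-msdt, the backup name msdt-backup and the Defender signature version 1.367.719.0 come from the article, while the function names, the backup location under ProgramData and the status check are this example's own choices.

```powershell
# Added example (not from the article or from Microsoft): scripted version of the
# workaround, its rollback, and a status check. Run from an elevated PowerShell session.
# Assumed names: Disable-MsdtProtocol, Restore-MsdtProtocol, Get-MsdtMitigationStatus,
# and the backup file path built below.

$KeyPath    = 'HKEY_CLASSES_ROOT\ms-msdt'
$BackupFile = Join-Path $env:ProgramData 'msdt-backup.reg'

function Test-IsAdministrator {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    (New-Object Security.Principal.WindowsPrincipal $id).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Disable-MsdtProtocol {
    if (-not (Test-IsAdministrator)) { throw 'Run this from an elevated PowerShell session.' }
    if (-not (Test-Path "Registry::$KeyPath")) {
        Write-Host "$KeyPath is not present; nothing to do."
        return
    }
    # 1. Back up the key first so the change can be reverted once the patch ships
    #    (/y overwrites an existing backup file without prompting).
    reg.exe export $KeyPath $BackupFile /y | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path $BackupFile)) {
        throw "Backup of $KeyPath failed; refusing to delete the key without a backup."
    }
    # 2. Remove the ms-msdt: URL protocol handler so a calling application can no
    #    longer hand an ms-msdt: URL to MSDT.
    reg.exe delete $KeyPath /f | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Deleting $KeyPath failed." }
    Write-Host "Backup written to $BackupFile and $KeyPath removed; restart to be sure it takes effect."
}

function Restore-MsdtProtocol {
    if (-not (Test-IsAdministrator)) { throw 'Run this from an elevated PowerShell session.' }
    if (-not (Test-Path $BackupFile)) { throw "No backup found at $BackupFile." }
    reg.exe import $BackupFile | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Import of $BackupFile failed." }
    Write-Host "$KeyPath restored from $BackupFile."
}

function Get-MsdtMitigationStatus {
    # Reports whether the handler key is still present and whether the Defender
    # signature version is at or above the build the article names.
    $handlerPresent = Test-Path "Registry::$KeyPath"
    $sigVersion = $null
    try {
        $sigVersion = [version](Get-MpComputerStatus).AntivirusSignatureVersion
    } catch {
        # Defender not installed or the cmdlet unavailable on this host.
    }
    [pscustomobject]@{
        MsdtHandlerPresent       = $handlerPresent
        DefenderSignatureVersion = $sigVersion
        DefenderHasMesdettySigs  = ($null -ne $sigVersion) -and ($sigVersion -ge [version]'1.367.719.0')
    }
}

# Usage, one step at a time:
#   Disable-MsdtProtocol        # apply the workaround
#   Get-MsdtMitigationStatus    # verify the key is gone and Defender is current
#   Restore-MsdtProtocol        # after the official fix has been installed
```

The script refuses to delete the key unless the export succeeded and the backup file exists, which is the one step in the manual procedure that is easy to skip and impossible to undo afterwards.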
Microsoft Defender Antivirus detection
In addition, Microsoft Defender Antivirus, once updated to version 1.367.719.0, can detect exploitation of this vulnerability with the following signatures:
- Trojan:Win32/Mesdetty.A (detects malicious MSDT command-line commands)
- Trojan:Win32/Mesdetty.B (detects malicious MSDT command-line commands)
- Behavior:Win32/MesdettyLaunch.A!blk (blocks processes that launch MSDT command-line commands)
Microsoft Defender for Endpoint also raises alerts for this vulnerability.