Security Advisory: Microsoft Windows Support Diagnostic Tool (MSDT)
This security advisory has been updated with the latest patch update by Microsoft as of June 16 2022.
CVE number(s) | CVE-2022-30190
Affected products | Microsoft Windows Support Diagnostic Tool (MSDT)
Description of Vulnerability or Software Flaw
A zero-day Remote Code Execution (RCE) vulnerability exists within MSDT, a diagnostic tool present in the majority of Windows operating systems. This critical vulnerability is known to have been actively exploited, and proof-of-concept code for it is publicly available.
A threat actor is able to exploit this vulnerability by invoking MSDT through its URL protocol from a calling application such as Microsoft Word. A specially crafted file can trigger the vulnerability via the reading pane, meaning an unsuspecting user could fall victim without even opening the file.
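The behaviour described above (MSDT launched through its URL protocol from an Office application) is what a defender would want to spot in process-creation telemetry. The following PowerShell is an added example, not part of the original advisory: it scans constructed sample records in an assumed "parent|child|commandline" format and flags msdt.exe launches that have an Office parent or an ms-msdt: URL on the command line. The list of Office parent processes beyond Word is an assumption that generalises the advisory's example; adapt the parser to your own EDR or Sysmon export.

```powershell
# Added example (not from the original advisory). Constructed sample log in an
# assumed "parent|child|commandline" layout; real telemetry will differ.
$SampleLog = @'
WINWORD.EXE|msdt.exe|msdt.exe ms-msdt:/id PCWDiagnostic
explorer.exe|msdt.exe|msdt.exe -id NetworkDiagnosticsWeb
OUTLOOK.EXE|msdt.exe|msdt.exe ms-msdt:/id PCWDiagnostic
svchost.exe|notepad.exe|notepad.exe
'@

# Assumed set of Office parents worth flagging; the advisory names Word,
# the others are added here as an assumption.
$OfficeParents = @('WINWORD.EXE', 'EXCEL.EXE', 'POWERPNT.EXE', 'OUTLOOK.EXE')

function Find-SuspiciousMsdtLaunch {
    param([string]$LogText)

    $hits = @()
    foreach ($line in ($LogText -split "`r?`n")) {
        if (-not $line.Trim()) { continue }

        # Split into exactly three fields; the command line may itself contain '|'.
        $parent, $child, $cmd = $line -split '\|', 3
        if ($child -ine 'msdt.exe') { continue }

        $reasons = @()
        if ($OfficeParents -contains $parent.ToUpper()) { $reasons += "parent=$parent" }
        if ($cmd -match 'ms-msdt:')                      { $reasons += 'ms-msdt URL on command line' }

        if ($reasons.Count -gt 0) {
            $hits += [pscustomobject]@{
                Parent      = $parent
                CommandLine = $cmd
                Reason      = ($reasons -join '; ')
            }
        }
    }
    return $hits
}

# On the sample above this reports the WINWORD.EXE and OUTLOOK.EXE launches
# and ignores the explorer.exe troubleshooter launch and the notepad record.
Find-SuspiciousMsdtLaunch -LogText $SampleLog | Format-Table -AutoSize
```

Either condition alone produces a hit, so a legitimate troubleshooter started from Settings (no Office parent, no ms-msdt: URL) is not reported, while an msdt.exe launch from the reading pane of Outlook is.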
Identification and remediation
Microsoft has released a patch as part of their June security updates that remediates this vulnerability, so if your systems are up to date with Windows security updates then they should no longer be vulnerable to this. Further details on what patch version each operating system should be on are available in the “Security Updates” section of this Microsoft article:
If you disabled the MSDT URL protocol per the advice in version 1.0 of this advisory, the steps to undo this change are as follows:
1. Run Command Prompt as Administrator
2. To restore the registry key, execute the command “reg import filename”
Note that “filename” will be the name of the backup created while implementing the mitigation in version 1.0 of this advisory.
At the time of version 1.0 of this advisory there were no patches available for this vulnerability; however, in the interim there is a mitigation that can be put in place by disabling the MSDT URL protocol. Disabling the MSDT URL protocol will prevent troubleshooters from being launched as links, which will reduce the attack vector. Even with the protocol disabled, troubleshooters will still be accessible using the Get Help application and in System Settings as other or additional troubleshooters.
The steps to disable the MSDT URL Protocol are as follows:
1. Run Command Prompt as Administrator.
2. To back up the registry key, execute the command “reg export HKEY_CLASSES_ROOT\ms-msdt filename”.
3. Execute the command “reg delete HKEY_CLASSES_ROOT\ms-msdt /f”.
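The two procedures in this advisory (disabling the MSDT URL protocol, and restoring it from the backup once patched) can be run as one script from an elevated PowerShell session. This is an added example, not part of the original advisory: it wraps the same reg.exe export, delete and import commands given above, refuses to delete the key unless the backup succeeded, and adds a check of whether the handler key is currently present. The backup location C:\Backup\ms-msdt.reg is an assumed path.

```powershell
# Added example (not from the original advisory). Run as Administrator.
$KeyPath    = 'HKEY_CLASSES_ROOT\ms-msdt'
$BackupPath = 'C:\Backup\ms-msdt.reg'   # assumed location; choose your own

function Test-MsdtProtocolEnabled {
    # $true when the ms-msdt URL protocol handler key still exists.
    return Test-Path -Path "Registry::$KeyPath"
}

function Disable-MsdtProtocol {
    # Steps 2 and 3 of the mitigation: export the key, then delete it.
    New-Item -ItemType Directory -Path (Split-Path $BackupPath) -Force | Out-Null
    reg.exe export $KeyPath $BackupPath /y
    if ($LASTEXITCODE -ne 0) {
        throw "Backup of $KeyPath failed; the key was NOT deleted."
    }
    reg.exe delete $KeyPath /f
    if ($LASTEXITCODE -ne 0) { throw "Failed to delete $KeyPath." }
}

function Restore-MsdtProtocol {
    # Undo step from version 1.0: import the backup taken by Disable-MsdtProtocol.
    if (-not (Test-Path $BackupPath)) {
        throw "No backup found at $BackupPath; nothing to restore."
    }
    reg.exe import $BackupPath
    if ($LASTEXITCODE -ne 0) { throw "Import of $BackupPath failed." }
}

# Usage: apply the mitigation, confirm, and later restore once patched.
Disable-MsdtProtocol
"Protocol enabled after disable: $(Test-MsdtProtocolEnabled)"   # expect False
Restore-MsdtProtocol
"Protocol enabled after restore: $(Test-MsdtProtocolEnabled)"   # expect True
```

Keep the exported .reg file somewhere it will survive until the June security update is confirmed installed, since it is the only record of the original handler registration.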
Loop recommends customers urgently update their Windows systems with the Microsoft June security patches to remediate this actively exploited vulnerability.
Loop recommends customers be extra vigilant when opening or viewing files received from external sources. Furthermore, if it is feasible for your organisation, Loop recommends implementing the above mitigation to reduce the attack vector for this vulnerability.