Microsoft Releases Workaround for ‘One-Click’ 0Day Under Active Attack

Microsoft has released a workaround for a zero-day flaw that was initially flagged in April and that attackers already have used to target organizations in Russia and Tibet, researchers said.

The remote control execution (RCE) flaw, tracked as CVE-2022-3019, is associated with the Microsoft Support Diagnostic Tool (MSDT), which, ironically, itself collects information about bugs in the company’s products and reports to Microsoft Support.

“A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word,” Microsoft explained in its guidance on the Microsoft Security Response Center. “An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application.”

Microsoft’s workaround comes some six weeks after the vulnerability was apparently first identified. Researchers from Shadow Chaser Group noticed it on April 12 in a bachelor’s thesis from August 2020—with attackers apparently targeting Russian users–and reported to Microsoft on April 21, according to research firm Recorded Future’s The Record.

A Malwarebytes Threat Intelligence analyst also spotted the flaw back in April but could not fully identify it, the company said in a post on Twitter over the weekend, retweeting the original post about the vulnerability, also made on April 12, from @h2jazi.

When the flaw was reported, Microsoft didn’t consider it an issue. It’s clear now that the company was wrong, and the vulnerability again raised the attention of researchers at Japanese security vendor Nao Sec, who tweeted a fresh warning about it over the weekend, noting that it was being used to target users in Belarus.

In analysis over the weekend noted security researcher Kevin Beaumont dubbed the vulnerability “Follina,” explaining the zero-day code references the Italy-based area code of Follina – 0438.

Current Workaround

While no patch yet exists for the flaw, Microsoft is recommending that affected users disable the MSDT URL to mitigate it for now. This “prevents troubleshooters being launched as links including links throughout the operating system,” the company wrote in their advisory.

To do this, users must follow these steps: Run “:Command Prompt** as Administrator****“**; Back up the registry key by executing the command “reg export HKEY_CLASSES_ROOT\ms-msdt filename“; and execute the command “reg delete HKEY_CLASSES_ROOT\ms-msdt /f”.

“Troubleshooters can still be accessed using the Get Help application and in system settings as other or additional troubleshooters,” the company said.

Moreover, if the calling application is an Office app then by default, Office opens the document from the internet in Protected View and Application Guard for Office, “both of which prevent the current attack,” Microsoft said. However, Beaumont refuted that assurance in his analysis of the bug.

Microsoft also plans to update CVE-2022-3019 with further information but did not specify when it would do so, according to the advisory.

Significant Risk

In the meantime, the unpatched flaw poses a significant risk for a number of reasons, Beaumont and other researchers noted.

One is that it affects such a wide swathe of users, given that it exists in all currently supported Windows versions and can be exploited via Microsoft Office versions 2013 through Office 2019, Office 2021, Office 365, and Office ProPlus.

“Every organization that is dealing with content, files and in particular Office documents, which is basically everyone in the globe, is currently exposed to this threat,” Aviv Grafi, CTO and founder of security firm Votiro, wrote in an e-mail to Threatpost.

Another reason the flaw poses a major threat is its execution without action from end users, both Beaumont and Grafi said. Once the HTML is loaded from the calling application, an MSDT scheme is used to execute a PowerShell code to run a malicious payload, Grafi explained.

Since the flaw is abusing the remote template feature in Microsoft Word, it is not dependent on a typical macro-based exploit path, which are common within Office-based attacks, Beaumont said.

“What makes this vulnerability so difficult to avoid is the fact that the end user does not have to enable macros for the code to execute, making it a ‘zero-click’ remote code execution technique used through MSDT,” Grafi concurred.

Under Active Attack

Claire Tills, senior research engineer for security firm Tenable, compared the flaw to last year’s zero-click MSHTML bug**,**tracked as CVE-2021-40444, which was pummeled by attackers, including the Ryuk ransomware gang.

“Given the similarities between CVE-2022-30190 and CVE-2021-40444, and that researchers speculate other protocol handlers may also be vulnerable, we expect to see further developments and exploitation attempts of this issue,” she wrote in an e-mail to Threatpost.

Indeed, threat actors already have pounced on the vulnerability. On Monday, Proofpoint Threat Insight also tweeted that threat actors were using the flaw to target organizations in Tibet by impersonating the “Women Empowerments Desk” of the Central Tibetan Administration.

What’s more, the workaround that Microsoft currently offers itself has issues and won’t provide much of a fix in the long-term, especially with the bug under attack, Grafi said. He said the workaround is”not friendly for admins” because it involves “changes in the Registry of the end user’s endpoints.”