
Microsoft Support Diagnostic Tool Vulnerability


6 June 2022

Advisory - 01/02/22/065

BACKGROUND

A remote code execution (RCE) vulnerability, CVE-2022-30190, known as "Follina", affects the Microsoft Support Diagnostic Tool (MSDT) in Windows. An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application.


IMPACT

  • The attacker can install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights.


RECOMMENDATIONS

Microsoft has released the following workarounds:

To disable the MSDT URL Protocol

  • Disabling the MSDT URL protocol prevents troubleshooters from being launched as links, including links throughout the operating system. Follow these steps to disable it:
    • Run Command Prompt as Administrator.
    • To back up the registry key, execute the command "reg export HKEY_CLASSES_ROOT\ms-msdt filename".
    • Execute the command "reg delete HKEY_CLASSES_ROOT\ms-msdt /f".


How to undo the workaround

  • Run Command Prompt as Administrator.
  • To restore the registry key, execute the command "reg import filename".
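The two procedures above (apply the workaround, then undo it) as one script, added here as an example and not taken from the advisory or from Microsoft. It runs the same reg export / reg delete / reg import commands from an elevated PowerShell session, refuses to delete the key if the backup fails, and reports whether the workaround is currently applied. The backup path is an assumption; change it for your environment.

```powershell
# Added example (not from the advisory or Microsoft): apply, verify and undo the
# ms-msdt URL-protocol workaround. Run from an elevated PowerShell session.

$KeyPath    = 'HKEY_CLASSES_ROOT\ms-msdt'    # URL-protocol handler key named in the advisory
$BackupPath = 'C:\Backup\ms-msdt.reg'         # assumed backup location; adjust as needed

function Test-MsdtProtocolHandler {
    # $true when the ms-msdt handler key is still present, i.e. the workaround is NOT applied.
    return Test-Path -Path 'Registry::HKEY_CLASSES_ROOT\ms-msdt'
}

function Disable-MsdtProtocolHandler {
    if (-not (Test-MsdtProtocolHandler)) {
        Write-Output "ms-msdt handler already absent; nothing to do."
        return
    }
    # Back up the key first so the change can be reverted (reg export /y overwrites an old backup).
    New-Item -ItemType Directory -Path (Split-Path $BackupPath) -Force | Out-Null
    reg.exe export $KeyPath $BackupPath /y
    if ($LASTEXITCODE -ne 0) { throw "Backup of $KeyPath failed; key NOT deleted." }
    reg.exe delete $KeyPath /f
    if ($LASTEXITCODE -ne 0) { throw "Deletion of $KeyPath failed." }
    Write-Output "Workaround applied; backup stored at $BackupPath"
}

function Restore-MsdtProtocolHandler {
    if (-not (Test-Path -Path $BackupPath)) { throw "No backup at $BackupPath; nothing to restore." }
    reg.exe import $BackupPath
    if ($LASTEXITCODE -ne 0) { throw "Import of $BackupPath failed." }
    Write-Output "Workaround undone; ms-msdt handler restored from $BackupPath"
}

# Usage: uncomment exactly one of the following lines.
# Disable-MsdtProtocolHandler
# Restore-MsdtProtocolHandler

if (Test-MsdtProtocolHandler) {
    Write-Output "ms-msdt handler present: workaround NOT applied"
} else {
    Write-Output "ms-msdt handler absent: workaround applied"
}
```

The status check at the end is what you would fold into a fleet-wide compliance query; the export-before-delete guard is the part worth keeping even if you script this differently, since a failed backup followed by a successful delete leaves no way to undo the change.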


Microsoft Defender Detections & Protections

Customers with Microsoft Defender Antivirus should turn on cloud-delivered protection and automatic sample submission. These capabilities use artificial intelligence and machine learning to quickly identify and stop new and unknown threats.

Customers of Microsoft Defender for Endpoint can enable the attack surface reduction rule "Block all Office applications from creating child processes" (GUID d4f940ab-401b-4efc-aadc-ad5f3c50688a), which blocks Office apps from creating child processes. Creating malicious child processes is a common malware strategy. For more information see ASR rule Block all Office applications from creating child processes.
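Enabling and verifying that ASR rule from PowerShell, as an added example that is not part of the advisory or Microsoft's own documentation. The GUID is the one quoted above; the Get-MpPreference / Add-MpPreference cmdlets and the numeric action codes (0 disabled, 1 block, 2 audit, 6 warn) are the Defender ones. Rolling out in audit mode before block mode is an assumption about practice, not something the advisory prescribes.

```powershell
# Added example (not from the advisory or Microsoft): set and verify the
# "Block all Office applications from creating child processes" ASR rule.
# Requires Microsoft Defender Antivirus and an elevated session.

$RuleId = 'd4f940ab-401b-4efc-aadc-ad5f3c50688a'   # GUID quoted in the advisory

function Get-AsrRuleState {
    # Returns the configured state of one ASR rule, or 'NotConfigured' if it is absent.
    param([Parameter(Mandatory)] [string] $Id)
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $Id) {              # GUID case varies between sources
            switch ([int]$actions[$i]) {
                0       { return 'Disabled' }
                1       { return 'Block' }
                2       { return 'Audit' }
                6       { return 'Warn' }
                default { return "Unknown($($actions[$i]))" }
            }
        }
    }
    return 'NotConfigured'
}

function Set-AsrRule {
    # Add-MpPreference updates the action if the rule id is already configured.
    param(
        [Parameter(Mandatory)] [string] $Id,
        [Parameter(Mandatory)] [ValidateSet('Enabled', 'AuditMode', 'Disabled', 'Warn')] [string] $Action
    )
    Add-MpPreference -AttackSurfaceReductionRules_Ids $Id -AttackSurfaceReductionRules_Actions $Action
}

Write-Output "Before: $(Get-AsrRuleState -Id $RuleId)"
Set-AsrRule -Id $RuleId -Action AuditMode     # assumed rollout step: observe first
# Set-AsrRule -Id $RuleId -Action Enabled     # then enforce once audit events look clean
Write-Output "After:  $(Get-AsrRuleState -Id $RuleId)"
```

Audit mode writes the events the rule would have blocked without blocking them, which is the cheapest way to find line-of-business add-ins that legitimately spawn child processes from Office before switching the rule to block.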

Microsoft Defender Antivirus provides detections and protections for possible vulnerability exploitation under the following signatures using detection build 1.367.851.0 or higher:

  • Trojan:Win32/Mesdetty.A (blocks msdt command line)
  • Trojan:Win32/Mesdetty.B (blocks msdt command line)
  • Behavior:Win32/MesdettyLaunch.A!blk (terminates the process that launched msdt command line)
  • Trojan:Win32/MesdettyScript.A (detects dropped HTML files that contain a suspicious msdt command)
  • Trojan:Win32/MesdettyScript.B (detects dropped HTML files that contain a suspicious msdt command)


Microsoft Defender for Endpoint provides customers with detections and alerts. The following alert titles in the Microsoft 365 Defender portal can indicate threat activity on your network:

  • Suspicious behavior by an Office application
  • Suspicious behavior by Msdt.exe
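The behaviour the two alert titles and the ASR rule above key on, Office spawning msdt.exe or a command line invoking the ms-msdt: protocol, written as a simple hunting check over process-creation events. This is an added example, not detection logic from the advisory or from Microsoft. The event shape (ParentImage, Image, CommandLine, Time) is a Sysmon-style assumption, and the events are constructed sample data, not real telemetry.

```powershell
# Added example (not from the advisory or Microsoft): flag process-creation events in
# which an Office application launches msdt.exe, or any command line uses ms-msdt:.
# Field names are an assumption; adapt them to your EDR or SIEM export.

$OfficeApps = @('winword.exe', 'excel.exe', 'powerpnt.exe', 'outlook.exe')

function Get-ImageName {
    # Last path component, lower-cased; splits on both separators so it works off-box too.
    param([string] $Path)
    return (($Path -split '[\\/]')[-1]).ToLower()
}

function Test-SuspiciousMsdtLaunch {
    # $true when an Office parent spawns msdt.exe, or the command line invokes ms-msdt:.
    param([Parameter(Mandatory)] $Event)
    $officeParent = $OfficeApps -contains (Get-ImageName $Event.ParentImage)
    $msdtChild    = (Get-ImageName $Event.Image) -eq 'msdt.exe'
    $protocolUse  = $Event.CommandLine -match 'ms-msdt:'      # -match is case-insensitive
    return (($officeParent -and $msdtChild) -or $protocolUse)
}

# Constructed sample events (not real telemetry). The first two should be flagged;
# the third is a user-launched troubleshooter and should not; the fourth (Excel
# spawning cmd.exe) is outside this msdt-specific check but is exactly what the
# advisory's ASR rule would block.
$SampleEvents = @(
    [pscustomobject]@{ Time = '2022-06-06T09:00:01'; ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
                       Image = 'C:\Windows\System32\msdt.exe'; CommandLine = '"C:\Windows\System32\msdt.exe" ms-msdt:/id <constructed-placeholder>' }
    [pscustomobject]@{ Time = '2022-06-06T09:00:02'; ParentImage = 'C:\Windows\System32\cmd.exe'
                       Image = 'C:\Windows\System32\msdt.exe'; CommandLine = 'msdt.exe ms-msdt:/id <constructed-placeholder>' }
    [pscustomobject]@{ Time = '2022-06-06T09:05:00'; ParentImage = 'C:\Windows\explorer.exe'
                       Image = 'C:\Windows\System32\msdt.exe'; CommandLine = 'msdt.exe -id NetworkDiagnosticsWeb' }
    [pscustomobject]@{ Time = '2022-06-06T09:06:00'; ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE'
                       Image = 'C:\Windows\System32\cmd.exe'; CommandLine = 'cmd.exe /c whoami' }
)

$Hits = $SampleEvents | Where-Object { Test-SuspiciousMsdtLaunch -Event $_ }
Write-Output "Flagged $($Hits.Count) of $($SampleEvents.Count) events:"
$Hits | Select-Object Time, ParentImage, Image, CommandLine | Format-Table -AutoSize
```

The parent/child pair is the higher-fidelity signal: msdt.exe launched from Explorer or the Settings app is everyday troubleshooting, while an Office parent has no legitimate reason to start it. The ms-msdt: string match is broader and catches the case where the handler is invoked from something other than an Office document, which is why both conditions are checked.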