• MS-DEFCON 2: Zero days unpatched


    #2452107

    ISSUE 19.23.1 • 2022-06-09 • By Susan Bradley

    Once again, we are faced with several zero days that are plaguing Office and Windows. Accordingly, I am ra
    [See the full post at: MS-DEFCON 2: Zero days unpatched]

    Susan Bradley Patch Lady

    • #2452123

      Is there any guidance or acknowledgment by Microsoft of a vulnerability associated with the search protocol? So far, I’ve been unable to find a single thing from them.

      • #2452132

        It’s not quite the same though, is it? It doesn’t remotely execute code, but displays a customized file search result (potentially bogus). It could be used in phishing scams, but a user has to be conned into clicking a file listing.

        While this exploit is not as severe as the MS-MSDT remote code execution vulnerability, it could lead to abuse by industrious threat actors who want to create sophisticated phishing campaigns.

        Microsoft sent us the following statement when asked how they planned on resolving this issue.

        “This social engineering technique requires a user to run a malicious document and interact with a list of executables from an attacker specified network share. We recommend users practice safe computing habits and to only open files that come from trusted sources.” – a Microsoft spokesperson.

        New Windows Search zero-day added to Microsoft protocol nightmare

        Windows 11 Pro version 22H2 build 22621.1778 + Microsoft 365 + Edge

      • #2452299

        https://twitter.com/hackerfantastic/status/1531809205887328256

        I have not seen Microsoft acknowledge it.

        Susan Bradley Patch Lady

    • #2452133
      Defender and Malwarebytes won’t allow this to run.
      Delete ASR_Rules_PoSh_GUI_1.1.exe
      Problems with the compiled exe. MS Defender recognizes this file as a trojan.
    • #2452153

      Thanks for this BUT ….. Confused about nothing but – O’s – for Patches were applied / Apps Patched. What is supposed to happen and / or what’s needed from me?

      W10 Pro 22H2 / Hm-Stdnt Ofce '16 C2R / HP Envy Desk-Ethernet - SSD-HDD/ i5(8th Gen) 12GB / GP=2 + FtrU=Semi-Annual + Feature Defer = 1 + QU=0

    • #2452173

      Given that I have disabled Windows Search ever since Win 10 came out, I should be unaffected. Right or wrong?

      Peace, CAS

      • #2452181

        I doubt that would make any difference, but unless you’d fall for a phishing scam that looks something like this after a download then it doesn’t matter:

        [Screenshots: Bogus file search 1, Bogus file search 2]

        Windows 11 Pro version 22H2 build 22621.1778 + Microsoft 365 + Edge

    • #2452180

      Susan talks about “blocking Office from creating child processes” using the config editor last fall: https://www.askwoody.com/newsletter/the-first-google-search-result-often-leads-to-a-virus/#on-security

    • #2452206

      After the first alert for Follina ten days ago, I went into Regedit to see if I have that registry key HKEY_CLASSES_ROOT\ms-msdt. It was not in my registry, and I don’t remember ever doing anything previously to remove it. I have Windows 8.1 and 0Patch does not have a patch for 8.1, or at least they don’t have one yet. Could it be that this is a vulnerability that does not affect 8.1?

    • #2452241

      In today’s AskWoody Alert, I could not help but notice that the registry item mentioned for search is HKEY_CLASSES_ROOT\ms-search. This is different from what was mentioned in the May 31 alert: HKEY_CLASSES_ROOT\search-ms. Turns out both versions are in Registry!

      Is the “ms-search” in today’s alert a typo, or was the original “search-ms” a typo? Or, are we supposed to delete both of them?

      Last week, I used RegEdit to manually delete the search-ms entry (and the ms-msdt entry) from my Windows 10 pc (with version 21H2). No ill effects have been observed since then.

      Finally, it should be noted that “search-ms” is also the version mentioned in these security blogs:

      https://www.bleepingcomputer.com/news/security/new-windows-search-zero-day-added-to-microsoft-protocol-nightmare/

      https://nakedsecurity.sophos.com/2022/06/02/yet-another-zero-day-sort-of-in-windows-search-url-handling/

    • #2452259

      Geo is convincing …. and I decided $2/Mo is worth it for Pro; Disabled Auto-Renew but am sure I will.

      [Screenshot: 1st-PRO-DASHBOARD-6-9-22]

      W10 Pro 22H2 / Hm-Stdnt Ofce '16 C2R / HP Envy Desk-Ethernet - SSD-HDD/ i5(8th Gen) 12GB / GP=2 + FtrU=Semi-Annual + Feature Defer = 1 + QU=0

    • #2452446

      Virus Total scan has 22 of 64 virus scanners flagging the ASR gui tool as bad. I also got a message from Malwarebytes that it is a virus. Do not know why, but would rather edit registry than trust the ASR tool. Just my thoughts.

    • #2452476

      Are there any unintended consequences for the incorrect registry delete command?

    • #2452508

      I DID have a hkey_root key “ms-search” that I deleted.

      I went back and restored the key and deleted the “search-ms” hkey_root one, but now (per above) I wonder what the other one was/is for?

      Or can I delete them both?

      Thanks,

      Chris

      (one little mis-type and so many questions… 😉

    • #2452701

      Susan, thanks for this. Motivated by your CSO Online post, as a start, I’m setting up a group policy to

      Block Office applications from creating child processes D4F940AB-401B-4EFC-AADC-AD5F3C50688A
      Block Office applications from creating executable content 3B576869-A4EC-4529-8536-B80A7769E899
      Block Office applications from injecting into other processes 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84

      It’s hard for me to imagine a scenario in which any of these would ever be a good thing. I guess maybe if a customer were using custom Office scripts but 99% of small businesses won’t even know that is possible.

      As usual, this is a vast subject covered by half a dozen Microsoft articles. The most helpful, succinct resource is this test bed:  https://demo.wd.microsoft.com/Page/ASR. Too bad that’s going away in four days. Download the samples now! I was able to successfully test that child process creation is blocked.

      BTW your video talks about looking for 1122 events in Microsoft-Windows-Security-Mitigations/KernelMode. From this article, that log may have other relevant events (2-23, 260), but the 1121 and 1122 events are in Microsoft-Windows-Windows Defender/Operational or Microsoft-Windows-Windows Defender/WHC. My test threw 1121:

      Log Name: Microsoft-Windows-Windows Defender/Operational
      Source: Microsoft-Windows-Windows Defender
      Date: 6/11/2022 8:59:40 AM
      Event ID: 1121
      Task Category: None
      Level: Warning
      User: SYSTEM
      Description:
      Microsoft Defender Exploit Guard has blocked an operation that is not allowed by your IT administrator.
      For more information please contact your IT administrator.
      ID: D4F940AB-401B-4EFC-AADC-AD5F3C50688A
      Detection time: 2022-06-11T15:59:40.180Z
      User: (unknown user)
      Path: \\SERVER\Reference\TestFile_Block_Office_applications_from_creating_executable_content_3B576869-A4EC-4529-8536-B80A7769E899.docm
      Process Name: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
      Target Commandline: 
      Parent Commandline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /n "M:\Reference\IT Admin\2022.06 - Windows Defender Attack Surface Reduction\TestFile_Block_Office_applications_from_creating_executable_content_3B576869-A4EC-4529-8536-B80A7769E899.docm" /o ""
      Involved File: 
      Inheritance Flags: 0x00000000
      Security intelligence Version: 1.367.1391.0
      Engine Version: 1.1.19200.6
      Product Version: 4.18.2203.5

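      As an added example (not from this thread, Susan's newsletter, or Microsoft), a small Python parser for the Defender/Operational event text pasted above: it maps the rule GUID back to the rule name and tallies block versus audit hits, since event 1121 is an ASR rule firing in block mode and 1122 the same rule firing in audit mode. The function names are mine, and the sample events are constructed from the post with an abridged path plus a hypothetical 1122 audit hit.

```python
from collections import namedtuple

# The three ASR rule GUIDs the post above enables via Group Policy
ASR_RULES = {
    "D4F940AB-401B-4EFC-AADC-AD5F3C50688A": "Block Office applications from creating child processes",
    "3B576869-A4EC-4529-8536-B80A7769E899": "Block Office applications from creating executable content",
    "75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84": "Block Office applications from injecting into other processes",
}
# Defender/Operational: 1121 = rule fired in block mode, 1122 = rule fired in audit mode
EVENT_MODE = {1121: "block", 1122: "audit"}
AsrEvent = namedtuple("AsrEvent", "event_id mode rule_id rule_name process path")

def parse_asr_event(text: str) -> "AsrEvent | None":
    """Parse the 'Key: value' lines of one Defender/Operational event (as pasted
    in the post) into an AsrEvent; returns None unless it is a 1121/1122 event."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")  # split on the first colon only
        if sep:
            fields.setdefault(key.strip(), value.strip())  # first 'User:' line wins
    try:
        event_id = int(fields.get("Event ID", ""))
    except ValueError:
        return None
    if event_id not in EVENT_MODE:
        return None
    rule_id = fields.get("ID", "").upper()
    return AsrEvent(event_id, EVENT_MODE[event_id], rule_id,
                    ASR_RULES.get(rule_id, "unknown ASR rule"),
                    fields.get("Process Name", ""), fields.get("Path", ""))

def summarize(events: list) -> dict:
    """Tally block vs audit hits per rule name, to spot rules still only auditing."""
    counts: dict = {}
    for ev in events:
        counts.setdefault(ev.rule_name, {"block": 0, "audit": 0})[ev.mode] += 1
    return counts

# Constructed samples: the post's 1121 event (abridged path) and a hypothetical 1122 audit hit
SAMPLE_BLOCK = r"""Log Name: Microsoft-Windows-Windows Defender/Operational
Event ID: 1121
ID: D4F940AB-401B-4EFC-AADC-AD5F3C50688A
Path: \\SERVER\Reference\TestFile.docm
Process Name: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
"""
SAMPLE_AUDIT = SAMPLE_BLOCK.replace("1121", "1122").replace(
    "D4F940AB-401B-4EFC-AADC-AD5F3C50688A", "3B576869-A4EC-4529-8536-B80A7769E899")
```

      Feeding it the output of a Get-WinEvent export lets you confirm that every rule you pushed by policy is actually producing 1121 rather than 1122 events.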