ISSUE 19.23.1 • 2022-06-09 By Susan Bradley Once again, we are faced with several zero days that are plaguing Office and Windows. Accordingly, I am ra
[See the full post at: MS-DEFCON 2: Zero days unpatched]
Susan Bradley Patch Lady
It’s not quite the same though, is it? It doesn’t remotely execute code, but displays a customized file search result (potentially bogus). It could be used in phishing scams, but a user has to be conned into clicking a file listing.
While this exploit is not as severe as the MS-MSDT remote code execution vulnerability, it could lead to abuse by industrious threat actors who want to create sophisticated phishing campaigns.
…
Microsoft sent us the following statement when asked how they planned on resolving this issue. “This social engineering technique requires a user to run a malicious document and interact with a list of executables from an attacker specified network share. We recommend users practice safe computing habits and to only open files that come from trusted sources.” – a Microsoft spokesperson.
New Windows Search zero-day added to Microsoft protocol nightmare
Windows 11 Pro version 22H2 build 22621.1778 + Microsoft 365 + Edge
I use twitter links because that’s the security researcher whose rules they are using to flag the site as malicious when it’s not. He has a very detailed explanation of what’s going on.
Sorry, but I have to use the resources where the info comes from. You can lurk on twitter and not “do” twitter. Askwoody, Woody and Kirsty are all on twitter and have been longer than me.
Thread by @cyb3rops on Thread Reader App – Thread Reader App
if I use that in addition, that should let you read the post.
Susan Bradley Patch Lady
Thanks for this BUT ….. Confused about nothing but – O’s – for Patches were applied / Apps Patched. What is supposed to happen and / or what’s needed from me?
W10 Pro 22H2 / Hm-Stdnt Ofce '16 C2R / HP Envy Desk-Ethernet - SSD-HDD/ i5(8th Gen) 12GB / GP=2 + FtrU=Semi-Annual + Feature Defer = 1 + QU=0
Susan talks about “blocking Office from creating child processes” using the config editor last fall https://www.askwoody.com/newsletter/the-first-google-search-result-often-leads-to-a-virus/#on-security
After the first alert for Follina ten days ago, I went into Regedit to see if I have that registry key HKEY_CLASSES_ROOT\ms-msdt. It was not in my registry, and I don’t remember ever doing anything previously to remove it. I have Windows 8.1 and 0Patch does not have a patch for 8.1, or at least they don’t have one yet. Could it be that this is a vulnerability that does not affect 8.1?
Yes:
Q: What Windows versions require the workaround?
A: The MSDT URL protocol is available in Windows Server 2019 & Windows 10 version 1809 and later supported versions of Windows. The registry key mentioned in the workaround section will not exist in earlier supported versions of Windows, so the workaround is not required.
Guidance for CVE-2022-30190 Microsoft Support Diagnostic Tool Vulnerability
Windows 11 Pro version 22H2 build 22621.1778 + Microsoft 365 + Edge
In today’s AskWoody Alert, I could not help but notice that the registry item mentioned for search is HKEY_CLASSES_ROOT\ms-search. This is different from what was mentioned in the May 31 alert: HKEY_CLASSES_ROOT\search-ms. Turns out both versions are in Registry!
Is the “ms-search” in today’s alert a typo, or was the original “search-ms” a typo? Or, are we supposed to delete both of them?
Last week, I used RegEdit to manually delete the search-ms entry (and the ms-msdt entry) from my Windows 10 pc (with version 21H2). No ill effects have been observed since then.
Finally, it should be noted that “search-ms” is also the version mentioned in these security blogs:
Susan, thanks for this. Motivated by your CSO Online post, as a start, I’m setting up a group policy to
Block Office applications from creating child processes D4F940AB-401B-4EFC-AADC-AD5F3C50688A
Block Office applications from creating executable content 3B576869-A4EC-4529-8536-B80A7769E899
Block Office applications from injecting into other processes 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84
It’s hard for me to imagine a scenario in which any of these would ever be a good thing. I guess maybe if a customer were using custom Office scripts but 99% of small businesses won’t even know that is possible.
As usual, this is a vast subject covered by half a dozen Microsoft articles. The most helpful, succinct resource is this test bed: https://demo.wd.microsoft.com/Page/ASR. Too bad that’s going away in four days. Download the samples now! I was able to successfully test that child process creation is blocked.
BTW your video talks about looking for 1122 events in Microsoft-Windows-Security-Mitigations/KernelMode. From this article, that log may have other relevant events (2-23, 260), but the 1121 and 1122 events are in Microsoft-Windows-Windows Defender/Operational or Microsoft-Windows-Windows Defender/WHC. My test threw 1121:
Log Name: Microsoft-Windows-Windows Defender/Operational
Source: Microsoft-Windows-Windows Defender
Date: 6/11/2022 8:59:40 AM
Event ID: 1121
Task Category: None
Level: Warning
User: SYSTEM
Description: Microsoft Defender Exploit Guard has blocked an operation that is not allowed by your IT administrator. For more information please contact your IT administrator.
ID: D4F940AB-401B-4EFC-AADC-AD5F3C50688A
Detection time: 2022-06-11T15:59:40.180Z
User: (unknown user)
Path: \\SERVER\Reference\TestFile_Block_Office_applications_from_creating_executable_content_3B576869-A4EC-4529-8536-B80A7769E899.docm
Process Name: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
Target Commandline:
Parent Commandline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /n "M:\Reference\IT Admin\2022.06 - Windows Defender Attack Surface Reduction\TestFile_Block_Office_applications_from_creating_executable_content_3B576869-A4EC-4529-8536-B80A7769E899.docm" /o ""
Involved File:
Inheritance Flags: 0x00000000
Security intelligence Version: 1.367.1391.0
Engine Version: 1.1.19200.6
Product Version: 4.18.2203.5
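The same three ASR rules and the 1121/1122 lookup, done from PowerShell instead of group policy. This is an added example, not code from the post above or from Microsoft; it assumes an elevated session on a Windows 10/11 machine where Defender Antivirus is the active engine, and uses only the documented Add-MpPreference, Get-MpPreference and Get-WinEvent cmdlets.

```powershell
# Added example: enable the three Office ASR rules quoted above, confirm Defender's
# view of them, then pull the block (1121) / audit (1122) events and map each back
# to its rule. Assumes an elevated PowerShell on Windows 10/11 with Defender AV on.

$AsrRules = @{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block Office applications from creating child processes'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office applications from creating executable content'
    '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84' = 'Block Office applications from injecting into other processes'
}

# Use 'AuditMode' instead of 'Enabled' to log (event 1122) without blocking while
# you check for false positives on macros or add-ins a business depends on.
$Action = 'Enabled'

foreach ($Id in $AsrRules.Keys) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $Id `
                     -AttackSurfaceReductionRules_Actions $Action
}

# Verify what Defender now reports for these rules (1 = Block, 2 = Audit, 0 = Off).
$Pref = Get-MpPreference
for ($i = 0; $i -lt $Pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    $Id = $Pref.AttackSurfaceReductionRules_Ids[$i].ToUpper()
    if ($AsrRules.ContainsKey($Id)) {
        '{0}  action={1}  {2}' -f $Id, $Pref.AttackSurfaceReductionRules_Actions[$i], $AsrRules[$Id]
    }
}

# ASR events live in the Defender Operational log (not Security-Mitigations/KernelMode).
$Filter = @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1121, 1122
    StartTime = (Get-Date).AddDays(-7)
}
Get-WinEvent -FilterHashtable $Filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Rule GUID and triggering process are in the message text; extract them.
        $RuleId = if ($_.Message -match 'ID:\s*([0-9A-Fa-f-]{36})') { $Matches[1].ToUpper() } else { '?' }
        $Proc   = if ($_.Message -match 'Process Name:\s*(.+?)\r?\n') { $Matches[1].Trim() } else { '?' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Mode    = if ($_.Id -eq 1121) { 'Block' } else { 'Audit' }
            Rule    = if ($AsrRules.ContainsKey($RuleId)) { $AsrRules[$RuleId] } else { $RuleId }
            Process = $Proc
        }
    } | Format-Table -AutoSize
```

If the machine is managed by Intune or group policy, the policy setting wins over Add-MpPreference, so check Get-MpPreference output rather than assuming the call took effect.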