MS-DEFCON 2: Zero days unpatched

Topic

New Reply

ISSUE 19.23.1 • 2022-06-09 By Susan Bradley Once again, we are faced with several zero days that are plaguing Office and Windows. Accordingly, I am ra
[See the full post at: MS-DEFCON 2: Zero days unpatched]

Susan Bradley Patch Lady

3 users thanked author for this post.

lmacri, CAS, Mr. Austin

Reply | Quote

Replies

Is there any guidance or acknowledgment by Microsoft of a vulnerability associated with the search protocol? So far, I’ve been unable to find a single thing from them.

Reply | Quote

It’s not quite the same though, is it? It doesn’t remotely execute code, but displays a customized file search result (potentially bogus). It could be used in phishing scams, but a user has to be conned into clicking a file listing.

While this exploit is not as severe as the MS-MSDT remote code execution vulnerability, it could lead to abuse by industrious threat actors who want to create sophisticated phishing campaigns.
…
Microsoft sent us the following statement when asked how they planned on resolving this issue.

“This social engineering technique requires a user to run a malicious document and interact with a list of executables from an attacker specified network share. We recommend users practice safe computing habits and to only open files that come from trusted sources.” – a Microsoft spokesperson.

New Windows Search zero-day added to Microsoft protocol nightmare

Windows 11 Pro version 22H2 build 22621.1485 + Microsoft 365 + Edge

Reply | Quote

https://twitter.com/hackerfantastic/status/1531809205887328256

I have not seen Microsoft acknowledge it.

Susan Bradley Patch Lady

Reply | Quote

Defender and Malwarebytes  won’t allow this to run

Delete ASR_Rules_PoSh_GUI_1.1.exe

Problems with compiled exe. MS Defender recognizes this file as trojan.

Reply | Quote

The next file listed on that page is version 1.0 which runs fine.

Windows 11 Pro version 22H2 build 22621.1485 + Microsoft 365 + Edge

2 users thanked author for this post.

Mr. Austin, sheldon

Reply | Quote

Interesting – I believe it’s overreacting to the PowerShell commands and it’s really not malicious but I’m investigating.

https://twitter.com/SBSDiva/status/1534925414992207872

Susan Bradley Patch Lady

Reply | Quote

https://twitter.com/cyb3rops/status/1534940197078671360

Because it uses ps2exe it’s mistakenly flagged as a virus.

Susan Bradley Patch Lady

Reply | Quote

Can you please not post Twitter links – all I get is a sign up window over whatever I’m trying to read.

cheers, Paul

1 user thanked author for this post.

geekdom

Reply | Quote

Would it kill you to sign up, or open the link in an incognito/inprivate window?

Windows 11 Pro version 22H2 build 22621.1485 + Microsoft 365 + Edge

Reply | Quote

I don’t do Twitter either.

2 users thanked author for this post.

Paul T, geekdom

Reply | Quote

That would require a twitter account.

cheers, Paul

Reply | Quote

I use twitter links because that’s the security researcher who’d rules they are using to flag the site as malicious when it’s not.  He has a very detailed explanation of what’s going on.

Sorry, but I have to use the resources where the info comes from.  You can lurk on twitter and not “do” twitter.  Askwoody, Woody and Kirsty are all on twitter and have been longer than me.

Thread by @cyb3rops on Thread Reader App – Thread Reader App

if I use that in addition, that should let you read the post.

Susan Bradley Patch Lady

1 user thanked author for this post.

ve2mrx

Reply | Quote

Threadreader is great, no more painful navigation of twitter.

I take it back, only seems to work if you have a specific thread / link.

RSS.app seems to work nicely. Bung in the URL of the person you want to read and away you go.

cheers, Paul

Reply | Quote

Paul it maybe your blocking s/w. If i disable nMatrix for the page I can see it. And yes I am not a Twit fan either.

🍻

Just because you don't know where you are going doesn't mean any road will get you there.

Reply | Quote

Thanks for this BUT ….. Confused about nothing but – O’s – for Patches were applied / Apps Patched. What is supposed to happen and / or what’s needed from me?

 

W10 Pro 22H2 / Hm-Stdnt Ofce '16 C2R / HP Envy Desk-Ethernet - SSD-HDD/ i5(8th Gen) 12GB / GP=2 + FtrU=Semi-Annual + Feature Defer = 1 + QU=0

Reply | Quote

If you recently installed it, give it time.  It will take some time to get the micro patch.

Susan Bradley Patch Lady

1 user thanked author for this post.

CraigS26

Reply | Quote

If your new to 0patch it takes awhile to show  the numbers after installing.  I highly recommend spending the 25 or 27 some dollars a year for Pro.

3 users thanked author for this post.

ve2mrx, LHiggins, CraigS26

Reply | Quote

Given that I have disabled Widows Search ever since Win 10 came out, I should be unaffected. Right or wrong?

Peace, CAS

Reply | Quote

I doubt that would make any difference, but unless you’d fall for a phishing scam that looks something like this after a download then it doesn’t matter:

Windows 11 Pro version 22H2 build 22621.1485 + Microsoft 365 + Edge

1 user thanked author for this post.

CAS

Reply | Quote

Susan talks about “blocking Office from creating child processes” using the config editor last fall  https://www.askwoody.com/newsletter/the-first-google-search-result-often-leads-to-a-virus/#on-security

1 user thanked author for this post.

lmacri

Reply | Quote

After the first alert for Follina ten days ago, I went into Regedit to see if I have that registry key HKEY_CLASSES_ROOT\ms-msdt. It was not in my registry, and I don’t remember ever doing anything previously to remove it. I have Windows 8.1 and 0Patch does not have a patch for 8.1, or at least they don’t have one yet. Could it be that this is a vulnerability that does not affect 8.1?

Reply | Quote

Yes:

Q: What Windows versions require the workaround?

A: The MSDT URL protocol is available in Windows Server 2019 & Windows 10 version 1809 and later supported versions of Windows. The registry key mentioned in the workaround section will not exist in earlier supported versions of Windows, so the workaround is not required.

Guidance for CVE-2022-30190 Microsoft Support Diagnostic Tool Vulnerability

Windows 11 Pro version 22H2 build 22621.1485 + Microsoft 365 + Edge

1 user thanked author for this post.

Douglas

Reply | Quote

Thank you!

Reply | Quote

In today’s AskWoody Alert, I could not help but notice that the registry item mentioned for search is HKEY_CLASSES_ROOT\ms-search.  This is different from what was mentioned in the May 31 alert:  HKEY_CLASSES_ROOT\search-ms.   Turns out both versions are in Registry!

Is the “ms-search” in today’s alert a typo, or was the original “search-ms” a typo?  Or, are we supposed to delete both of them?

Last week, I used RegEdit to manually delete the search-ms entry (and the ms-msdt entry) from my Windows 10 pc (with version 21H2).  No ill effects have been observed since then.

Finally, it should be noted that “search-ms” is also the version mentioned in these security blogs:

https://www.bleepingcomputer.com/news/security/new-windows-search-zero-day-added-to-microsoft-protocol-nightmare/

https://nakedsecurity.sophos.com/2022/06/02/yet-another-zero-day-sort-of-in-windows-search-url-handling/

 

 

1 user thanked author for this post.

b

Reply | Quote

My apologies, somehow in writing the alert I flipped around the search-ms to ms-search.  Updated the alert on the site.

Susan Bradley Patch Lady

1 user thanked author for this post.

Hello_World_2019

Reply | Quote

Geo is convincing …. and I decided $2/Mo is worth it for Pro; Disabled Auto-Renew but am sure I will.

W10 Pro 22H2 / Hm-Stdnt Ofce '16 C2R / HP Envy Desk-Ethernet - SSD-HDD/ i5(8th Gen) 12GB / GP=2 + FtrU=Semi-Annual + Feature Defer = 1 + QU=0

Reply | Quote

Virus Total scan has 22 of 64 virus scanners flagging the ASR gui tool as bad.  I alos got  a message from MalwareBytes the it is a virus. Do not know why, but would rather edit registry than trust the ASR tool.  Just my thoughts.

1 user thanked author for this post.

Fred

Reply | Quote

It’s a false positive.

Twittertthread-2

Read the conversation regarding what’s going on.

Susan Bradley Patch Lady

Reply | Quote

Are there any unintended consequences for the incorrect registry delete command?

Reply | Quote

No as it doesn’t exist.

Susan Bradley Patch Lady

1 user thanked author for this post.

Richard C Algeni

Reply | Quote

That’s what I thought, but I wanted to be sure.

Thank you!!!

Reply | Quote

I DID have a hkey_root key “ms-search” that I deleted.

I went back and restored the key and deleted the “search-ms” hkey_root one, but now (per above) I wonder what the other one was/is for?

Or can I delete them both?

Thanks,

Chris

(one little mis-type and so many questions… 😉

Reply | Quote

Susan, thanks for this. Motivated by your CSO Online post, as a start, I’m setting up a group policy to

Block Office applications from creating child processes D4F940AB-401B-4EFC-AADC-AD5F3C50688A
Block Office applications from creating executable content 3B576869-A4EC-4529-8536-B80A7769E899
Block Office applications from injecting into other processes 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84

It’s hard for me to imagine a scenario in which any of these would ever be a good thing. I guess maybe if a customer were using custom Office scripts but 99% of small businesses won’t even know that is possible.

As usual, this is a vast subject covered by half a dozen Microsoft articles. The most helpful, succinct resource is this test bed:  https://demo.wd.microsoft.com/Page/ASR. Too bad that’s going away in four days. Download the samples now! I was able to successfully test that child process creation is blocked.

BTW your video talks about looking for 1122 events in Microsoft-Windows-Security-Mitigations/KernelMode. From this article, that log may have other relevant events (2-23, 260), but the 1121 and 1122 events are in Microsoft-Windows-Windows Defender/Operational or Microsoft-Windows-Windows Defender/WHC. My test threw 1121:

Log Name: Microsoft-Windows-Windows Defender/Operational
Source: Microsoft-Windows-Windows Defender
Date: 6/11/2022 8:59:40 AM
Event ID: 1121
Task Category: None
Level: Warning
User: SYSTEM
Description:
Microsoft Defender Exploit Guard has blocked an operation that is not allowed by your IT administrator.
For more information please contact your IT administrator.
ID: D4F940AB-401B-4EFC-AADC-AD5F3C50688A
Detection time: 2022-06-11T15:59:40.180Z
User: (unknown user)
Path: \\SERVER\Reference\TestFile_Block_Office_applications_from_creating_executable_content_3B576869-A4EC-4529-8536-B80A7769E899.docm
Process Name: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
Target Commandline: 
Parent Commandline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /n "M:\Reference\IT Admin\2022.06 - Windows Defender Attack Surface Reduction\TestFile_Block_Office_applications_from_creating_executable_content_3B576869-A4EC-4529-8536-B80A7769E899.docm" /o ""
Involved File: 
Inheritance Flags: 0x00000000
Security intelligence Version: 1.367.1391.0
Engine Version: 1.1.19200.6
Product Version: 4.18.2203.5

 

Reply | Quote