• Zero day in office – but don’t panic


    #2450160

    Microsoft Releases Workaround Guidance for MSDT “Follina”; Vulnerability 05/31/2022 11:11 AM EDT Original release date: May 31, 2022 Microsoft has rel
    [See the full post at: Zero day in office – but don’t panic]

    Susan Bradley Patch Lady

    9 users thanked author for this post.
    Viewing 24 reply threads
    • #2450180

      If you have MS Office (any current version) on Windows – I might suggest taking some aggressively proactive prevention steps. (See Susan’s post above.)

      Two new factors:

      1) .LNK files are also able to call this vuln.

      2) Renaming a word document to .RTF can cause this vuln to trigger on file preview in File Explorer. No file opening needed.


      ~ Group "Weekend" ~

    • #2450198

      More generally speaking, how can I list and manage URI handlers in Windows?

    • #2450240

      The group policy solution cautions that if used the policy will disable a user’s ability to run .diagcab files. So presumably this would impact those of us that depend on wushowhide.

      Does the registry fix have the same side effect?

      1 user thanked author for this post.
    • #2450288

      @Susan Bradley said:

      “Group policy fix – Just disable “Troubleshooting wizards” by GPO  see the location here:”

      Unless I’m missing something, this does not open to a GPO setting location or guidance. Seems more like a registry location?

      Can someone provide the GPO location and setting value?

      Also, per @EricB’s question above, does the GPO setting interfere with wushowhide?

      Windows 10 Pro x64 v22H2 and Windows 7 Pro SP1 x64 (RIP)
      • #2450292

        https://www.windows-security.org/3976dadfa886f59530253645ab50ec61/configure-security-policy-for-scripted-diagnostics

        It is indeed a group policy setting.

        Policy path:

        System\Troubleshooting and Diagnostics\Scripted Diagnostics

        Susan Bradley Patch Lady

        1 user thanked author for this post.
        • #2450307

          Thank you, I can follow that path.

          Question, if I am reading that path link properly, it appears that GPO setting is creating/setting a Registry entry that is different than the one you and MS are showing for a  manual registry entry.

          If so, why?

          Windows 10 Pro x64 v22H2 and Windows 7 Pro SP1 x64 (RIP)
        • #2450426

          @sb

          It is indeed a group policy setting.

          System\Troubleshooting and Diagnostics\Scripted Diagnostics

          I further just noticed that your original instructions said to disable “Troubleshooting wizards”, this new link is to “Scripted Diagnostics”.

          Which GPO is it? and

          Question, if I am reading that path link properly, it appears that GPO setting is creating/setting a Registry entry that is different than the one you and MS are showing for a manual registry entry. If so, why?

            and

          Also, per @EricB’s question above, does the GPO setting interfere with wushowhide?

          Windows 10 Pro x64 v22H2 and Windows 7 Pro SP1 x64 (RIP)
          • #2450471

            I believe this is correct.

            Group Policy:
            Computer Configuration\Administrative Templates\System\Troubleshooting and Diagnostics\Scripted Diagnostics\
            Troubleshooting: Allow users to access and run Troubleshooting Wizards = Disabled

            Registry:
            HKLM\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnostics\
            EnableDiagnostics = 0

            3 users thanked author for this post.
            • #2450472

              Thanks for the clarification PK.

              Does the GPO setting interfere with wushowhide functioning properly? (I’m reluctant to experiment in the event it would trigger a download on hold).

              Windows 10 Pro x64 v22H2 and Windows 7 Pro SP1 x64 (RIP)
            • #2450474

              Sorry, haven’t tried it yet. Stand by.

              EDIT:

              Answer is YES. I get “An error occurred while troubleshooting” and the explanation: “Troubleshooting has been disabled in Group Policy.”
              So I assume the Registry entry has the same effect if you don’t use GP.

              2 users thanked author for this post.
            • #2450477

              Answer is YES

            • #2450480

              That makes the GPO option useless for many of us.

              Looks like it’s the MS suggested registry edit or nothing pending an actual patch.

              (Or the 0patch item?)

              Windows 10 Pro x64 v22H2 and Windows 7 Pro SP1 x64 (RIP)
            • #2450630

              The GPO description does not have to match the actual registry key. GPO setting and manual registry will be the same key.
              Use whichever you find easier.

              cheers, Paul

            • #2450660

              Actually, they’re not the same.

              The GPO setting affects registry key HKLM\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnostics

              The Microsoft “suggested” edit affects registry key HKCR\ms-msdt

              They also operate differently.

              The GPO setting prevents all .diagcab files from running.

              The “suggested” edit stops embedded code from remotely running the exploit but still allows .diagcab files (like wushowhide) to be run locally via Windows Explorer or a shortcut (see my #2450259 post.)
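The thread above has established which key each mitigation touches (the GPO writes EnableDiagnostics under the Policies key; Microsoft’s workaround deletes the HKCR\ms-msdt handler) and that only the GPO route breaks .diagcab tools such as wushowhide. The following PowerShell audit is an added example, not code from the thread or from Microsoft; the function names are my own, and it assumes an elevated PowerShell on Windows 10/11. It only reads the registry, except for the optional backup helper, which uses reg export so a deletion can be reversed later.

```powershell
# Added example (not from the thread or Microsoft): read-only audit of the
# Follina / search-ms workaround state discussed above. Run in an elevated
# PowerShell on Windows 10/11. Get-FollinaWorkaroundState changes nothing.

function Get-FollinaWorkaroundState {
    # GPO "Troubleshooting: Allow users to access and run Troubleshooting Wizards"
    # = Disabled writes EnableDiagnostics = 0 under this Policies key (see #2450471).
    # That setting blocks every .diagcab, including wushowhide (see #2450474).
    $policyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnostics'
    $enableDiag = (Get-ItemProperty -Path $policyKey -Name EnableDiagnostics `
                     -ErrorAction SilentlyContinue).EnableDiagnostics

    # Microsoft's workaround deletes the ms-msdt: protocol handler key under HKCR.
    # On Windows 7, or on a system that never had Office, the key may be absent
    # to begin with (see #2450501), so "absent" does not prove the edit was made.
    $msMsdtPresent   = Test-Path 'Registry::HKEY_CLASSES_ROOT\ms-msdt'
    $searchMsPresent = Test-Path 'Registry::HKEY_CLASSES_ROOT\search-ms'

    $policyState = if ($null -eq $enableDiag) { 'Not configured' }
                   elseif ($enableDiag -eq 0) { 'Disabled (blocks all .diagcab, incl. wushowhide)' }
                   else { "Enabled (EnableDiagnostics = $enableDiag)" }

    [pscustomobject]@{
        ScriptedDiagnosticsPolicy = $policyState
        MsMsdtHandlerPresent      = $msMsdtPresent     # $false = URL handler workaround applied (or never existed)
        SearchMsHandlerPresent    = $searchMsPresent   # $false = search-ms handler key removed
    }
}

# Export a handler key before deleting it, so the change can be reversed later
# by importing the .reg file. reg export fails when the key does not exist,
# which is the error reported in #2450501 on a Windows 7 box without ms-msdt.
function Backup-ProtocolHandlerKey {
    param(
        [ValidateSet('ms-msdt', 'search-ms')][string]$Name,
        [string]$OutDir = $PWD
    )
    if (-not (Test-Path "Registry::HKEY_CLASSES_ROOT\$Name")) {
        Write-Warning "HKCR\$Name is not present on this system; nothing to back up."
        return $null
    }
    $file = Join-Path $OutDir "$Name-backup.reg"
    reg export "HKCR\$Name" $file /y | Out-Null
    return $file     # import later with: reg import <file>
}

Get-FollinaWorkaroundState | Format-List
```

If MsMsdtHandlerPresent is already $false on a machine that never had Office, there is nothing for the registry workaround to remove, which matches the Windows 7 observation later in the thread.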

    • #2450294

      0patch Pro also just put out their micropatches for Follina

      1 user thanked author for this post.
      • #2450308

        https://blog.0patch.com/

        by Mitja Kolsek, the 0patch Team

        …Our Micropatch

        It would be by far the simplest for us to just disable msdt.exe by patching it with a TerminateProcess() call. However, that would render Windows diagnostic wizardry inoperable, even for non-Office applications. Another option was to codify Microsoft’s recommendation into a patch, effectively disabling the ms-msdt: URL protocol handler.

        But when possible, we want to minimize our impact outside of removing the vulnerability, so we decided to place our patch in sdiagnhost.exe before the RunScript call and check if the user-provided path contains a “$(” sequence – which is necessary for injecting a PowerShell subexpression. If one is detected, we make sure the RunScript call is bypassed while the Diagnostic Tool keeps running…

        ** Much better solution than Microsoft’s workaround.
        Couldn’t the geniuses at Microsoft come up with a similar solution?

        2 users thanked author for this post.
    • #2450320

      That said if you do want to proactively protect yourself ….

      This MSDT exploit is also prevented (without disabling troubleshooting wizards) by the Microsoft Defender Attack Surface Defender rule “Block Office applications from creating child processes” which you recommended to all Office users (with instructions for Pro and Home) in the AskWoody Plus Newsletter eight months ago:

      If utilizing Microsoft Defender’s Attack Surface Reduction (ASR) rules in your environment, activating the rule “Block all Office applications from creating child processes” in Block mode will prevent this from being exploited.

      Rapid Response: Microsoft Office RCE – “Follina” MSDT Attack

      Windows 11 Pro version 22H2 build 22621.1778 + Microsoft 365 + Edge

    • #2450359

      The “vulnerability exists when MSDT is called using the URL protocol from a calling application”
      To what extent is this an issue for a standalone PC where the user runs a standard set-up with LibreOffice? What applications could call MSDT? Is this likely to be one of those threats that in reality will only be used against organisations?

      Windows 10 Home 22H2, Acer Aspire TC-1660 desktop + LibreOffice, non-techie

    • #2450358

      I disabled it in GPO. When should I enable it again?

    • #2450383

      To what extent is this an issue for a standalone PC where the user runs a standard set-up with LibreOffice?

      The hack can happen if you open/preview a Word document in LibreOffice, Windows Explorer…

      1 user thanked author for this post.
      • #2450417

        LibreOffice does not have this bug as far as I can tell.

        Where have you found information confirming that the bug is present in LibreOffice?

        cheers, Paul

    • #2450403

      The post was updated on 6/1 to caution about abuse of the search protocol. Is this a different exposure/exploit? I haven’t seen anything from Microsoft about this and their guidance about msdt.exe has not been updated.

    • #2450407

      The post was updated on 6/1 to caution about abuse of the search protocol. Is this a different exposure/exploit?

      This is a different method to utilize exposure/exploit

      https://www.bleepingcomputer.com/news/security/new-windows-search-zero-day-added-to-microsoft-protocol-nightmare/

      A new Windows Search zero-day vulnerability can be used to automatically open a search window containing remotely-hosted malware executables simply by launching a Word document.

      The security issue can be leveraged because Windows supports a URI protocol handler called ‘search-ms’ that allows applications and HTML links to launch customized searches on a device.

      While most Windows searches will look on the local device’s index, it is also possible to force Windows Search to query file shares on remote hosts and use a custom title for the search window…

      2 users thanked author for this post.
    • #2450481

      To what extent is this an issue for a standalone PC where the user runs a standard set-up with LibreOffice?

      The hack can happen if you open/preview a Word document in LibreOffice, Windows Explorer…

      0patch: “it doesn’t matter which version of Office you have installed, or if you have Office installed at all. The vulnerability could also be exploited through other attack vectors. That is why we also patched Windows 7, where the ms-msdt: URL handler is not registered at all”.

      2 users thanked author for this post.
    • #2450501

      Very curious. Attempting to back up the ms-msdt entry results in an error message that it cannot be found and sure enough, it’s not listed in the registry. This is on a Win7 system by the way, does anyone else not see it? So to speak. Neither does the ScriptedDiagnostics entry exist for me but I just assumed that’s only for newer Windows versions. However, the search-ms entry is present in the correct location. It’s another reminder to not open anything one doesn’t recognise, same as it ever was.

      Edit: Actually, regarding ScriptedDiagnostics – I have had the troubleshooting wizard in action centre disabled for years so maybe that’s why it’s not listed.

      Edit2: I noticed a number of users over on the ArsTechnica article also don’t have the ms-msdt registry key – https://arstechnica.com/information-technology/2022/05/code-execution-0day-in-windows-has-been-under-active-exploit-for-7-weeks/

      Some saying the key only exists if Office is installed or specific versions of Office even though the software is present on the system. I have never had any version of Office installed so maybe that’s why.

    • #2450535

      Would disabling the Windows Search service be enough by itself to stop the search exploit?

      Or would the registry key still need to be removed as well?

      • #2450540

        Just tested this and, according to the info shown on the Bleeping Computer site on how to test this vulnerability, neither one on its own nor both together actually stop it from happening!

        (i.e., search-ms:query=proc&crumb=location:??? still pops up an Explorer window showing the search results.)


      • #2450814

        Moonbeam, I disabled Win search when Win 10 was introduced. The registry key was removed.

        Peace, CAS

    • #2450574

      Anon 2 here. Win 10 Pro, 21H2, GP edits as per this site, wushowhide. It appears from the Bleeping article that it impacts opening any doc saved as .word or .rtf. I use LibreOffice (no Office here). I must search, open & work on saved-as-.word docs.

      And the above replies suggest that neither GPO nor reg “fix” work. And mess with wushowhide. So what to do?

      Note: the 2nd ‘comment’ in the Bleeping article suggests a PC running a ‘local admin’ acct is even more susceptible. My PC is set up as Local only. I have both local Admin and use a User account, except when installing programs.

      I post this for others’ further ref on this topic https://nakedsecurity.sophos.com/2022/05/31/mysterious-follina-zero-day-hole-in-office-what-to-do/

      No experience with 0patch. If I download and install, how do I select & have it patch only this, or does it do all their patches? Can they be undone, and the program deleted after M/S gets it sorted, without affecting o/s integrity? Any latest direction on steps?

    • #2450590

      Further fodder for the coffers (you are prob atop of this):

      ‘search-ms’: Remember that remote filenames aren’t as obvious as web links. “We won’t be surprised if other proprietary Windows URLs make the cybersecurity news over the next few days or weeks, pressed into service for devious or even directly destructive purposes by cybercriminals, or simply just uncovered by researchers trying to push the limits of the system as it stands.” https://nakedsecurity.sophos.com/2022/06/02/yet-another-zero-day-sort-of-in-windows-search-url-handling/

      No ‘panic’, but what to do?


      • #2450592

        First off understand that this is a “get more rights” type of attack that will be more targeted than used in widespread attacks. I would use the ASR rules

        “If utilizing Microsoft Defender’s Attack Surface Reduction (ASR) rules in your environment, activating the rule “Block all Office applications from creating child processes” in Block mode will prevent this from being exploited.”

        Susan Bradley Patch Lady

        • #2450624

          First off understand that this is a “get more rights” type of attack that will be more targeted than used in widespread attacks. I would use the ASR rules…

          Hi Susan:

          I have a Win 10 Pro v21H2 OS and MS Office 2019 Home and Business C2R. Is the method described in your CSO article How to Use Windows Defender Attack Surface Reduction Rules the appropriate way to enable the “Block Office application from creating child processes” rule on my system, namely:

          • Open the Local Group Policy Editor [open a Run dialog box (Windows key + R) and enter gpedit.msc]
          • Go to Computer Configuration | Administrative Templates | Windows Components | Microsoft Defender Antivirus | Microsoft Defender Exploit Guard [or Windows Defender Exploit Guard (old name)] | Attack Surface Reduction
          • Double-click on Configure Attack Surface Reduction Rules in right pane and change “Not Configured” to “Enabled”
          • Under Options, click the Show… button beside “Set the state for each ASR rule”.
          • Enter D4F940AB-401B-4EFC-AADC-AD5F3C50688A for the GUID and set the Value to “1” to block.

          [Screenshot: Win 10 Pro v21H2 Group Policy Editor, Attack Surface Reduction Rules, 03 Jun 2022]

          Is there a simpler way to do this with Win 10 Pro (e.g., from Windows Security | App & Browser Control | Exploit Protection | Exploit Protection Settings | System Settings) that I haven’t figured out yet? If not, is creating this “Block Office application from creating child processes” ASR rule enough to block the MSDT “Follina” vulnerability until Microsoft releases a patch, or is the registry edit in Guidance for CVE-2022-30190 Microsoft Support Diagnostic Tool Vulnerability still recommended?

          I recall you discussing this Advanced Surface Reduction (ASR) rule several months ago in a previous AskWoody article or newsletter but couldn’t find it today and just happened to stumble across your CSO article during a Google search.
          ———–
          Dell Inspiron 5584 * 64-bit Win 10 Pro v21H2 build 19044.1706 * Firefox v101.0.0 * Microsoft Defender v4.18.2203.5-1.1.19200.5 * Malwarebytes Premium v4.5.9.198-1.0.1689 * MS Office 2019 Home and Business Version 2205 (Build 15225.20204 Click-to-Run)
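The gpedit.msc steps listed above have a PowerShell equivalent through the Defender cmdlets, which also lets you verify the precondition raised later in the thread (Defender must be the active antivirus, or ASR rules are not enforced). This is an added example, not code from the thread or from the CSO article; the function names are mine, the rule GUID is the one quoted above, and it assumes an elevated PowerShell on Windows 10/11 with Microsoft Defender installed.

```powershell
# Added example (not from the thread or the CSO article): enable and verify the
# ASR rule "Block all Office applications from creating child processes" from
# PowerShell instead of gpedit.msc. Run elevated on Windows 10/11 with Defender.

$OfficeChildProcRule = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'   # GUID quoted in the thread

function Test-DefenderActive {
    # With a third-party AV installed, Defender drops to passive mode and ASR
    # rules are not enforced (the point made in #2450717). AMRunningMode is
    # 'Normal' when Defender is the primary AV; on old builds that lack the
    # property the check falls back to AntivirusEnabled alone.
    $s = Get-MpComputerStatus
    if ($null -eq $s.AMRunningMode) { return [bool]$s.AntivirusEnabled }
    return ($s.AntivirusEnabled -and $s.AMRunningMode -eq 'Normal')
}

function Get-AsrRuleState {
    # Returns the configured action for one rule GUID. The two arrays in
    # Get-MpPreference are parallel: Ids[i] is governed by Actions[i].
    param([string]$RuleId)
    $p   = Get-MpPreference
    $ids = @($p.AttackSurfaceReductionRules_Ids)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $RuleId) {
            switch ([int]$p.AttackSurfaceReductionRules_Actions[$i]) {
                0       { return 'Disabled' }
                1       { return 'Block' }
                2       { return 'Audit' }
                6       { return 'Warn' }
                default { return "Unknown ($_)" }
            }
        }
    }
    return 'Not configured'
}

function Enable-OfficeChildProcRule {
    # 'Enabled' is Block mode (value 1 in the gpedit steps above). Start with
    # AuditMode on a machine whose Office add-ins you have not inventoried yet;
    # audit events land in the Defender operational event log without blocking.
    param([ValidateSet('Enabled', 'AuditMode', 'Warn')][string]$Mode = 'Enabled')
    if (-not (Test-DefenderActive)) {
        Write-Warning 'Microsoft Defender is not the active AV; the ASR rule would not be enforced.'
        return (Get-AsrRuleState -RuleId $OfficeChildProcRule)
    }
    Add-MpPreference -AttackSurfaceReductionRules_Ids $OfficeChildProcRule `
                     -AttackSurfaceReductionRules_Actions $Mode
    return (Get-AsrRuleState -RuleId $OfficeChildProcRule)
}

"Defender active : $(Test-DefenderActive)"
"Rule state now  : $(Get-AsrRuleState -RuleId $OfficeChildProcRule)"
# Enable-OfficeChildProcRule -Mode AuditMode   # then re-run with -Mode Enabled to block
```

A rule configured through gpedit.msc is reported the same way by Get-AsrRuleState, so this is also a quick check that the Group Policy steps above took effect.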

    • #2450597

      Just disable “Troubleshooting wizards” by GPO
      Execute the command “reg delete HKEY_CLASSES_ROOT\search-ms /f”.

      What next to disable / delete? Windows OS? /s

    • #2450628

      So is using the command “reg delete HKEY_CLASSES_ROOT\ms-msdt /f” still the best advice?

      FMI, what is the purpose of the “/f” at the end of the command?

      I assume you could also enter the registry and manually delete the key?

      Windows 10 Pro x64 v22H2 and Windows 7 Pro SP1 x64 (RIP)
    • #2450685

      So is using the command “reg delete HKEY_CLASSES_ROOT\ms-msdt /f” still the best advice?

      FMI, what is the purpose of the “/f” at the end of the command?

      I assume you could also enter the registry and manually delete the key?

      No.

      The best advice is to install 0Patch fix and retain ms-msdt / troubleshooting.

      https://www.askwoody.com/forums/topic/zero-day-in-office-but-dont-panic/#post-2450308

      3 users thanked author for this post.
      • #2450700

        Do you know if the free version will work on Win 10 Pro 21H2 with GP edits, i.e. WU set to “2”, and other GP stgs etc, wushowhide? Do you install via local admin acct or user? If thru admin, does that account have to be constantly logged in? Like you, I use LibreOffice, and use another non-Defender a/v. Pls advise, thank you.

      • #2450750

        0patch Pro has been turning out micropatches daily for Follina.

        1 user thanked author for this post.
    • #2450716

      I am confused. I don’t have the background knowledge to fill in the blanks about how these attacks work.

      Is this blog alert talking about two separate vulnerabilities that have no relationship to one another, i.e.,
      a) remote code execution (RCE) vulnerability—CVE-2022-30190, known as “Follina”—affecting the Microsoft Support Diagnostic Tool (MSDT) in Windows.
      b) the abuse of URI (whatever that is) for search

      Or are they related? If they are related, is there one fix for one of them and another fix for the other one? Or is there one fix for both of them?

      As for a) and “Troubleshooting wizards”, I often use a Troubleshooting wizard to diagnose my network connections when synchronizing my two machines via private network. Sometimes I think they are connected, but they aren’t, so this wizard diagnoses and fixes the problem. It looks like the “Troubleshooting wizards” solution is out for me, if I want to continue to be able to let a Troubleshooter diagnose and fix this network problem that occasionally occurs.

      I use WUSHOWHIDE (and @Alex5723, I don’t really want to figure out how to use WUMgr) and if I read the comments here, one of the fixes {either the GPO fix for a) or the fix for b)} prevents WUSHOWHIDE from working. I am not sure which of the vulnerabilities involves WUSHOWHIDE and if it is a), then do I understand that the GPO fix will interfere with WUSHOWHIDE, but the registry fix for a) will not?? And that the registry fix will also not interfere with “Troubleshooting wizards”?

      b’s suggestion to use the Microsoft Defender Attack Surface Defender rule “Block Office applications from creating child processes” recommended by Susan for all Office users at October 11, 2021 Issue 18.39 won’t work for me, because as Susan says there, “You must also use Microsoft Defender as your default antivirus, because third-party antivirus solutions disable Defender — which in turn prevents ASR from being used.” I don’t use Defender as my default anti-virus, although at Settings | Update & Security | Windows Security | Virus & threat protection | Microsoft Defender Antivirus options, I have periodic scanning turned on and Microsoft Defender delivers updates to the WU queue periodically (at least twice, sometimes 3 times a day), after which I download and install them (I have GP-2 download/install). So, I don’t really know if using the MS Defender Attack Surface Defender rule will work or not? Anybody want to weigh in on this aspect of using the ASR rule?

      Does the vulnerability (not sure if only one or the other or both would apply here) affect a user if the only Word files opened are ones created and opened on one’s device (i.e., the Word documents are all in-house, i.e., not downloaded from some other source, other than being synchronized on both of my devices, which involves copying from one device to the other)? And, if those in-house Word files are never located via a search, what about that? I might search for the folder they are in or use a link to a folder, but I never search for the file itself (and open it) because I have no filename ‘on the tip of my tongue’ to search for [the name has escaped me]).

      • #2450717

        b’s suggestion to use the Microsoft Defender Attack Surface Defender rule “Block Office applications from creating child processes” recommended by Susan for all Office users at October 11, 2021 Issue 18.39 won’t work for me, because as Susan says there, “You must also use Microsoft Defender as your default antivirus, because third-party antivirus solutions disable Defender — which in turn prevents ASR from being used.” I don’t use Defender as my default anti-virus, although at Settings | Update & Security | Windows Security | Virus & threat protection | Microsoft Defender Antivirus options, I have periodic scanning turned on and Microsoft Defender delivers updates to the WU queue periodically (at least twice, sometimes 3 times a day), after which I download and install them (I have GP-2 download/install). So, I don’t really know if using the MS Defender Attack Surface Defender rule will work or not? Anybody want to weigh in on this aspect of using the ASR rule?

        Susan included “default” for good reason. Periodic scanning does not suffice for this purpose.

        Windows 11 Pro version 22H2 build 22621.1778 + Microsoft 365 + Edge

        1 user thanked author for this post.
    • #2450755

      Do you know if the free version will work on Win 10 Pro 21H2 with GP edits, i.e. WU set to “2”, and other GP stgs etc

      0Patch disregards your GP settings.

    • #2450775

      Is this blog alert talking about two separate vulnerabilities that have no relationship to one another

      Yes. One is via Word / RTF docs, the other is via search. There are separate workarounds / patches for each.

      cheers, Paul

      2 users thanked author for this post.
    • #2452575

      Just received the AskWoody Plus email about the typo of “ms-search” and the corrected “search-ms”. I ran the erroneous command “reg delete HKEY_CLASSES_ROOT\ms-search /f” and it completed without notification. Did that command actually delete something in the registry? If so, how to reverse that? (The .reg file provided to reverse things has “search-ms” rather than “ms-search”.)

      Win10 Pro x64 22H2, Win10 Home 22H2, Linux Mint + a cat with 'tortitude'.

    • #2452616

      I have Office 2010. Is there anything I should do with respect to this vulnerability in view of the fact that Office 2010 is an older version of Office?

      P.S: I realize that Office 2010 is no longer receiving any updates from Microsoft, but I am signed up for 0patch coverage for Office 2010.

      • #2452645

        Yes, the issue is with Windows, so all Office versions are affected.

        Your AV should have updates to catch these documents, but there is a risk that a preview might occur before your AV has scanned the file.
        If you don’t open/preview unknown/unexpected documents then you can’t be affected.

        cheers, Paul

        1 user thanked author for this post.
        • #2452937

          Paul T: Thanks for your response. I’m wondering do I need to even worry about this vulnerability in view of the fact that this seems to apply only to large enterprises (and I am not a large enterprise)? (See posting from Susan Bradley dated June 3rd which says “First off this threat is really more for large targeted enterprises. It’s not an attack sequence being used against standalone machines. Next if you ARE a large enterprise, then you should be doing several Attack surface reduction rules now like this “block office from ….”).

          I will appreciate any response you can provide.


          • #2452994

            Any issue where opening a document triggers an infection is bad, m’kay.

            MS will patch this and your AV will catch anything that does slip through, so you do not need to worry about being affected.

            cheers, Paul

            1 user thanked author for this post.
    • #2457112

      If the registry edit workarounds were employed must the deleted data be restored to the registry before running the June 2022 updates now that the Defcon level has been changed to 3?
