Background
On May 27, 2022, nao_sec found a malicious Word document submitted to VirusTotal from a Belarus IP address. The document abused the MS-MSDT URI scheme to execute PowerShell within the context of Word, bypassing local Office macro policies. Microsoft has since released protection guidance and assigned CVE-2022-30190 to this vulnerability.
What is the issue?
Malicious Word documents can use the remote template feature to fetch an HTML file from a remote server, and that HTML can then use Microsoft's MS-MSDT URI protocol scheme to load additional code and execute PowerShell.
For most malicious Office documents, users have to be convinced to click through two separate prompts:
To exploit this vulnerability, the attacker only needs the user to open the Office document. If an RTF file is used, the same vulnerability can be triggered when the user merely previews the RTF file in the Windows Explorer preview pane.
According to Microsoft, “A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word. An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights”.
What systems are impacted?
This vulnerability impacts all client and server platforms running the following versions of Windows operating systems.
What can you do to protect yourself?
You can block exploit attempts for CVE-2022-30190 by disabling the MSDT URL protocol, which threat actors abuse to launch troubleshooters and execute code on vulnerable systems. You are also advised to disable the Preview pane in Windows Explorer so that the exploit is not triggered when a malicious document is previewed.
To disable the MSDT URL Protocol
Disabling the MSDT URL protocol prevents troubleshooters from being launched as links, including links throughout the operating system. Troubleshooters can still be accessed using the Get Help application and in system settings as other or additional troubleshooters. Follow these steps to disable it:
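The workaround above can be scripted so the registry key is backed up before it is removed and the change can be reverted later. The following PowerShell is an added example, not part of the original post or Zscaler's own tooling; it follows the public Microsoft guidance of exporting and then deleting HKEY_CLASSES_ROOT\ms-msdt, and the backup path under ProgramData is an assumption chosen for the example. It must be run from an elevated (Administrator) session.

```powershell
# Added example (not from the original post): back up and remove the ms-msdt
# URL protocol handler registration, check its state, and restore it from the
# backup. Run from an elevated (Administrator) PowerShell session.

$MsdtKey    = 'HKEY_CLASSES_ROOT\ms-msdt'
$BackupFile = Join-Path $env:ProgramData 'ms-msdt-backup.reg'   # assumed location

function Test-MsdtUrlProtocol {
    # Returns $true while the ms-msdt: protocol handler is still registered,
    # i.e. while the system is still exposed to the URL-protocol trigger.
    return Test-Path -Path 'Registry::HKEY_CLASSES_ROOT\ms-msdt'
}

function Disable-MsdtUrlProtocol {
    if (-not (Test-MsdtUrlProtocol)) {
        Write-Host 'ms-msdt protocol handler is already absent; nothing to do.'
        return
    }
    # Export the key first so the workaround can be undone later.
    & reg.exe export $MsdtKey $BackupFile /y
    if ($LASTEXITCODE -ne 0) { throw "Backup of $MsdtKey failed; aborting." }
    # Remove the handler registration so ms-msdt: links no longer launch MSDT.
    & reg.exe delete $MsdtKey /f
    if ($LASTEXITCODE -ne 0) { throw "Deletion of $MsdtKey failed." }
    Write-Host "ms-msdt protocol disabled; backup saved to $BackupFile"
}

function Restore-MsdtUrlProtocol {
    # Undo the workaround by importing the backup taken by Disable-MsdtUrlProtocol.
    if (-not (Test-Path -Path $BackupFile)) {
        throw "Backup file $BackupFile not found; cannot restore."
    }
    & reg.exe import $BackupFile
    if ($LASTEXITCODE -ne 0) { throw "Import of $BackupFile failed." }
    Write-Host 'ms-msdt protocol handler restored.'
}

# Usage: run one of the following in the elevated session.
#   Disable-MsdtUrlProtocol
#   Test-MsdtUrlProtocol      # expected to return $false after disabling
#   Restore-MsdtUrlProtocol
```

Test-MsdtUrlProtocol can also be run on its own across a fleet to confirm that the workaround is in place before the patch is deployed.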
How to undo the workaround
Zscaler coverage
Advanced Threat Protection
Advanced Cloud Sandbox
Zscaler Advanced Cloud Sandbox is able to classify and detect Word documents exploiting CVE-2022-30190 as malicious.
Our Cloud Sandbox Report for a Word document exploiting CVE-2022-30190 can be seen in Figure 1.
Figure 1: Sandbox Report for a DOCX file carrying the CVE-2022-30190 exploit
Details related to the threat signatures released by Zscaler can be found in the Zscaler Threat Library.