On Monday May 30, 2022, Microsoft issued CVE-2022-30190 regarding a vulnerability in the Microsoft Support Diagnostic Tool (MSDT) in Windows. On Tuesday June 14, 2022, Microsoft issued Windows updates to address this vulnerability. Microsoft recommends installing the updates as soon as possible.
A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word. An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights.
To disable the MSDT URL Protocol
Disabling the MSDT URL protocol prevents troubleshooters from being launched as links, including links throughout the operating system. Troubleshooters can still be accessed using the Get Help application and in system settings as other or additional troubleshooters. Follow these steps to disable it:
- Run Command Prompt as Administrator.
- To back up the registry key, execute the command “reg export HKEY_CLASSES_ROOT\ms-msdt filename”
- Execute the command “reg delete HKEY_CLASSES_ROOT\ms-msdt /f”.
How to undo the workaround
- Run Command Prompt as Administrator.
- To restore the registry key, execute the command “reg import filename”
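The disable and undo steps above, wrapped in one script that refuses to delete the key unless the backup was written, shown as an added example that is not Microsoft's own tooling. The script parameters `$BackupPath` and `-Restore` and the default backup location are assumptions; the `reg` commands are the ones given in the steps.

```powershell
# Added example, not Microsoft's script. The default $BackupPath is an assumption.
param(
    [string]$BackupPath = "$env:SystemDrive\ms-msdt-backup.reg",
    [switch]$Restore   # undo the workaround from the backup file
)

$key = 'HKEY_CLASSES_ROOT\ms-msdt'

# Both the delete and the import steps are run as Administrator in the advisory.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated (Administrator) session.'
}

if ($Restore) {
    if (-not (Test-Path -LiteralPath $BackupPath)) { throw "Backup not found: $BackupPath" }
    & reg.exe import $BackupPath 2>&1 | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg import failed with exit code $LASTEXITCODE." }
    Write-Output "Restored $key from $BackupPath"
    return
}

# reg query exits non-zero when the key does not exist, so there is nothing to do.
& reg.exe query $key 2>&1 | Out-Null
if ($LASTEXITCODE -ne 0) {
    Write-Output "$key is not present; nothing to remove."
    return
}

# Refuse to overwrite an earlier backup; it may be the only good copy.
if (Test-Path -LiteralPath $BackupPath) { throw "Backup already exists: $BackupPath" }

& reg.exe export $key $BackupPath 2>&1 | Out-Null
$exportCode = $LASTEXITCODE
$backup = Get-Item -LiteralPath $BackupPath -ErrorAction SilentlyContinue
if ($exportCode -ne 0 -or -not $backup -or $backup.Length -eq 0) {
    throw 'Backup failed; the key was NOT deleted.'
}

& reg.exe delete $key /f 2>&1 | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg delete failed with exit code $LASTEXITCODE." }

# Confirm the handler is really gone before reporting success.
& reg.exe query $key 2>&1 | Out-Null
if ($LASTEXITCODE -eq 0) { throw "$key is still present after delete." }
Write-Output "Removed $key (backup: $BackupPath)"
```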
Microsoft Defender Detections & Protections
Microsoft Defender Antivirus (MDAV)
Microsoft Defender Antivirus provides detections and protections for possible vulnerability exploitation under the following signatures using detection build 1.367.851.0 or higher:
- Trojan:Win32/Mesdetty.A (blocks msdt command line)
- Trojan:Win32/Mesdetty.B (blocks msdt command line)
- Behavior:Win32/MesdettyLaunch.A!blk (terminates the process that launched msdt command line)
- Trojan:Win32/MesdettyScript.A (to detect HTML files that contain msdt suspicious command being dropped)
- Trojan:Win32/MesdettyScript.B (to detect HTML files that contain msdt suspicious command being dropped)
Customers with Microsoft Defender Antivirus (MDAV) should turn on cloud-delivered protection and automatic sample submission. These capabilities use artificial intelligence and machine learning to quickly identify and stop new and unknown threats.
Microsoft Defender for Endpoint (MDE)
Microsoft Defender for Endpoint provides customers detections and alerts. The following alert titles in the Microsoft 365 Defender portal can indicate threat activity on your network:
- Suspicious behavior by an Office application
- Suspicious behavior by Msdt.exe
Customers of Microsoft Defender for Endpoint (MDE) can enable attack surface reduction rule “Block all Office applications from creating child processes” GUID: d4f940ab-401b-4efc-aadc-ad5f3c50688a that blocks Office apps from creating child processes. Creating malicious child processes is a common malware strategy. For more information see ASR rule Block all Office applications from creating child processes.
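A read-only check of the Defender settings named in this section (detection build, cloud-delivered protection, automatic sample submission, and the ASR rule), as an added example that is not part of the original guidance. It assumes the built-in Defender PowerShell module is available on the endpoint; the variable names are illustrative.

```powershell
# Added example: report whether this endpoint meets the Defender settings
# described above. Reads configuration only; changes nothing.
$minBuild = [version]'1.367.851.0'                    # detection build from the advisory
$asrId    = 'd4f940ab-401b-4efc-aadc-ad5f3c50688a'    # ASR rule GUID from the advisory

$status = Get-MpComputerStatus
$pref   = Get-MpPreference

# ASR rule ids and actions are stored as two parallel arrays.
$asrState = 'Not configured'
$names    = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
$ids      = @($pref.AttackSurfaceReductionRules_Ids)
$actions  = @($pref.AttackSurfaceReductionRules_Actions)
for ($i = 0; $i -lt $ids.Count; $i++) {
    if ($ids[$i] -eq $asrId) {
        $code     = [int]$actions[$i]
        $asrState = if ($names.ContainsKey($code)) { $names[$code] } else { "Unknown ($code)" }
    }
}

[pscustomobject]@{
    SignatureVersion   = $status.AntivirusSignatureVersion
    SignatureBuildOk   = ([version]$status.AntivirusSignatureVersion -ge $minBuild)
    # MAPSReporting: 0 = disabled, 1 = basic, 2 = advanced
    CloudProtectionOn  = ($pref.MAPSReporting -ne 0)
    # SubmitSamplesConsent: 1 = send safe samples, 3 = send all samples (both automatic)
    AutoSampleSubmitOn = ($pref.SubmitSamplesConsent -in 1, 3)
    OfficeChildProcAsr = $asrState
}

# To turn the rule on locally (fleets normally do this through Intune or GPO):
# Add-MpPreference -AttackSurfaceReductionRules_Ids $asrId -AttackSurfaceReductionRules_Actions Enabled
```

An `OfficeChildProcAsr` value of `Audit` means the rule only logs Office child processes and does not block them.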
Microsoft Defender for Office 365 (MDO)
Microsoft Defender for Office 365 provides detections and protection for emails containing malicious documents or URLs used to exploit this vulnerability:
Q: Does Protected View and Application Guard for Office provide protection from this vulnerability?
A: If the calling application is a Microsoft Office application, by default, Microsoft Office opens documents from the internet in Protected View or Application Guard for Office, both of which prevent the current attack.
- For information about Protected View, see What is Protected View?
- For information about Application Guard for Office, see Application Guard for Office.
Q: Is configuring the GPO setting Computer Configuration\Administrative Templates\System\Troubleshooting and Diagnostics\Microsoft Support Diagnostic Tool\“Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider” to “Disabled” another workaround?
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy\
Value Name: DisableQueryRemoteServer
A: No, this GPO does not provide protection against this vulnerability. “Interactive communication with support provider” is a special mode MSDT runs in when launched with no parameters, which has no impact on MSDT support for the URL protocol.
Q: Is configuring the GPO setting Computer Configuration – Administrative Templates – System – Troubleshooting and Diagnostics – Microsoft Support Diagnostic Tool\“Troubleshooting: Allow users to access recommended troubleshooting for known problems” to “Disabled” another workaround?
A: No, enabling or disabling this group policy has no effect on the vulnerable part of Troubleshooter functionality, so it is not a viable workaround.
Q: Is blocking MSDT using technologies such as Windows Defender Application Control (WDAC) equivalent to removing MSDT handler “HKEY_CLASSES_ROOT\ms-msdt” a viable workaround?
A: Blocking MSDT will prevent all MSDT-based Windows Troubleshooters from launching, such as the Network Troubleshooter, and the Printer Troubleshooter. The recommended workaround disables support for clicking on MSDT links and users can continue to use the familiar Windows Troubleshooters.
Q: What Windows versions require the workaround?
A: The MSDT URL protocol is available in Windows Server 2019 & Windows 10 version 1809 and later supported versions of Windows. The registry key mentioned in the workaround section will not exist in earlier supported versions of Windows, so the workaround is not required.
We will update CVE-2022-30190 with further information.
The MSRC Team
06/06/2022 – Added more FAQs.
06/07/2022 – Added one more question and answer.
06/07/2022 – Added additional detection information.
06/14/2022 – Announced updates that address the vulnerability.