A Zero-Day vulnerability in all supported versions of Windows has been actively exploited by threat actors for over a month, according to researchers for ArsTechnica.
On April 12, the Shadow Chaser Group shared on Twitter that it had reported the Microsoft Support Diagnostic Tool (MSDT) vulnerability to Microsoft as a Zero-Day that was already being exploited in the wild. Microsoft later informed the group that the Microsoft Security Response Center did not consider the reported exploit a security vulnerability, because the diagnostic tool required a password before executing a payload.
However, Microsoft reversed course earlier this week, confirming that CVE-2022-30190 is a critical vulnerability after all. Microsoft's advisory reads:
"A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word. An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user's rights."
Now, Microsoft is offering a free unofficial patch to block ongoing attacks targeting the vulnerability, which Microsoft also refers to as "Follina."
Security researchers report that threat actors who successfully exploit Follina can run arbitrary code and install programs, view, change, or delete data, as well as create new Windows accounts.
Microsoft has not yet issued security updates to address this Zero-Day, but it has shared mitigation techniques to block attacks by disabling the MSDT URL protocol that malicious actors use to execute code on vulnerable systems.
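Microsoft's published workaround is to export the ms-msdt: protocol handler key from the registry and then delete it. The following PowerShell is an added example of that workaround with a backup and a verification step; it is not Microsoft's own script, and the backup directory under ProgramData is an assumed location.

```powershell
# Added example (not Microsoft's or 0patch's code): back up and remove the
# ms-msdt: URL protocol handler as a CVE-2022-30190 workaround, then verify.
# Run from an elevated PowerShell prompt. Assumes the handler lives at the
# default location HKEY_CLASSES_ROOT\ms-msdt.
#Requires -RunAsAdministrator

$KeyPath   = 'HKEY_CLASSES_ROOT\ms-msdt'
$BackupDir = Join-Path $env:ProgramData 'msdt-workaround'   # assumed location
$Backup    = Join-Path $BackupDir ('ms-msdt_{0:yyyyMMdd_HHmmss}.reg' -f (Get-Date))

function Test-MsdtHandler {
    # Returns $true while the ms-msdt: protocol handler is still registered.
    return Test-Path -Path 'Registry::HKEY_CLASSES_ROOT\ms-msdt'
}

function Disable-MsdtHandler {
    if (-not (Test-MsdtHandler)) {
        Write-Output 'ms-msdt handler not present; nothing to do.'
        return
    }
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

    # Export first so the handler can be restored once an official fix ships
    # (restore with: reg.exe import <backup file>).
    & reg.exe export $KeyPath $Backup /y | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "Backup to $Backup failed; handler left in place."
    }

    & reg.exe delete $KeyPath /f | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "Failed to delete $KeyPath; check the backup before retrying."
    }
    Write-Output "Handler removed. Backup saved to $Backup"
}

Disable-MsdtHandler

# Verification: the check below is also what an inventory script would run
# across a fleet to confirm the workaround is in place.
if (Test-MsdtHandler) {
    Write-Warning 'ms-msdt: handler is still registered.'
} else {
    Write-Output 'Verified: ms-msdt: URL protocol handler is not registered.'
}
```

Re-importing the saved .reg file restores the handler, which is the expected step once Microsoft's official update is installed.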
Bleeping Computer discusses the 0patch micropatching service, which could come in handy for this recent exploit:
"Instead of disabling the MSDT URL protocol handler (as advised by Microsoft), 0patch has added sanitization of the user-provided path (currently missing in the Windows script) to avoid rendering the Windows diagnostic wizardry inoperable across the OS for all applications.
'Note that it doesn't matter which version of Office you have installed, or if you have Office installed at all: the vulnerability could also be exploited through other attack vectors,' 0patch co-founder Mitja Kolsek said.
'That is why we also patched Windows 7, where the ms-msdt: URL handler is not registered at all.'
To deploy this micropatch on your Windows system (for free until Microsoft has issued an official fix), you must register a 0patch account and install the 0patch agent.
Once the agent is launched, it will automatically download and apply the patch unless local security policies prevent that."
Follow the SecureWorld News page for more cybersecurity-related stories.