Yesterday we wrote about a zero-day vulnerability called Follina which allows for remote code execution on a victim’s computer. While the flow — tracked as CVE-2022-30190 — has been described as an Office vulnerability, it is really the result of a security issue with a component of Windows.
A problem exists in the Microsoft Windows Support Diagnostic Tool (MSDT) which is found in all supported versions of Windows, including Windows 11. The vulnerability has been billed as an Office vulnerability as using a malicious Word file is one of the easiest attack vectors to exploit the flaw. But what is worrying about the vulnerability, apart from the fact that Microsoft has not fixed it yet, is that the company was made aware of the fact that it was being actively exploited way back on April 12.
While Microsoft has provided a workaround to help protect against the vulnerability (disabling the MSDT URL protocol), it is not clear why the company has yet to produce a patch, nor why it took around seven weeks to acknowledge that the problem even exists.
It was the security team Shadow Chaser Group that contacted Microsoft about the vulnerability in mid-April, informing the company that it was being actively exploited in the wild. Over a week later, Microsoft responded saying that it did not believe it to be a security issue:
As you can see from the tweet, the reason for dismissing the “security flaw” was that the Microsoft Windows Support Diagnostic Tool requires a password.
But the company changed its mind quite dramatically, later saying that it was indeed a critical vulnerability (CVE-2022-30190).
Security researcher Kevin Beaumont investigated the vulnerability and found that a malicious Word document could be used to grab a remote HTML file and then use the MSProtocol URI scheme to execute potentially damaging and dangerous PowerShell commands.
Although Microsoft has provided details of a fairly non-disruptive workaround, questions remain. Why did it take so long to recognise that this really was a security issue, despite clear evidence of active exploitation? More importantly, given how much time has passed, how has Microsoft still not been able to produce a proper fix for the issue? Given that it affects all supported versions of Windows, the potential impact is colossal.
Image credit: Eric Glenn / Shutterstock