
RCE Vulnerability in Microsoft Windows Support Diagnostic Tool

01 June, 2022

A high-severity remote code execution (RCE) vulnerability, tracked as CVE-2022-30190 and nicknamed "Follina", has been identified in the Microsoft Support Diagnostic Tool (MSDT, msdt.exe), a component of Microsoft Windows. In the observed attacks a Word document loads a remote HTML template that invokes the ms-msdt: URL protocol handler, which starts msdt.exe with attacker-controlled parameters; the document does not need macros enabled. As of this notice there is no patch. Microsoft's interim workaround is to disable the protocol handler so that the ms-msdt: link has nothing to launch.

The workaround is to back up and then delete the registry key "HKEY_CLASSES_ROOT\ms-msdt" (for example, `reg export HKEY_CLASSES_ROOT\ms-msdt msdt-backup.reg` followed by `reg delete HKEY_CLASSES_ROOT\ms-msdt /f` from an elevated command prompt). Keep the backup: once a patch is released, the handler can be restored with `reg import msdt-backup.reg`. While the key is removed, troubleshooters opened through ms-msdt: links will not start; they remain reachable through the Get Help app and Settings.

Please refer to the URLs below for more details:

Reference Articles

Sophos - https://news.sophos.com/en-us/2022/05/30/malicious-word-doc-taps-previously-unknown-microsoft-office-vulnerability/

Microsoft (MSRC update guide) - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30190

Microsoft (MSRC guidance blog) - https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/

DoublePulsar - https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e

Recommended Action

We've written a script that checks whether the registry key "HKEY_CLASSES_ROOT\ms-msdt" exists, exports a backup of it, and then deletes it. We recommend running it on all machines in your environment over the next few days. The change applies to any process that resolves ms-msdt: from that point on, so it can be rolled out within the hour without a reboot; machines will also carry the setting through their next patch reboot.

We have created two procedures. "Reg Backup and Delete - MSDT URL Protocol" checks whether the key exists, backs it up, deletes it, and writes the result to the custom field. The second procedure is the same with a reboot step added at the end, for sites that prefer to restart machines after the change.

Once a machine is remediated, the script records the details in the custom field.

If antivirus blocks the script from running, the custom field is set to "Log Missing" instead. The script, its log, the registry backup, and the report are kept on each machine at our standard logging location.
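The following PowerShell script is an added example of the identify, back up, delete, and record steps described above. It is not the procedure shipped with this notice; the log directory, the result strings, and the result file that stands in for the RMM custom-field update are assumptions, and the final check of the per-user Classes hive is an extra step beyond the procedure. Run it from an elevated session.

```powershell
# Added example (not the page's own procedure): back up and remove the
# ms-msdt URL protocol handler, Microsoft's documented workaround for
# CVE-2022-30190. Paths, status strings and the result-file stand-in for
# the RMM custom field are assumptions. Run elevated.

$ProtocolKey = 'HKEY_CLASSES_ROOT\ms-msdt'
$LogDir      = Join-Path $env:ProgramData 'SecOps\CVE-2022-30190'   # assumed log location
$BackupFile  = Join-Path $LogDir 'ms-msdt.reg'
$LogFile     = Join-Path $LogDir 'remediation.log'
$ResultFile  = Join-Path $LogDir 'result.txt'   # one-line status an RMM can read into a custom field

function Write-Log {
    param([string]$Message)
    $line = '{0:u} {1}' -f (Get-Date), $Message
    Add-Content -Path $LogFile -Value $line
    Write-Output $line
}

function Set-Result {
    # Stand-in for the RMM custom-field update: record a one-line status.
    param([string]$Status)
    Set-Content -Path $ResultFile -Value $Status
    Write-Log "Result: $Status"
}

New-Item -ItemType Directory -Path $LogDir -Force | Out-Null

# HKCR writes need administrator rights; refuse to continue otherwise.
$principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    Set-Result 'Failed - not elevated'
    exit 2
}

# 1. Identify: does the protocol handler key exist at all?
if (-not (Test-Path "Registry::$ProtocolKey")) {
    Set-Result 'Not present - nothing to remove'
    exit 0
}

# 2. Back up before touching anything; abort if the export did not land.
& reg.exe export $ProtocolKey $BackupFile /y | Out-Null
if ($LASTEXITCODE -ne 0 -or -not (Test-Path $BackupFile)) {
    Set-Result 'Failed - backup not written, key left in place'
    exit 1
}
Write-Log "Backed up $ProtocolKey to $BackupFile (restore later with: reg import `"$BackupFile`")"

# 3. Delete the handler (Microsoft's workaround).
& reg.exe delete $ProtocolKey /f | Out-Null
if ($LASTEXITCODE -ne 0) {
    Set-Result 'Failed - reg delete returned non-zero'
    exit 1
}

# 4. Verify. HKCR is a merged view of HKLM\SOFTWARE\Classes and
#    HKCU\SOFTWARE\Classes, so also confirm no per-user copy of the key
#    would still resolve ms-msdt: (extra check, not in the page's procedure).
$stillPresent = @(
    "Registry::$ProtocolKey",
    'Registry::HKEY_CURRENT_USER\SOFTWARE\Classes\ms-msdt'
) | Where-Object { Test-Path $_ }

if ($stillPresent) {
    Set-Result ('Failed - handler still registered at: ' + ($stillPresent -join '; '))
    exit 1
}
Set-Result 'Remediated - ms-msdt handler removed, backup retained'
exit 0
```

The script never deletes without a verified backup, and it reports a distinct status for each failure mode so the custom field tells you which step to look at. Note that when an RMM runs it as SYSTEM, the HKEY_CURRENT_USER check covers only the SYSTEM account's hive; a handler registered under an interactive user's HKCU\SOFTWARE\Classes would need a separate per-user check.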

Known Issues

No Issues were Reported.