
Microsoft issues warning about RCE exploit in its Windows diagnostic tool

PHPz
2023-04-15 09:10:02

If you have ever contacted Microsoft Support directly about certain issues in your Windows or Windows Server system, you may have been directed to use the Microsoft Support Diagnostic Tool (MSDT). You can open it by typing msdt in the Windows Run dialog (Win+R); it then asks for the passkey provided by your support representative. Once you enter it, you can run a set of diagnostics and send the results directly to Microsoft for further analysis.

Microsoft has now released an advisory regarding a remote code execution (RCE) vulnerability that exists in MSDT. The security flaw affects nearly all supported versions of Windows and Windows Server, including Windows 7, 8.1, 10, 11, Windows Server 2008, 2012, 2016, 2019, and 2022.

The issue in question is being tracked as CVE-2022-30190 and has a high severity rating. Microsoft has not elaborated on the details yet, possibly because the vulnerability has not been patched, but it explains that remote code execution can occur when MSDT is invoked through its ms-msdt: URL protocol handler from a calling application such as Microsoft Word.

An attacker who triggers this can run arbitrary code, and therefore view, delete, or change your files, with the privileges of the calling application. If MSDT is launched from a Microsoft Word instance running with administrator rights, for example, the attacker's code runs with those same administrator rights, which is obviously bad.

Until a patch is available, Microsoft recommends disabling the MSDT URL protocol handler with the following commands, run from an elevated Command Prompt:

  • Run Command Prompt as Administrator.
  • Back up the registry key first by executing "reg export HKEY_CLASSES_ROOT\ms-msdt filename" (where filename is the path of the .reg file to write).
  • Execute "reg delete HKEY_CLASSES_ROOT\ms-msdt /f" to remove the handler.

However, if you later decide that MSDT is important enough to your workflow to accept the risk, you can undo the workaround as follows:

  • Run Command Prompt as Administrator.
  • Re-import the registry key by executing "reg import filename", using the same file you exported in the backup step.
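The same workaround and its rollback as a PowerShell script, added here as an example and not taken from Microsoft's advisory or the original article. It assumes an elevated session, uses the same reg.exe export/import that the advisory describes, and adds the checks a practitioner wants: the backup file must exist before anything is deleted, and the ms-msdt handler is verified absent (or present again) after each step. The backup path is an assumption and can be changed.

```powershell
# Added example: back up, remove and restore the ms-msdt: URL protocol handler.
# Assumptions: elevated PowerShell session; $BackupFile is an arbitrary location.

$KeyPath    = 'Registry::HKEY_CLASSES_ROOT\ms-msdt'
$BackupFile = Join-Path $env:ProgramData 'ms-msdt-backup.reg'

function Test-MsdtHandler {
    # True while the ms-msdt: protocol handler is still registered.
    return (Test-Path -LiteralPath $KeyPath)
}

function Disable-MsdtHandler {
    if (-not (Test-MsdtHandler)) {
        Write-Host 'ms-msdt handler is already absent; nothing to do.'
        return
    }
    # Step 1: export the key so it can be restored later. reg.exe sets a
    # non-zero exit code on failure, so stop before deleting anything.
    & reg.exe export 'HKEY_CLASSES_ROOT\ms-msdt' $BackupFile /y | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path -LiteralPath $BackupFile)) {
        throw "Backup to $BackupFile failed; handler left in place."
    }
    # Step 2: remove the handler (same effect as 'reg delete HKEY_CLASSES_ROOT\ms-msdt /f').
    Remove-Item -LiteralPath $KeyPath -Recurse -Force
    # Step 3: confirm the workaround actually took effect.
    if (Test-MsdtHandler) { throw 'ms-msdt handler still present after deletion.' }
    Write-Host "ms-msdt handler removed; backup saved to $BackupFile"
}

function Restore-MsdtHandler {
    if (-not (Test-Path -LiteralPath $BackupFile)) {
        throw "No backup found at $BackupFile; cannot restore."
    }
    & reg.exe import $BackupFile | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-MsdtHandler)) {
        throw 'Import ran but the ms-msdt handler is still missing.'
    }
    Write-Host 'ms-msdt handler restored.'
}

# Usage:
#   Disable-MsdtHandler   # apply the workaround
#   Restore-MsdtHandler   # undo it later
```

Removing the key only detaches the ms-msdt: scheme from msdt.exe; the tool itself stays installed and can still be started from Run, so the workaround breaks the URL-based trigger without removing diagnostics entirely.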

For now, Microsoft is still working on a fix. It notes that the vulnerability is being actively exploited, so it is important to enable cloud-delivered protection and automatic sample submission in Microsoft Defender. Microsoft Defender for Endpoint customers should also enable the attack surface reduction (ASR) rule that blocks all Office applications from creating child processes, which stops Word from spawning msdt.exe in the first place.
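The Defender settings the advisory points to, applied and then verified with the Defender PowerShell cmdlets. This is an added example, not code from Microsoft or the original article. It assumes an elevated session on a machine where Microsoft Defender Antivirus is the active engine (the Mp* cmdlets fail otherwise), and that the rule ID below is the published ID of the "Block all Office applications from creating child processes" ASR rule.

```powershell
# Added example: turn on cloud protection, sample submission and the Office
# child-process ASR rule, then report whether each setting is actually in effect.
# Assumptions: elevated session; Defender AV active; rule ID is the published one.

$OfficeChildProcRule = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'

function Enable-FollinaMitigations {
    # Cloud-delivered protection and automatic sample submission.
    Set-MpPreference -MAPSReporting Advanced
    Set-MpPreference -SubmitSamplesConsent SendAllSamples
    # ASR rule: block Office apps (Word included) from spawning child processes.
    # Add-MpPreference merges with rules already configured instead of replacing them.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $OfficeChildProcRule `
                     -AttackSurfaceReductionRules_Actions Enabled
}

function Test-FollinaMitigations {
    # Read back the effective preferences; Get-MpPreference returns numeric codes.
    $p = Get-MpPreference
    $cloudOn   = ($p.MAPSReporting -eq 2)         # 2 = Advanced
    $samplesOn = ($p.SubmitSamplesConsent -eq 3)  # 3 = SendAllSamples

    # Rule IDs and actions are parallel arrays; find our rule and check it is in Block mode.
    $ruleOn  = $false
    $ids     = @($p.AttackSurfaceReductionRules_Ids)
    $actions = @($p.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -eq $OfficeChildProcRule) {   # -eq is case-insensitive for strings
            $ruleOn = ($actions[$i] -eq 1)         # 1 = Block (0 Disabled, 2 Audit, 6 Warn)
        }
    }

    [pscustomobject]@{
        CloudProtection        = $cloudOn
        SampleSubmission       = $samplesOn
        OfficeChildProcessRule = $ruleOn
        AllEnabled             = ($cloudOn -and $samplesOn -and $ruleOn)
    }
}

Enable-FollinaMitigations
Test-FollinaMitigations
```

If Test-FollinaMitigations reports the ASR rule as off right after enabling it, the usual cause is a group policy or MDM profile that manages ASR centrally and overrides local Set/Add-MpPreference changes; in that case the rule must be set through that management channel instead.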


Statement:
This article is reproduced from yundongfang.com. If there is any infringement, please contact admin@php.cn for removal.