June 3, 2022

Details on Microsoft Windows protocol handlers’ abuse publicly available

Since 27 May 2022, researchers have been publishing details on how Windows protocol handlers can be abused for malicious purposes by referencing specially crafted Uniform Resource Locators (URLs). These issues affect all client and server versions of the Windows operating system, and there is no fix available at the time of reporting. Microsoft’s advisory provides some mitigation measures to prevent the exploitation of vulnerable systems.

Details

MSDT

On 30 May 2022, Microsoft released an advisory for a Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution (RCE) vulnerability, tracked as CVE-2022-30190. Prior to this, several researchers published proof-of-concept code for remote execution, referring to the issue as “Follina”.

MSDT is a utility used to troubleshoot and collect diagnostic data for analysis by Microsoft Support. According to Microsoft’s documentation, MSDT “invokes a troubleshooting pack at the command line or as part of an automated script and enables additional options without user input.”

Threat actors have been leveraging the MS-MSDT scheme to remotely execute arbitrary code on systems running various versions of Windows. The flaw abuses a Microsoft Office remote template feature to retrieve a HyperText Markup Language (HTML) file, which then uses MSDT to execute PowerShell code.

This technique can potentially be used with any application supporting MS Protocols. Researchers noted that Office, Outlook, and .lnk files have already been used in exploitation. A malicious actor requires minimal victim interaction and can achieve code execution when a calling application (an email or a document) is opened. They can then install programs; view, change, or delete data; or create new accounts using the privileges of the calling application.

SEARCH-MS

On 1 June 2022, researchers reported another similar abuse method leveraging a URI protocol handler called SEARCH-MS, which is a Windows Saved Search file that enables applications and HTML links to search through the Windows operating system. The exploit combines a Microsoft Office OLEObject flaw with the protocol handler functionality issue to open a remote Search window simply by opening a Word document, leading to a Location Path Spoofing vulnerability.

By leveraging this method, a threat actor could force Windows Search to query file shares on remote hosts and use a custom title for the search window. When a user opens a Word document, it will automatically launch a SEARCH-MS command to open a Windows Search window. A threat actor could rename the executable, e.g. to “Security Update”, to lure a victim into inadvertently installing the malware, or include the SEARCH-MS URI in a phishing email. This second vulnerability is harder to exploit than the first one, as it requires more interaction from a victim user, who would have to open a document and click/run an executable.
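Both techniques described above begin with an Office document that loads content from outside its own package, so a useful triage step is to list a document's external relationship targets. The following is an added example, not code from the original advisory or from Microsoft; the function names, the review heuristic and the sample relationships (constructed, using example.test hosts) are assumptions.

```powershell
# Added example: triage an OOXML file (.docx/.xlsx/.pptx) for external relationship targets.
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Get-ExternalRelationship {
    # Parse the XML of one .rels part; emit relationships that point outside the package.
    param([Parameter(Mandatory)][string]$RelsXml, [string]$Part = '(inline)')
    foreach ($rel in ([xml]$RelsXml).Relationships.Relationship) {
        if ($rel.TargetMode -ne 'External') { continue }
        $kind = ($rel.Type -split '/')[-1]
        # Assumed heuristic: plain hyperlinks are common; remotely loaded objects or templates,
        # and targets that use the handlers named in this advisory, go to an analyst.
        $review = ($kind -in 'oleObject', 'attachedTemplate') -or ($rel.Target -match '^(ms-msdt|search-ms):')
        [pscustomobject]@{ Part = $Part; Kind = $kind; Target = $rel.Target; Review = $review }
    }
}

function Get-OoxmlExternalRelationship {
    # Open the document as a ZIP archive and check every relationship part inside it.
    param([Parameter(Mandatory)][string]$Path)
    $zip = [System.IO.Compression.ZipFile]::OpenRead((Resolve-Path -LiteralPath $Path).ProviderPath)
    try {
        foreach ($entry in $zip.Entries) {
            if ($entry.FullName -notlike '*.rels') { continue }
            $reader = New-Object System.IO.StreamReader($entry.Open())
            try { Get-ExternalRelationship -RelsXml $reader.ReadToEnd() -Part $entry.FullName }
            finally { $reader.Dispose() }
        }
    }
    finally { $zip.Dispose() }
}

# Constructed sample of a word/_rels/document.xml.rels part (not taken from a real document).
$sample = @'
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>
  <Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" Target="https://files.example.test/page.html" TargetMode="External"/>
  <Relationship Id="rId3" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" Target="https://www.example.test/" TargetMode="External"/>
</Relationships>
'@
Get-ExternalRelationship -RelsXml $sample | Format-Table -AutoSize
# For a file on disk: Get-OoxmlExternalRelationship -Path .\attachment.docx
```

On the constructed sample, rId2 is returned with Review set to True and rId3 with Review set to False; rId1 is internal to the package and is not listed.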

Protection

Microsoft notes that Protected View and Application Guard for Office will alert users when a document is potentially malicious. However, when a Rich Text Format file (.rtf) is used, the code can run without opening the document, via the Preview Pane in Windows Explorer, if enabled.

Microsoft acknowledged the issue in its guidance for CVE-2022-30190 and is expected to fix the flaws in the protocol handlers and their underlying Windows features in an upcoming update. The company did not provide a date for the expected fix.

Clients with active blocking enabled in their Covalence monitoring are protected from this threat. Covalence continuously monitors the activity of Microsoft Office productivity software that may be susceptible to malicious documents or email attachments. Covalence detection for malicious PowerShell abuse via these protocol handlers was also in place prior to the May 2022 reports. Additionally, our teams have been applying the latest indicators of compromise and have added rules to detect and block additional aspects of this threat to ensure our clients and partners are robustly protected.

Recommendations

We recommend following Microsoft’s mitigation advice in the advisory referenced below. It requires disabling the MSDT URL protocol used to execute code on vulnerable systems, which can be done via Windows Group Policy Object (GPO).

We also recommend deleting the SEARCH-MS protocol handler from the Windows Registry, after you back up the registry key. The details on the mitigations are in the References section below.

Consider adding the Attack Surface Reduction (ASR) rule “Block Office Application from Creating Child Processes”. We recommend testing the rule in Audit mode before enabling it, as this lets you evaluate how the ASR rule would impact your organization. See the references below for guidance on how to enable the rule.

Consider disabling the Preview Pane in File Explorer by clicking on the View tab and then clicking on Preview Pane to hide it.
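The registry and ASR recommendations above can be applied from an elevated PowerShell session as follows. This is an added example, not code from the original advisory or from Microsoft: it makes the handler change locally with reg.exe rather than through a GPO, and the function name and backup folder are assumptions. URL protocol handlers are registered under HKEY_CLASSES_ROOT\<scheme>.

```powershell
# Added example. Backs up each protocol handler key, then removes it only if the backup exists.
function Disable-UrlProtocolHandler {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string[]]$Scheme = @('ms-msdt', 'search-ms'),
        [string]$BackupDir = (Join-Path $env:ProgramData 'HandlerBackup')   # assumed location
    )
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    foreach ($s in $Scheme) {
        $key = "HKEY_CLASSES_ROOT\$s"
        if (-not (Test-Path -LiteralPath "Registry::$key")) {
            Write-Output "$s : handler not registered, nothing to do"
            continue
        }
        $backup = Join-Path $BackupDir ("{0}-{1:yyyyMMddHHmmss}.reg" -f $s, (Get-Date))
        & reg.exe export $key $backup /y | Out-Null
        if ($LASTEXITCODE -ne 0 -or -not (Test-Path -LiteralPath $backup)) {
            Write-Warning "$s : backup failed, key left in place"
            continue
        }
        if ($PSCmdlet.ShouldProcess($key, 'Delete protocol handler key')) {
            & reg.exe delete $key /f | Out-Null
            Write-Output "$s : removed, restore with: reg import `"$backup`""
        }
    }
}

# Preview first with -WhatIf (the backup is still written), then run without it.
Disable-UrlProtocolHandler -WhatIf

# ASR rule "Block all Office applications from creating child processes", in Audit mode first.
$asrRule = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'
Add-MpPreference -AttackSurfaceReductionRules_Ids $asrRule -AttackSurfaceReductionRules_Actions AuditMode

# Review what the rule would have blocked (event ID 1122 = ASR audit hit) before enforcing it.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1122
} -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
```

Once the audit events show no business-critical child processes, the same Add-MpPreference call with the action set to Enabled switches the rule to blocking.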

References