2022-06-01

When we contact Microsoft support, depending on the problem, the support representative may need to collect information directly through the MSDT tool (Microsoft Support Diagnostic Tool). By entering the passkey the representative gives us into this tool, we can run certain diagnostics and submit the results to Microsoft for analysis.

Although this tool can be very useful for the company to diagnose a problem with our equipment, it can also pose a serious security risk because of a newly discovered exploit. In a post on its security blog, Microsoft has published information about a new remote code execution (RCE) method that makes use of this tool.

A dangerous exploit still without a solution

Because the diagnostic tool ships with so many Microsoft systems, the exploit works on a large number of them, including Windows 7, 8.1, 10, 11, and Windows Server 2008, 2012, 2016, 2019, and 2022. Tracked as CVE-2022-30190, it is a high-severity security issue. Also, given the few details the company has offered, it is likely that the problem has not been patched yet.

The vulnerability appears to be exploitable through the MSDT URL protocol when it is invoked from a calling application such as Microsoft Word. According to the company, an attacker who manages to take advantage of it can execute arbitrary code with the same privileges as the calling application. So if Word were running with administrator privileges, the attacker could obtain those same privileges.

Microsoft has recommended disabling the MSDT URL protocol through a series of simple steps until a fix is available. To disable it, we have to do the following:

Open Command Prompt as administrator.

Run the command “reg export HKEY_CLASSES_ROOT\ms-msdt file name” (without quotation marks), where ‘file name’ is the name we want to give to the file that will hold the exported copy of that registry key.

Run the command “reg delete HKEY_CLASSES_ROOT\ms-msdt /f” (without quotation marks).

To revert the changes and have the tool available again, we do the following:

Open Command Prompt as administrator.

Run the command “reg import file name” (without quotation marks) to restore the registry key from the file we exported earlier.
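The same workaround and rollback, written as an added PowerShell script rather than the manual commands above (this is an illustration, not a script from the article or from Microsoft). It runs the exact reg.exe commands the article gives, but refuses to delete the key unless the backup was written first, and exposes a check function so you can verify the state of a machine before and after. The backup file location is an assumption; change it to suit your environment.

```powershell
# Added example: apply / verify / roll back the CVE-2022-30190 workaround.
# Run from an elevated PowerShell session (the registry hive requires it).
#Requires -RunAsAdministrator

# The ms-msdt: URL protocol handler key named in the article.
$KeyPath = 'HKEY_CLASSES_ROOT\ms-msdt'
# Assumed backup location; any writable path works.
$BackupFile = Join-Path $env:ProgramData 'ms-msdt-backup.reg'

function Test-MsdtHandler {
    # Returns $true while the ms-msdt: handler is still registered,
    # i.e. while the workaround has NOT been applied.
    return Test-Path "Registry::$KeyPath"
}

function Disable-MsdtHandler {
    if (-not (Test-MsdtHandler)) {
        Write-Host "$KeyPath is already absent; nothing to do."
        return
    }
    # Step 1 from the article: export the key so it can be restored later.
    # /y overwrites an existing backup file without prompting.
    & reg.exe export $KeyPath $BackupFile /y | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path $BackupFile)) {
        throw "Backup of $KeyPath failed; not deleting anything."
    }
    # Step 2 from the article: delete the key so ms-msdt: links no longer launch the tool.
    & reg.exe delete $KeyPath /f | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "Deletion of $KeyPath failed (backup is at $BackupFile)."
    }
    Write-Host "ms-msdt handler removed; backup saved to $BackupFile"
}

function Restore-MsdtHandler {
    # Rollback from the article: re-import the exported key.
    if (-not (Test-Path $BackupFile)) {
        throw "No backup found at $BackupFile; cannot restore."
    }
    & reg.exe import $BackupFile | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "Import of $BackupFile failed."
    }
    Write-Host 'ms-msdt handler restored.'
}

# Usage: apply the workaround, then confirm the handler is gone.
Disable-MsdtHandler
if (Test-MsdtHandler) { throw 'Handler still present after deletion.' }

# To undo once a patch is installed, run: Restore-MsdtHandler
```

Running the script twice is safe: the second run sees the key is already gone and exits without overwriting the backup. Test-MsdtHandler is also handy on its own for checking a fleet of machines, since it answers the only question that matters here (is the ms-msdt: handler still registered?) without changing anything.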

The company also recommends turning on cloud-delivered protection and automatic sample submission in Microsoft Defender Antivirus.