Most recent update: May 30th 10:30pm EDT (May 31st 02:30 UTC) reflecting Microsoft's guidance.

Update: We now have an official blog post from Microsoft: Guidance for CVE-2022-30190 Microsoft Support Diagnostic Tool Vulnerability. The workaround to disable the MSDT URL Protocol is now confirmed, and we do have a CVE number for the issue.

In case you are asked to brief management: We do have some PowerPoint slides to get you started.

It was a long weekend for many European countries, and it's an off-day in the US, but we were aware of a new attack vector for Microsoft Office documents. It started with a tweet from [1], who reported an interesting Word document.

Office documents have been a common way to drop malware into victims’ computers for a while. We have to fight against VBA macros, XLS 4 macros, embedded payloads, etc. But the one described here is interesting.

When you open the file, nothing is displayed (it seems like a blank document), but, looking at the document specs, you see something interesting:

The document contains an external reference pointing to a malicious URL:

This host will be visited when you open the document (and activate the content). The protocol scheme is “ms-msdt:/” (note the single slash!).

What’s this MSDT or “Microsoft Support Diagnostic Tool”? msdt.exe is a tool provided by Microsoft that will collect information to send to Microsoft Support.