Actively Exploited Microsoft Office Security Flaw Has No Patch But Here's A Workaround
In that regard, Microsoft's Security Response Center has issued guidance to help add preventative layers to a newly discovered critical vulnerability or error (CVE). Specifically labeled CVE-2022-30190 by Microsoft, the vulnerability does not use the previous vulnerable attack vector of macros. In fact, macros as an attack vector for malware has been mostly patched out in many recent versions of Office applications anyway.
What is obvious now is that this was not the only way to exploit Office productivity applications. Interestingly enough, the new security flaw is actually related to vulnerabilities in Microsoft Office, or, more specifically, Microsoft Defender in conjunction with Microsoft Office. The Microsoft Defender Support Tool, or MSDT, a specific subset of functionality included with Microsoft Defender, allows applications to open up a URL, known as the MSDT URL protocol. As it turns out, malware and virus designers can actually take advantage of this and trigger arbitrary code execution.
The important difference is that this variant still works.
— Will Dormann (@wdormann) May 30, 2022
Let's look at the preview pane attack vector, like we did for CVE-2021-40444 since that one is more fun. Protected View be damned!
Here is Office 2019 on Win10, both with May 2022 updates. pic.twitter.com/t20bTnZpxG
The simplest method is to disable the MSDT URL Protocol. It's simple enough to delete the registry key on the path HKEY_CLASSES_ROOT\ms-msdt. Of course, you should always be extremely careful modifying your registry and make a backup beforehand as well.
Anyone utilizing Microsoft Defender Antivirus can also turn on cloud-delivered protection and automatic sample submission. This should allow for Defender to detect this malware, as the patterns associated are already part of cloud-delivered threat mitigation resources.
Hopefully most users are made aware of this well enough in advance to prevent any serious damage, though this vulnerability is still being actively exploited currently.