If you have ever contacted Microsoft customer support directly about a problem in Windows or Windows Server, you are probably familiar with the officially recommended Microsoft Support Diagnostic Tool (MSDT). Following the instructions of Microsoft technical support, you open the Run dialog with Win + R and type msdt to launch the tool directly. The tool then asks you to enter the passkey given by the support representative, runs a set of diagnostics, and submits the results directly to Microsoft for further analysis.
(Image source: Microsoft Security Response Center)
Unfortunately, on Monday Microsoft disclosed a remote code execution (RCE) vulnerability in MSDT (CVE-2022-30190).
To make matters worse, the vulnerability affects almost all supported Windows and Windows Server versions, including Windows 7 / 8.1 / 10 / 11 and Windows Server 2008 / 2012 / 2016 / 2019 / 2022.
Although Microsoft has not published a detailed description (perhaps because the fix is not yet complete), the company explained that the RCE vulnerability can be exploited when Microsoft Word or another application invokes MSDT through its URL protocol handler.
On success, an attacker can run arbitrary code with the privileges of the calling application and can view, delete or change your files.
CVE-2022-30190 is considered a high-risk vulnerability
In response, Microsoft recommends disabling the MSDT URL protocol handler when it is not needed:
● run the CMD command prompt as administrator;
● before making any change, back up the registry key (run `reg export HKEY_CLASSES_ROOT\ms-msdt filename`);
● then run `reg delete HKEY_CLASSES_ROOT\ms-msdt /f` to remove the handler.
If you later need to call the MSDT diagnostic tool again, you can re-enable it by running the following command when necessary (waiting for Microsoft to release an official patch is recommended):
● run the CMD command prompt as administrator;
● run `reg import filename` to restore the registry file you backed up earlier.
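The back-up, disable and restore steps above as one script, given here as an added PowerShell example (not code from Microsoft or the original article); it assumes an elevated session and a backup path under ProgramData that you can change to suit your environment.

```powershell
# Added example (not from the article): back up, remove, and restore the
# ms-msdt URL protocol handler key, following the steps described above.
# Assumption: run from an elevated PowerShell session on a supported Windows build.
param(
    [ValidateSet('Disable', 'Restore', 'Status')]
    [string]$Action = 'Status',
    # Backup location is an assumption; change it to suit your environment.
    [string]$BackupFile = "$env:ProgramData\ms-msdt-backup.reg"
)

$KeyPath = 'HKEY_CLASSES_ROOT\ms-msdt'

function Test-IsElevated {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-MsdtHandlerStatus {
    # The handler is active when the key exists; its absence means the workaround is in place.
    if (Test-Path "Registry::$KeyPath") { 'registered' } else { 'removed' }
}

if (-not (Test-IsElevated)) {
    throw 'This script must be run from an elevated (Run as administrator) prompt.'
}

switch ($Action) {
    'Status'  { "ms-msdt handler: $(Get-MsdtHandlerStatus)" }
    'Disable' {
        if ((Get-MsdtHandlerStatus) -eq 'removed') { 'Already removed; nothing to do.'; break }
        # Step 1: back up the key before touching it (/y overwrites an older backup without prompting).
        & reg.exe export $KeyPath $BackupFile /y | Out-Null
        if ($LASTEXITCODE -ne 0 -or -not (Test-Path $BackupFile)) { throw 'Backup failed; key left untouched.' }
        # Step 2: delete the key so ms-msdt: links no longer launch msdt.exe.
        & reg.exe delete $KeyPath /f | Out-Null
        if ($LASTEXITCODE -ne 0) { throw 'reg delete failed.' }
        "Backed up to $BackupFile and removed $KeyPath. Status: $(Get-MsdtHandlerStatus)"
    }
    'Restore' {
        if (-not (Test-Path $BackupFile)) { throw "No backup at $BackupFile; cannot restore." }
        & reg.exe import $BackupFile | Out-Null
        if ($LASTEXITCODE -ne 0) { throw 'reg import failed.' }
        "Restored $KeyPath from $BackupFile. Status: $(Get-MsdtHandlerStatus)"
    }
}
```

Run it with `-Action Status` first to see whether the handler is still registered, then `-Action Disable`; `-Action Restore` imports the saved .reg file once an official patch is installed.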
At the same time, we strongly recommend that Windows users enable Microsoft Defender or other reliable third-party protection software and allow automatic submission of suspicious samples to the cloud.
Enterprise administrators using Microsoft Defender for Endpoint should also apply the appropriate attack surface reduction policies to shrink the attack surface of Office applications.