Microsoft has shared mitigation for a remote code execution vulnerability in the Microsoft Windows Support Diagnostic Tool (MSDT). The vulnerability was reported by crazyman, from Shadow Chaser Group. The vulnerability, tracked as CVE-2022-30190, is being exploited in the wild. It allows attackers to execute malicious code remotely.

Impacts all Windows versions

The vulnerability affects all Windows versions, including Windows 7 and newer and Windows Server 2008 and newer. Security researchers stated that the vulnerability can be exploited to execute PowerShell commands via MSDT.

Microsoft stated that disabling the MSDT URL protocol prevents troubleshooters from being launched as links. To disable it:

1. Run Command Prompt as Administrator.
2. To back up the registry key, execute the command "reg export HKEY_CLASSES_ROOT\ms-msdt filename".
3. Execute the command "reg delete HKEY_CLASSES_ROOT\ms-msdt /f".

To undo the workaround:

1. Run Command Prompt as Administrator.
2. To restore the registry key from the backup, execute the command "reg import filename".

Microsoft also stated that customers with Microsoft Defender Antivirus should turn on cloud-delivered protection and automatic sample submission. Customers of Microsoft Defender for Endpoint can enable the attack surface reduction rule "BlockOfficeCreateProcessRule", which blocks Office apps from creating child processes. With detection build 1.367.719.0 or newer, Microsoft Defender Antivirus detects and blocks possible exploitation of the vulnerability under the following signatures:

Trojan:Win32/Mesdetty.A

Trojan:Win32/Mesdetty.B

Behavior:Win32/MesdettyLaunch.A

Behavior:Win32/MesdettyLaunch.B

Behavior:Win32/MesdettyLaunch.C
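The registry workaround, its undo, and the Defender settings described above, combined into one script as an added example (this is not Microsoft's or the article's own code). It assumes a backup location of your choosing and that the rule GUID below is the documented id of the Defender ASR rule "Block all Office applications from creating child processes"; run it from an elevated PowerShell prompt.

```powershell
# Added example, not from the advisory: apply (or undo, with -Undo) the ms-msdt
# workaround and turn on the Defender protections the advisory recommends.
# Assumptions: $BackupPath is a location of your choosing; the GUID is the documented
# id for the "Block all Office applications from creating child processes" ASR rule.
param(
    [string]$BackupPath = "$env:ProgramData\ms-msdt-backup.reg",
    [switch]$Undo
)

$KeyPath = 'Registry::HKEY_CLASSES_ROOT\ms-msdt'

function Test-MsdtHandler {
    # $true while the ms-msdt: URL protocol handler is still registered.
    return Test-Path -Path $KeyPath
}

function Test-SignatureBuild {
    # $true once the installed AV signatures meet the build named in the advisory.
    $installed = [version](Get-MpComputerStatus).AntivirusSignatureVersion
    return $installed -ge [version]'1.367.719.0'
}

if ($Undo) {
    if (-not (Test-Path -Path $BackupPath)) { throw "No backup at $BackupPath; nothing to restore." }
    reg import $BackupPath | Out-Null
    Write-Host "ms-msdt handler registered after restore: $(Test-MsdtHandler)"
    return
}

if (Test-MsdtHandler) {
    # /y overwrites an existing backup file without prompting.
    reg export 'HKEY_CLASSES_ROOT\ms-msdt' $BackupPath /y | Out-Null
    reg delete 'HKEY_CLASSES_ROOT\ms-msdt' /f | Out-Null
}
Write-Host "ms-msdt handler registered after workaround: $(Test-MsdtHandler)"

# Defender: cloud-delivered protection, automatic sample submission, and the ASR rule
# that stops Office applications from spawning child processes.
Set-MpPreference -MAPSReporting Advanced -SubmitSamplesConsent SendAllSamples
$OfficeChildProcRule = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'
Add-MpPreference -AttackSurfaceReductionRules_Ids $OfficeChildProcRule `
                 -AttackSurfaceReductionRules_Actions Enabled

Write-Host "Signatures at or above 1.367.719.0: $(Test-SignatureBuild)"
```

Rerun with -Undo to import the backup once the security update is installed; the final line tells you whether the Mesdetty signatures listed above can be present on the host.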