Microsoft Office vulnerability could let hackers take over without users opening a document
A newly discovered zero-day vulnerability in Microsoft Office could allow hackers to take control of your computer, even if you don’t open an infected file. Infected documents use a Word template feature to retrieve an HTML file from a remote web server; that HTML file then loads and executes PowerShell code. PowerShell is a configuration management and task automation program for Windows that can be used to execute administrative tasks.
The problem here is that Microsoft Word executes the malicious code via msdt, the Microsoft Support Diagnostic Tool. If the malicious document is saved in Rich Text Format, the code runs without the document being opened at all: the preview pane in Windows File Explorer is enough to trigger it.
This vulnerability attracted the attention of security researcher Kevin Beaumont when it was not flagged by Defender for Endpoint, an enterprise security solution from Microsoft.
In a blog post, Beaumont documents how he tested this vulnerability on various different computers and, according to him, “it works more common than not.” It was shown to work on Windows 10 even with macros disabled and Microsoft Defender running. The vulnerability appeared to be exploitable using .RTF documents on all versions of Microsoft Office.
On May 30, Microsoft’s Security Response Center acknowledged the vulnerability and, while the company did not yet release a patch, it did list some workarounds that can protect users’ PCs in the meantime.
The first workaround it recommended was disabling the MSDT URL protocol. This prevents troubleshooters from being launched as links, including links throughout the operating system. Even after disabling it, troubleshooters can still be accessed using the “Get Help” application and through system settings. Here is how you can disable the protocol:
Run Command Prompt from the Administrator account
Back up your registry key by executing the command reg export HKEY_CLASSES_ROOT\ms-msdt filename
Execute the command reg delete HKEY_CLASSES_ROOT\ms-msdt /f
Do note that this method requires a certain level of technical knowledge, since you will need to restore the registry key from the saved backup file afterwards (with reg import filename) once a patch is installed.
Thankfully, Microsoft has also mentioned a simpler workaround: to turn on cloud-delivered protection and automatic sample submission on Microsoft Defender Antivirus. Ideally, this would mean that Defender would use artificial intelligence and machine learning to identify and stop new and unknown threats.
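The two workarounds above can be applied and verified from one elevated PowerShell session. The script below is an added example written for this article, not code from Microsoft or from the article itself: it performs the registry export and delete exactly as the steps describe, refuses to delete the key if the backup did not succeed, offers a restore function for after patching, and turns on cloud-delivered protection and automatic sample submission through the real Set-MpPreference cmdlet. The backup path in $BackupFile is an assumption; choose one your own restore procedure will find later.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article or from Microsoft): applies the two
# workarounds the article lists and verifies each one.
# $BackupFile is an assumed location; any writable path will do.
param(
    [string]$BackupFile = "$env:ProgramData\ms-msdt-backup.reg"  # assumed path
)

# Handler key for the ms-msdt: URL protocol, as named in the article's steps.
$KeyPath = 'Registry::HKEY_CLASSES_ROOT\ms-msdt'

function Get-MsdtProtocolState {
    # $true while the ms-msdt: protocol handler is still registered.
    return (Test-Path -Path $KeyPath)
}

function Disable-MsdtProtocol {
    if (-not (Get-MsdtProtocolState)) {
        Write-Host "ms-msdt protocol handler already absent; nothing to do."
        return
    }
    # Step 1 from the article: export the key before touching it.
    # /y overwrites an existing backup file; reg.exe sets a non-zero exit code on failure.
    & reg.exe export 'HKEY_CLASSES_ROOT\ms-msdt' $BackupFile /y | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path -Path $BackupFile)) {
        throw "Backup to $BackupFile failed; refusing to delete the key."
    }
    # Step 2 from the article: remove the handler so ms-msdt: links no longer
    # launch msdt.exe, then confirm the key is really gone.
    & reg.exe delete 'HKEY_CLASSES_ROOT\ms-msdt' /f | Out-Null
    if (Get-MsdtProtocolState) {
        throw "ms-msdt key is still present after reg delete."
    }
    Write-Host "ms-msdt protocol handler removed; backup saved to $BackupFile"
}

function Restore-MsdtProtocol {
    # Reverses the workaround once a patch is installed (the article notes
    # the backup exists precisely so the key can be put back).
    if (-not (Test-Path -Path $BackupFile)) {
        throw "No backup found at $BackupFile; cannot restore."
    }
    & reg.exe import $BackupFile | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Get-MsdtProtocolState)) {
        throw "reg import ran but the ms-msdt key is still missing."
    }
    Write-Host "ms-msdt protocol handler restored from $BackupFile"
}

function Enable-DefenderCloudProtection {
    # Second workaround: cloud-delivered protection and automatic sample
    # submission in Microsoft Defender Antivirus.
    #   MAPSReporting Advanced          -> cloud-delivered protection on
    #   SubmitSamplesConsent SendAllSamples -> automatic sample submission
    Set-MpPreference -MAPSReporting Advanced -SubmitSamplesConsent SendAllSamples
    # Read the settings back so the change is verified rather than assumed.
    $pref = Get-MpPreference
    [pscustomobject]@{
        CloudProtection  = $pref.MAPSReporting        # 2 = Advanced
        SampleSubmission = $pref.SubmitSamplesConsent # 3 = SendAllSamples
    }
}

# Usage: apply both workarounds now; run Restore-MsdtProtocol after patching.
Disable-MsdtProtocol
Enable-DefenderCloudProtection | Format-List
```

Run the script from an elevated PowerShell prompt (the #Requires line stops it otherwise). Disable-MsdtProtocol deliberately throws rather than continuing if the export fails or the key survives the delete, so a half-applied workaround is never reported as success; Restore-MsdtProtocol is the counterpart for after the patch ships.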