New vulnerability in a Microsoft tool enables attacks using malicious Microsoft Office documents | Traficom

June 1, 2022 at 14:01, updated June 15, 2022 at 12:32

A new zero-day vulnerability has been detected in the Microsoft Support Diagnostic Tool (MSDT). It enables remote code execution using malicious Microsoft Word documents. Microsoft released a fix on 14 June 2022, which should be installed as soon as possible.

The vulnerability has been given the identifier CVE-2022-30190 and a CVSS 3 base score of 7.8. It can be exploited when the victim merely previews a malicious document in the Windows Explorer preview pane, or opens a document that contains malicious code. Microsoft's Protected View and Application Guard for Office prevent exploitation when a document from the internet is opened in Office; they do not cover the Explorer preview-pane vector.

Some malware detection tools, including Microsoft Defender Antivirus and Microsoft Defender for Endpoint, can detect attempts to exploit the vulnerability.

Exploitation of the vulnerability has already been observed in the wild, so documents received from untrusted sources should be treated with great caution until the patch has been installed.
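The documents used in these attacks carry no macro: a Word file references an OLE object by external URL in its relationships part, and the fetched content invokes the MSDT protocol handler (the ms-msdt: URI scheme). The following scanner, an added example and not Traficom's or Microsoft's code, flags exactly those two indicators in a document supplied as bytes: an oleObject relationship with TargetMode="External", and any ms-msdt: reference in a package part or in a non-OOXML file such as an RTF. The sample document it builds is constructed for the demonstration; the URL in it is a placeholder.

```python
"""Indicator scan for the malicious-document pattern used against CVE-2022-30190.

Added example (not from the advisory). Inputs: raw bytes of a .docx, or of a
non-OOXML file such as RTF or HTML. Sample data below is constructed.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL_TYPE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                "relationships/oleObject")
# The MSDT protocol handler is reached through the ms-msdt: URI scheme.
MSDT_SCHEME = re.compile(rb"ms-msdt:", re.IGNORECASE)


def scan(data: bytes) -> Dict[str, List[str]]:
    """Return indicators found in the document bytes.

    external_ole: Target of every OLE object relationship that points outside
                  the package (the Follina-style delivery vector)
    msdt_refs:    package parts (or "<file>" for a non-zip input) containing
                  an ms-msdt: URI
    """
    findings: Dict[str, List[str]] = {"external_ole": [], "msdt_refs": []}
    if not zipfile.is_zipfile(io.BytesIO(data)):
        # Not an OOXML package (e.g. RTF for the preview-pane vector, or the
        # fetched HTML): only the URI-scheme check applies.
        if MSDT_SCHEME.search(data):
            findings["msdt_refs"].append("<file>")
        return findings

    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            content = z.read(name)
            if name.endswith(".rels"):
                try:
                    root = ET.fromstring(content)
                except ET.ParseError:
                    continue  # malformed part: nothing to inspect here
                for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                    if (rel.get("Type") == OLE_REL_TYPE
                            and rel.get("TargetMode", "Internal") == "External"):
                        findings["external_ole"].append(rel.get("Target", ""))
            if MSDT_SCHEME.search(content):
                findings["msdt_refs"].append(name)
    return findings


def is_suspicious(findings: Dict[str, List[str]]) -> bool:
    """An externally loaded OLE object or any ms-msdt: reference is enough to quarantine."""
    return bool(findings["external_ole"] or findings["msdt_refs"])


def build_sample_docx(external_target: Optional[str]) -> bytes:
    """Construct a minimal .docx in memory (constructed test data, not a real sample).

    With external_target=None the document only embeds a local OLE object and
    should be reported clean; with a URL it mimics the malicious relationship.
    """
    rels = [f'<Relationship Id="rId1" Type="{OLE_REL_TYPE}" '
            f'Target="embeddings/oleObject1.bin"/>']
    if external_target:
        rels.append(f'<Relationship Id="rId2" Type="{OLE_REL_TYPE}" '
                    f'Target="{external_target}" TargetMode="External"/>')
    doc_rels = (f'<Relationships xmlns="{REL_NS}">' + "".join(rels)
                + "</Relationships>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("word/document.xml",
                   '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
        z.writestr("word/_rels/document.xml.rels", doc_rels)
    return buf.getvalue()


if __name__ == "__main__":
    # Placeholder URL: example.invalid is reserved and never resolves.
    bad = scan(build_sample_docx("http://example.invalid/payload.html!"))
    good = scan(build_sample_docx(None))
    print("constructed malicious sample:", bad, is_suspicious(bad))
    print("constructed clean sample:", good, is_suspicious(good))
```

A relationship to an external OLE target is rare in legitimate documents, so alerting on it alone has a low false-positive rate; the ms-msdt: match catches the second-stage content and RTF variants where the relationship check does not apply. The scanner is a triage aid for mail gateways and incident responders, not a replacement for the vendor patch.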


Target of vulnerability

Microsoft Windows 7 and more recent versions up to Windows 11

Microsoft Windows Server 2008 and more recent versions up to Windows Server 2022

What is this about?

Workstations and end-user applications

Vulnerabilities in workstations and in applications for ordinary users often affect a considerable number of users. The target can be, for example, the Windows operating system or a word processor. The line between server applications and end-user applications is sometimes blurred; for example, the same operating system can be used on both a server and a workstation.

Servers and server applications

Vulnerabilities in servers and server software concern, among others, providers of electronic services. Typical targets are server operating systems and web or e-mail server software, such as SunOS, Linux, Apache, IIS or Sendmail.

Remote

A remote attack can be carried out over a network connection or similar, without physical access to the targeted system.

Locally

A local attack can be carried out only by gaining access to the targeted device and using it locally. A local attack is not possible over a network connection.

Execution of arbitrary commands

A vulnerability that enables the execution of arbitrary commands must be considered serious, because whoever exploits it can use the targeted system just like an ordinary user of that system. An attacker who has broken into the system this way can also upload and execute their own software on it over the network.

In the wild

Software update patch

Normally, hardware or software vendors publish a new version or a partial update (patch) for the software or operating system soon after the vulnerability has become public. The update may be available at the same time the vulnerability is published, but often users have to wait for it.

Restriction of the problem

Even when an actual patch is not yet available, the vulnerability's effects can usually be limited, for example by temporarily refraining from using a certain feature or by suitably restricting network traffic to the target system.


Update, June 15, 2022 at 12:32: Microsoft released a fix for the vulnerability on 14 June 2022.