A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word. An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights.
Please see the MSRC Blog Entry for important information about steps you can take to protect your system from this vulnerability.
The Microsoft Support Diagnostics Tool, or MSDT, is a utility built into Windows that's designed to collect information to send to Microsoft for analysis by support personnel, so they can help resolve problems. The exploit chain allows an attacker to use MSDT to execute arbitrary PowerShell code on a system, which they can use to download and execute malicious code.
The exploit can be triggered in multiple ways, including via the preview pane in Windows Explorer!
This vulnerability is believed to have been exploited as far back as April 2022.
Microsoft has already released a mitigation for this vulnerability by deleting the following registry key:
“reg delete HKEY_CLASSES_ROOT\ms-msdt /f”
Coda Footprint covers this vulnerability and the associated RLE (Real Life Exploitation) in Footprint Agent version 5.9.7 and later. In order to see the vulnerability and the RLE you must have performed a scan after 31st of May 2022 with this agent version. This vulnerability will now be active on all Windows Systems.
If we are running the workaround the RLE will turn the status on this vulnerability to Fix Confirmed:
Exploit examples are already posted by different Security researchers:
Credits to nao_sec on Twitter :https://twitter.com/nao_sec/status/1530196847679401984?ref_src=twsrc%5Etfw%7Ctwcamp%5Etweetembed%7Ctwterm%5E1530196847679401984%7Ctwgr%5E%7Ctwcon%5Es1_&ref_url=https%3A%2F%2Fwww.bankinfosecurity.com%2Fmicrosoft-office-attackers-injecting-code-via-zero-day-bug-a-19169