1. Vulnerability Details
In-the-wild exploitation of the Microsoft Windows Support Diagnostic Tool (MSDT) remote code execution vulnerability (CVE-2022-30190) has recently been observed. The flaw lets an unauthenticated remote attacker deliver an Office document by phishing; when the user opens the document, arbitrary code is executed.
CVE-2022-30190: a remote code execution vulnerability exists when MSDT is invoked through its URL protocol from a calling application such as Word. An attacker who successfully exploits it can run arbitrary code with the privileges of the calling application.
The attacker injects a remote template into a malicious Office file. When the user opens the document, Word fetches the remote template, which is a malicious HTML file, and the HTML invokes the 'ms-msdt:' URL scheme to run the attacker's code. If the malicious file is saved in RTF format, it does not even need to be opened: rendering it in the Windows Explorer preview pane is enough to trigger execution.
Affected users are advised to inventory their assets and apply the mitigations below so they are not caught by this attack.
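The delivery mechanism described above leaves a recognisable trace in the document itself: a Word file stores its attached template in word/_rels/settings.xml.rels, and a remote template is an External relationship whose Target is an http(s) URL. The PowerShell script below is an added example (not part of the original advisory) that checks a directory of .docx/.dotx/.docm and .rtf files for that external attached-template relationship and for any literal ms-msdt: reference. The scanned path is an assumption; the RTF check for an http(s) URL in a \template control word is a heuristic added here, not something the advisory states.

```powershell
# Added example: hunt for Follina-style lures (external attached template, ms-msdt: scheme).
# Requires .NET's System.IO.Compression (Windows PowerShell 5.1 or PowerShell 7).
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Test-OfficeRemoteTemplate {
    # Returns a list of findings (empty when nothing suspicious is found).
    param([Parameter(Mandatory)][string]$Path)

    $findings = @()
    $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
    try {
        # A local template is an internal relationship; the lure uses TargetMode="External".
        $rels = $zip.GetEntry('word/_rels/settings.xml.rels')
        if ($rels) {
            $reader = New-Object System.IO.StreamReader($rels.Open())
            [xml]$doc = $reader.ReadToEnd()
            $reader.Dispose()
            foreach ($r in $doc.Relationships.Relationship) {
                if ($r.Type -like '*/attachedTemplate' -and $r.TargetMode -eq 'External') {
                    $findings += "external attached template -> $($r.Target)"
                }
            }
        }
        # Also flag the ms-msdt: scheme anywhere in the package (skip obvious binary parts).
        foreach ($entry in $zip.Entries) {
            if ($entry.Length -gt 0 -and $entry.FullName -notmatch '\.(png|jpe?g|gif|emf|wmf|bin)$') {
                $sr = New-Object System.IO.StreamReader($entry.Open())
                $text = $sr.ReadToEnd()
                $sr.Dispose()
                if ($text -match 'ms-msdt:') { $findings += "ms-msdt: reference in $($entry.FullName)" }
            }
        }
    } finally {
        $zip.Dispose()
    }
    return $findings
}

function Test-RtfRemoteTemplate {
    # RTF is plain text: look for the ms-msdt: scheme and (heuristic, an assumption of this
    # example) a \template control word that points at an http(s) URL.
    param([Parameter(Mandatory)][string]$Path)

    $findings = @()
    $text = Get-Content -Path $Path -Raw
    if ($text -match 'ms-msdt:')                 { $findings += 'ms-msdt: reference in RTF' }
    if ($text -match '\\template\s+https?://\S+') { $findings += "remote template -> $($Matches[0])" }
    return $findings
}

# Usage: scan the current user's Downloads folder (assumed location) and warn on hits.
$ScanRoot = Join-Path $env:USERPROFILE 'Downloads'
Get-ChildItem -Path $ScanRoot -Include *.docx, *.dotx, *.docm, *.rtf -Recurse -File |
    ForEach-Object {
        $hits = if ($_.Extension -eq '.rtf') { Test-RtfRemoteTemplate -Path $_.FullName }
                else                        { Test-OfficeRemoteTemplate -Path $_.FullName }
        if ($hits) { Write-Warning ("{0}:`n  {1}" -f $_.FullName, ($hits -join "`n  ")) }
    }
```

An external attached template is legitimate in some environments (corporate template servers), so treat a hit as something to inspect, not as proof of compromise; a hit on the ms-msdt: scheme inside an Office package, by contrast, has no normal business use.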
2. Affected Versions
Windows Server 2012 R2 (Server Core installation)
Windows Server 2012 R2
Windows Server 2012 (Server Core installation)
Windows Server 2012
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows RT 8.1
Windows 8.1 for x64-based Systems
Windows 8.1 for 32-bit Systems
Windows 7 for x64-based Systems Service Pack 1
Windows 7 for 32-bit Systems Service Pack 1
Windows Server 2016 (Server Core installation)
Windows Server 2016
Windows 10 Version 1607 for x64-based Systems
Windows 10 Version 1607 for 32-bit Systems
Windows 10 for x64-based Systems
Windows 10 for 32-bit Systems
Windows 10 Version 21H2 for x64-based Systems
Windows 10 Version 21H2 for ARM64-based Systems
Windows 10 Version 21H2 for 32-bit Systems
Windows 11 for ARM64-based Systems
Windows 11 for x64-based Systems
Windows Server, version 20H2 (Server Core installation)
Windows 10 Version 20H2 for ARM64-based Systems
Windows 10 Version 20H2 for 32-bit Systems
Windows 10 Version 20H2 for x64-based Systems
Windows Server 2022 Azure Edition Core Hotpatch
Windows Server 2022 (Server Core installation)
Windows Server 2022
Windows 10 Version 21H1 for 32-bit Systems
Windows 10 Version 21H1 for ARM64-based Systems
Windows 10 Version 21H1 for x64-based Systems
Windows Server 2019 (Server Core installation)
Windows Server 2019
Windows 10 Version 1809 for ARM64-based Systems
Windows 10 Version 1809 for x64-based Systems
Windows 10 Version 1809 for 32-bit Systems
3. Remediation
Vulnerability details and exploit code are public, and at the time of writing no official patch was available. Affected users should treat Office documents of unknown origin with caution, apply the interim mitigation from Microsoft's guidance below, and watch for the patch. (Microsoft subsequently addressed CVE-2022-30190 in the June 14, 2022 Windows security updates; once those are installed the workaround can be reverted by importing the backup made in step 2.)
Mitigation: disable the MSDT URL protocol
Disabling the MSDT URL protocol prevents troubleshooters from being launched as links, including links throughout the operating system. Troubleshooters remain reachable through the Get Help application and through the "other" or "additional" troubleshooters in Settings. To disable the protocol:
1. Open a Command Prompt as Administrator.
2. Back up the registry key: "reg export HKEY_CLASSES_ROOT\ms-msdt filename".
3. Delete the key: "reg delete HKEY_CLASSES_ROOT\ms-msdt /f".
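The three steps above, carried out as one script that refuses to delete the key unless the backup succeeded, verifies the result, and offers a matching rollback for use once the official update is installed. This is an added example, not Microsoft's or the advisory's own code; the backup location under ProgramData is an assumption, and the script must run in an elevated PowerShell session.

```powershell
# Added example: apply and verify the interim ms-msdt: mitigation, with rollback.
# Backup path is an assumption of this example.
$BackupFile = Join-Path $env:ProgramData 'ms-msdt-backup.reg'
$MsdtKey    = 'Registry::HKEY_CLASSES_ROOT\ms-msdt'

function Test-IsElevated {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    return ([Security.Principal.WindowsPrincipal]$id).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Disable-MsdtProtocol {
    # Returns $true when the ms-msdt: handler is absent after the run.
    if (-not (Test-IsElevated)) { throw 'Run this from an elevated (Administrator) PowerShell.' }
    if (-not (Test-Path $MsdtKey)) {
        Write-Host 'ms-msdt handler already absent; nothing to do.'
        return $true
    }
    # Step 2: back up the key; /y overwrites an older backup without prompting.
    & reg.exe export 'HKEY_CLASSES_ROOT\ms-msdt' $BackupFile /y | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path $BackupFile)) {
        throw "Backup to $BackupFile failed; refusing to delete the key."
    }
    # Step 3: remove the handler so ms-msdt: links no longer launch msdt.exe.
    & reg.exe delete 'HKEY_CLASSES_ROOT\ms-msdt' /f | Out-Null
    # Verify rather than trust the exit code.
    return -not (Test-Path $MsdtKey)
}

function Restore-MsdtProtocol {
    # Roll back from the backup after the official fix is installed.
    if (-not (Test-IsElevated)) { throw 'Run this from an elevated (Administrator) PowerShell.' }
    if (-not (Test-Path $BackupFile)) { throw "No backup found at $BackupFile." }
    & reg.exe import $BackupFile | Out-Null
    return (Test-Path $MsdtKey)
}

# Usage: apply the mitigation and report the verified state.
if (Disable-MsdtProtocol) {
    Write-Host "ms-msdt: handler removed; backup saved to $BackupFile"
} else {
    Write-Warning 'ms-msdt key is still present; check the elevation and the reg.exe output.'
}
```

Run Restore-MsdtProtocol only after confirming the June 2022 (or later) cumulative update is installed; removing the handler breaks every ms-msdt: link in the OS, which is why the backup is mandatory before the delete.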