Microsoft Office vulnerability lets attackers execute PowerShell commands

Security researchers have discovered a Microsoft Office zero-day vulnerability that lets attackers execute PowerShell commands via a Word document.

The security flaw has been identified as CVE-2022-30190 and has a common vulnerability scoring system severity rating of 7.8 out of 10.

Microsoft Office versions 2013, 2016, 2019, 2021, and Professional Plus editions are impacted.

The vulnerability is exploited via malicious Word documents that use the Microsoft Diagnostic Tool (MSDT) to execute PowerShell commands.

“A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word,” Microsoft stated.

“An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application.”

“The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights,” Microsoft said.

Microsoft credited the Shadow Chaser Group leader “CrazymanArmy” with reporting the flaw on 12 April 2022.

The tech company released workaround guidance for the vulnerability on its Microsoft Security Response Center blog.

Alongside the workaround, Microsoft also advised users with affected machines to enable Microsoft Defender Antivirus’s cloud-delivered protection and automatic sample submission.

“If the calling application is a Microsoft Office application, by default, Microsoft Office opens documents from the Internet in Protected View or Application Guard for Office, both of which prevent the current attack,” the company said.

However, security researcher Kevin Beaumont noted that attackers could bypass Office’s Protected View feature by changing the document to a Rich Text Format (RTF) file.

“Protected View does kick in, although if you change the document to RTF form, it runs without even opening the document (via the preview tab in Explorer), let alone Protected View,” Beaumont said.

Now read: Online PC store nailed by ombudsman as website vanishes

Latest news

Partner Content

Show comments


Share this article
Microsoft Office vulnerability lets attackers execute PowerShell commands