{"id":446572,"date":"2022-05-31T10:12:38","date_gmt":"2022-05-31T08:12:38","guid":{"rendered":"https:\/\/mybroadband.co.za\/news\/?p=446572"},"modified":"2022-06-03T08:30:57","modified_gmt":"2022-06-03T06:30:57","slug":"microsoft-office-vulnerability-lets-attackers-execute-powershell-commands","status":"publish","type":"post","link":"https:\/\/mybroadband.co.za\/news\/security\/446572-microsoft-office-vulnerability-lets-attackers-execute-powershell-commands.html","title":{"rendered":"Microsoft Office vulnerability lets attackers execute PowerShell commands"},"content":{"rendered":"<p>Security researchers have <strong><a href=\"https:\/\/twitter.com\/nao_sec\/status\/1530196847679401984\" target=\"_blank\" rel=\"noopener\">discovered<\/a><\/strong> a Microsoft Office zero-day vulnerability that lets attackers execute PowerShell commands via a Word document.<\/p>\n<p>The security flaw has been identified as CVE-2022-30190 and has a Common Vulnerability Scoring System (CVSS) severity rating of 7.8 out of 10.<\/p>\n<p>Microsoft Office versions 2013, 2016, 2019, 2021, and Professional Plus editions are impacted.<\/p>\n<p>The vulnerability is exploited via malicious Word documents that use the Microsoft Diagnostic Tool (MSDT) to execute PowerShell commands.<\/p>\n<p>\u201cA remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word,\u201d Microsoft stated.<\/p>\n<p>\u201cAn attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application.\u201d<\/p>\n<p>\u201cThe attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user\u2019s rights,\u201d Microsoft said.<\/p>\n<p>Microsoft credited the Shadow Chaser Group leader \u201cCrazymanArmy\u201d with reporting the flaw on 12 April 2022.<\/p>\n<p>The tech company released workaround guidance for the vulnerability on its <strong><a 
href=\"https:\/\/msrc-blog.microsoft.com\/2022\/05\/30\/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability\/\" target=\"_blank\" rel=\"noopener\">Microsoft Security Response Center blog<\/a><\/strong>.<\/p>\n<p>Alongside the workaround, Microsoft also advised users with affected machines to enable Microsoft Defender Antivirus\u2019s cloud-delivered protection and automatic sample submission.<\/p>\n<p>\u201cIf the calling application is a Microsoft Office application, by default, Microsoft Office opens documents from the Internet in Protected View or Application Guard for Office, both of which prevent the current attack,\u201d the company said.<\/p>\n<p>However, security researcher Kevin Beaumont <strong><a href=\"https:\/\/doublepulsar.com\/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e\" target=\"_blank\" rel=\"noopener\">noted<\/a><\/strong> that attackers could bypass Office\u2019s Protected View feature by changing the document to a Rich Text Format (RTF) file.<\/p>\n<p>\u201cProtected View does kick in, although if you change the document to RTF form, it runs without even opening the document (via the preview tab in Explorer), let alone Protected View,\u201d Beaumont said.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Microsoft and security researchers have alerted Office users to a critical security flaw that could put their devices at risk of 
attack.<\/p>\n","protected":false},"author":341094,"featured_media":446576,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[27],"tags":[78704,6599,30110,58906],"class_list":["post-446572","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security","tag-kevin-beaumont","tag-microsoft-office","tag-microsoft-word","tag-powershell"],"_links":{"self":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts\/446572"}],"collection":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/users\/341094"}],"replies":[{"embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/comments?post=446572"}],"version-history":[{"count":2,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts\/446572\/revisions"}],"predecessor-version":[{"id":447156,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts\/446572\/revisions\/447156"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/media\/446576"}],"wp:attachment":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/media?parent=446572"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/categories?post=446572"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/tags?post=446572"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}