SANS NewsBites

Mitigate Microsoft Word MSDT Zero Day ASAP; GitHub Found Its Logs Had Some Passwords Stored in the Clear; Microsoft to Enforce Azure Active Directory Security Defaults

May 31, 2022  |  Volume XXIV - Issue #43

Top of the News


2022-05-31

SANS Emergency Webcast MSDT (MS Word) 0-day - Analysis and Remediation

This past weekend, researchers discovered a Word document with a zero-day vulnerability allowing code execution in malicious Office documents. Attackers have been exploiting this for at least a month in targeted attacks. SANS has partnered with the community to create resources to assist in dealing with this MS-MSDT vulnerability (CVE-2022-30190, aka "Follina") and today (Tuesday) at 5pm EDT we will be holding an emergency webinar to go over the threat and our recommendations. Join SANS and Jake Williams to learn what we uncovered on how the vulnerability works, how to detect exploitation, and how to remediate. Go to https://www.sans.org/webcasts/emergency-webcast-msdt-ms-word-0-day/ for the webinar, and https://isc.sans.edu/diary/28694/ for a technical summary of the threat.


2022-05-31

Microsoft Office Zero-Day Vulnerability

A zero-day vulnerability in Microsoft Office can be exploited to allow arbitrary code execution. According to “nao_sec,” the Japanese research team that detected the issue, the flaw “uses Word's external link to load the HTML and then uses the 'ms-msdt' scheme to execute PowerShell code.” The flaw, dubbed Follina, can be exploited even when macros are disabled in Microsoft Word.

Editor's Note

This is a significant vulnerability and underscores problems that likely exist in other protocol handlers (there are many). You can disable troubleshooting tools entirely by entering the following command, which mitigates the current attack:

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnostics" /t REG_DWORD /v EnableDiagnostics /d 0

I'm doing an emergency webcast this Tuesday (today) at 5pm ET to discuss additional mitigations, detections, and just more information about the vulnerability itself. In the meantime, I've written a pretty in-depth blog on the topic here (including detection engineering): https://www.scythe.io/library/breaking-follina-msdt-vulnerability

Jake Williams

Microsoft assigned this vulnerability an "important" rating. However, this does not properly reflect the impact this vulnerability may have. Even with current counter measures (for example prompts to enable macros), malicious documents are very commonly used to gain access to networks for ransomware and other malware. This vulnerability bypasses all these protections and all it takes is opening or even just previewing an office document. While reasonable workarounds are available, a push to educate users should be included in your response.

Johannes Ullrich

Practitioner's note: With no patch available, the ISC offers (among other mitigations) that administrators can remove the ms-msdt:// URI scheme. This lives in HKEY_CLASSES_ROOT\ms-msdt in the registry and can be removed via Group Policy Object (GPO) or with PowerShell:

Remove-Item -Path Registry::HKEY_CLASSES_ROOT\ms-msdt\ -Recurse -Force

Christopher Elgee

Microsoft have issued an advisory with some workarounds outlined in it [https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/]. The recommendation from Microsoft is to disable the MSDT URL Protocol; however, be aware that some applications may not work as expected once this is implemented. Should this happen, you can always re-enable the MSDT URL Protocol on affected computers.

Brian Honan

Word protected mode does kick in to protect you some, but if you save the malicious document as an RTF, it can be executed via the document preview tab in Explorer, bypassing protected mode. The attack appears not to work on the Insider and Current versions of Office; your defense is going to be making sure that your systems running Office are kept updated.

Lee Neely
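The two workarounds the editors quote above (removing the ms-msdt URI handler and setting the ScriptedDiagnostics policy) in one administrative script, as an added example that is not from the newsletter, the ISC or Microsoft; it assumes an elevated PowerShell session and uses a constructed backup path so the handler can be restored if, as Brian Honan notes, an application depends on it.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the newsletter): apply and verify the CVE-2022-30190
# workarounds quoted in the editors' notes. A .reg backup of the handler key
# is taken first so "reg import" can restore it on machines that need it.

$HandlerKey = 'Registry::HKEY_CLASSES_ROOT\ms-msdt'
$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnostics'

function Backup-MsdtHandler {
    # Backup path is an assumption for this example; pick your own location
    param([string]$BackupPath = "$env:ProgramData\msdt-handler-backup.reg")
    if (Test-Path $HandlerKey) {
        # reg.exe export writes a .reg file that can later be re-imported
        & reg.exe export 'HKCR\ms-msdt' $BackupPath /y | Out-Null
        return $BackupPath
    }
    return $null   # nothing to back up: handler already absent
}

function Disable-MsdtHandler {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if (Test-Path $HandlerKey) {
        if ($PSCmdlet.ShouldProcess($HandlerKey, 'Remove ms-msdt URI handler')) {
            Remove-Item -Path $HandlerKey -Recurse -Force
        }
    }
    if ($PSCmdlet.ShouldProcess($PolicyKey, 'Set EnableDiagnostics = 0')) {
        # Same effect as the "reg add ... /v EnableDiagnostics /d 0" command above
        New-Item -Path $PolicyKey -Force | Out-Null
        New-ItemProperty -Path $PolicyKey -Name EnableDiagnostics `
            -PropertyType DWord -Value 0 -Force | Out-Null
    }
}

function Test-MsdtMitigation {
    # Summarises whether each workaround is in place, for fleet-wide checks
    $policy = Get-ItemProperty -Path $PolicyKey -Name EnableDiagnostics -ErrorAction SilentlyContinue
    [pscustomobject]@{
        HandlerRemoved      = -not (Test-Path $HandlerKey)
        DiagnosticsDisabled = ($null -ne $policy -and $policy.EnableDiagnostics -eq 0)
    }
}

# Example run: back up, apply, then verify
$backup = Backup-MsdtHandler
if ($backup) { Write-Host "Handler exported to $backup (reg import $backup restores it)" }
Disable-MsdtHandler
Test-MsdtMitigation | Format-List
```

Run `Disable-MsdtHandler -WhatIf` first to see what would change, and keep `Test-MsdtMitigation` for compliance checks after the rollout.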

2022-05-27

GitHub Details npm Account Information Stolen in April

GitHub says that access credentials for about 100,000 npm accounts were stolen earlier this year. The breach was conducted with the use of stolen OAuth tokens. GitHub initially disclosed the breach in mid-April. Last week, GitHub Senior Director for Product Security Engineering Greg Ose said the intruders stole approximately 100k npm usernames, password hashes, and email addresses from a 2015 archive of user information; all private package manifests and metadata as of April 7, 2021; names and the semVer of published versions of all private packages as of April 10, 2022; and private packages from two organizations.

Editor's Note

The investigation into the OAuth compromise found an unrelated exposure: some npm service logs stored in GitHub’s internal logging system contained plaintext credentials received in requests to npm services that should have been sanitized. This kind of “exposure hunting” is a good thing to do regularly, but taking advantage of a breach investigation to do so is a no-brainer.

John Pescatore

Plaintext passwords in logs are something we should all be making sure we don't capture, except for the user who puts their password into the username prompt. Like GitHub, if you discover passwords captured in logs, directly connect with those account holders and have them change their passwords _AFTER_ you make sure that you won't continue to capture plaintext passwords. This would be a good time to make sure users are enabling MFA. If you're concerned about your account being among the ones which were captured, change the password and verify 2FA is in place.

Lee Neely

2022-05-27

Microsoft Rolling Out Security Defaults

Microsoft plans to roll out security defaults to Azure Active Directory users who have not yet enabled security defaults or Azure AD Conditional Access. Microsoft Director of Identity Security Alex Weinert notes that “When we look at hacked accounts, more than 99.9% don’t have MFA.” Microsoft introduced security defaults for new tenants in October 2019. Microsoft estimates the rollout will protect an additional 60 million accounts.

Editor's Note

There are basic security hygiene concepts that ought to be like fluoride in public water: they should be the default for all services and should be implemented to be transparent and unalterable to provide a base level of protection. The 2% of use cases that need something different can be handled by exception, vs. allowing the 98% of use to be put at risk because defaults were left unchanged. The users (even developers) are getting used to accepting this; take advantage.

John Pescatore

There are times when leaving security to the customer to (finally) implement is as good as never implementing it. All service providers need to not only continue to raise the security bar commensurate with the current threat landscape, but also ensure customers are notified of and implement those improvements. Microsoft's conditional access allows you to have different security settings for trusted and untrusted devices and networks. You can enable the security defaults in your Microsoft 365 admin center.

Lee Neely

The Rest of the Week's News


2022-05-27

Commerce Publishes Final Rule on Cybersecurity Tools Export Controls

The US Department of Commerce’s Bureau of Industry and Security has published a final cybersecurity export control rule in the Federal Register. The new rule is aimed at preventing the resale or export of certain cybersecurity tools to countries like Russia and China without a license. The rule took effect on May 26, 2022.

Editor's Note

This aligns the US with the other 42 members of the Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies. The latest revisions incorporated feedback provided to the October 2021 proposed final ruling. Essentially items under this rule must have proper licensing through the Department of Commerce before they can be used outside the country.

Lee Neely

This is mostly of interest to vendors selling products, but if you are using any of the tools on the list, it is worth checking to see whether there is any potential spillover impact on your company’s global use of such products.

John Pescatore

2022-05-29

FBI Warns Criminals are Selling University Credentials

The FBI has published a TLP: White level Private Industry Notification warning that network access credentials for US colleges and universities are being sold in online criminal marketplaces. The FBI recommends that academic institutions take steps to improve their networks’ security, including keeping software up to date, implementing lockout rules for multiple password attempts, and requiring multi-factor authentication.

Editor's Note

While university network and student support services can be challenging, the recommended actions are doable. Make sure that you are segmenting (particularly research and back-end IT), monitoring, and aware of services exposed to the Internet. Seriously block SMB, RDP, FTP and other insecure protocols. Be aware of trust relationships, and establish a process for these connections as well as for verifying they remain appropriately secure. When looking at MFA, look to phishing-resistant options.

Lee Neely

If you have any collaborative agreements with universities that involve VPN access, it is a good idea to investigate the impact.

John Pescatore

2022-05-27

Talos List of Open Automation Software Vulnerabilities

Researchers from Cisco Talos recently discovered eight vulnerabilities in the Open Automation Software (OAS) Platform. The flaws could be exploited to execute arbitrary code, allow unauthenticated use of the REST API, and conduct other malicious activity. OAS has released an update to address the vulnerabilities.

Editor's Note

OAS is often used for data transfer in OT/ICS and IIoT environments. The flaws have CVE scores in the 9.1-9.4 range and can be used to conduct DoS attacks, enumerate username/password pairs, achieve RCE and other mischief. If you've got it in your environment, make sure you apply the update. If it's bundled with a larger package, get your vendor's update plans. Also make sure that you're following hardening guidelines, particularly segmentation and monitoring of connections to administration services and ports.

Lee Neely

2022-05-30

Italy’s CSIRT Warns of Potential DDoS Attacks

An alert from Italy’s Computer Security Incident Response Team (CSIRT) warns that there is a high risk of distributed denial-of-service (DDoS) attacks on national computer systems. The alert notes that “There continue to be signs and threats of possible imminent attacks against, in particular, national public entities, private entities providing a public utility service or private entities whose image is identified with the country of Italy.”

Editor's Note

"ChromeLoader" uses PowerShell on Windows, and a Bash script on the Mac and is distributed via an ISO claiming to be a hacked game image. The loader is used to install a browser plugin. Consider blocking or otherwise limiting use of ISO's downloaded from the Internet.

Lee Neely

2022-05-29

More Pushback Against CERT-In Breach Reporting Requirements

Nearly a dozen technology-related lobby groups have written to India’s Computer Emergency Response Team (CERT-In) to voice their objection to the organization’s new breach reporting requirements. The groups include the US Chamber of Commerce, The Alliance (BSA), Digital Europe, the Information Technology Industry Council, techUK, the Cybersecurity Coalition US Chamber of Commerce, the US-India Business Council, and the US-India Strategic Partnership Forum. The groups object to numerous requirements, including the six-hour breach reporting rule and the burden and risk of storing customer data.

Editor's Note

The objections highlight important factors to consider when implementing incident reporting: make sure the reporting requirement is obtainable, and understand how data is protected as well as what data is required, some of which may necessitate updated NDAs. Also ensure that you can use machine-based reporting tools which allow you to leverage existing systems and processes.

Lee Neely