Here is how to protect Windows PCs from Protocol vulnerabilities

Martin Brinkmann
Jun 2, 2022
Updated Jun 3, 2022
Security

Two days ago, security researchers disclosed a vulnerability in the Microsoft Support Diagnostic Tool that affects all client and server versions of the Windows operating system.

The tool, designed to communicate with Microsoft support, is built into Windows by default. Microsoft confirmed the issue and published a support page to provide system administrators with information on the vulnerability.

The vulnerability stems from an issue in the URL protocol handling of the Windows operating system. An attacker may exploit it through applications that use the URL protocol to call the Microsoft Support Diagnostic Tool. Successful exploitation allows attackers to run arbitrary code with the same privileges as the application the attack originated from.

Attackers may use it to install or remove programs from Windows machines, delete or modify data, create new user accounts, access files, or make changes to the Windows Registry.

Microsoft's workaround for the Microsoft Support Diagnostic Tool vulnerability


Microsoft posted a workaround to reduce the attack surface of the vulnerability. The published workaround does not protect Windows systems completely, as it is still possible to access troubleshooters via the Get Help application and in the system settings.

Here is the official workaround:

  1. Open the Start Menu.
  2. Type Command Prompt.
  3. Select Run as administrator to launch an elevated command prompt window.
  4. Confirm the UAC prompt.
  5. Run the command reg export HKEY_CLASSES_ROOT\ms-msdt regbackupmsdt.reg to back up the ms-msdt key. The Registry file is saved to C:\Windows\System32 by default, but you may add another location in front of the regbackupmsdt.reg file name.
  6. Run the command reg delete HKEY_CLASSES_ROOT\ms-msdt /f to delete the key.

You may restore the key at any time by running reg import regbackupmsdt.reg from an elevated command prompt window. Note that you may need to specify the location of the Registry backup file if it is located elsewhere on the system.

Microsoft is asking that customers with Microsoft Defender Antivirus enable cloud-delivered protection and the automatic submission of samples in the application. Microsoft Defender for Endpoint customers may enable the attack surface reduction rule BlockOfficeCreateProcessRule to further protect systems. Enabling the rule blocks Office applications from creating child processes.

Microsoft Defender Antivirus 1.367.851.0 or higher offers detections and protections against possible exploits according to Microsoft:

Trojan:Win32/Mesdetty.A (blocks msdt command line)
Trojan:Win32/Mesdetty.B (blocks msdt command line)
Behavior:Win32/MesdettyLaunch.A!blk (terminates the process that launched msdt command line)
Trojan:Win32/MesdettyScript.A (to detect HTML files that contain msdt suspicious command being dropped)
Trojan:Win32/MesdettyScript.B (to detect HTML files that contain msdt suspicious command being dropped)
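Checking that a machine actually has the Defender protections described above, as an added example that is not part of the article or of Microsoft's guidance: the script reads the Defender status and preferences with the built-in Defender cmdlets, compares the installed signature version against the 1.367.851.0 baseline named above, and provides a function that turns on cloud-delivered protection, sample submission and the Office child-process attack surface reduction rule. The GUID is the documented identifier of the "Block all Office applications from creating child processes" rule; the function and variable names are this example's own.

```powershell
# Added example (not from the article or Microsoft). Run from an elevated
# PowerShell prompt on a machine with Microsoft Defender Antivirus.

# Signature version the article names as the first one carrying the Mesdetty detections.
$RequiredSignatures = [version]'1.367.851.0'

# ASR rule "Block all Office applications from creating child processes"
# (referred to in the article as BlockOfficeCreateProcessRule).
$BlockOfficeChildProcesses = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'

function Test-DefenderMsdtCoverage {
    $status = Get-MpComputerStatus
    $prefs  = Get-MpPreference
    $installed = [version]$status.AntivirusSignatureVersion

    # ASR rules are exposed as two parallel arrays: ids and actions.
    $ids     = @($prefs.AttackSurfaceReductionRules_Ids)
    $actions = @($prefs.AttackSurfaceReductionRules_Actions)
    $ruleAction = 0   # 0 = not configured / disabled
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $BlockOfficeChildProcesses) { $ruleAction = $actions[$i] }
    }

    [pscustomobject]@{
        SignatureVersion   = $installed
        SignaturesCurrent  = ($installed -ge $RequiredSignatures)
        CloudProtection    = ($prefs.MAPSReporting -ne 0)           # 0 = Disabled
        SampleSubmission   = ($prefs.SubmitSamplesConsent -in 1, 3) # 1 = safe samples, 3 = all samples
        OfficeChildBlocked = ($ruleAction -eq 1)                    # 1 = Block, 2 = Audit
    }
}

function Enable-DefenderMsdtCoverage {
    # The two settings Microsoft asks Defender Antivirus customers to turn on.
    Set-MpPreference -MAPSReporting Advanced -SubmitSamplesConsent SendAllSamples
    # The ASR rule Microsoft suggests for Defender for Endpoint customers.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $BlockOfficeChildProcesses `
                     -AttackSurfaceReductionRules_Actions Enabled
    # Pull the latest definitions so the detections listed above are present.
    Update-MpSignature
}

Test-DefenderMsdtCoverage | Format-List
```

Running Test-DefenderMsdtCoverage before and after Enable-DefenderMsdtCoverage shows which of the three protections changed. Where Office macros or add-ins legitimately spawn processes, set the rule action to AuditMode first and review the resulting events before switching it to Enabled, since a blocking rule breaks those workflows.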

A better workaround for the Microsoft Support Diagnostic Tool vulnerability


Microsoft's workaround does not address the vulnerability completely on the system. While it may stop most attacks, it won't stop all of them as it is still possible to access troubleshooting wizards.

Benjamin Delpy published a better solution on Twitter that disables Troubleshooting Wizards on Windows using the Group Policy. (via Deskmodder)

Windows administrators may change the policy in the Group Policy Editor or by editing the Windows Registry directly.

Group Policy


Note that the Group Policy Editor is only available in professional versions of the Windows operating system. You can check the version by opening the Settings application and going to System > About.

  1. Open the Start Menu.
  2. Type gpedit.msc and hit the Enter-key to launch the Group Policy Editor.
  3. Go to Computer Configuration > Administrative Templates > System > Troubleshooting and Diagnostics > Scripted Diagnostics
  4. Double-click on the policy Troubleshooting: Allow users to access and run Troubleshooting Wizards.
  5. Set the state of the policy to Disabled to block users of the system from launching troubleshooting tools.
  6. Select OK to complete the change.

The policy is supported on all Windows systems starting with Windows 7 on the client side and Windows Server 2008 R2 on the server side.

Note that this removes the user's option to run troubleshooters in the system. You may undo the change at any time by setting the state of the policy to Not Configured (default), or Enabled. System administrators may want to undo the change once Microsoft lands an official patch in a future update.

Registry Editor


Windows administrators may also edit the Windows Registry directly to disallow the running of troubleshooting wizards on the system. This is the best option on Home editions, which do not include the Group Policy Editor, and some administrators prefer editing the Registry over the Group Policy anyway.

  1. Open the Windows Start Menu.
  2. Type regedit.exe and hit the Enter-key; this opens the Windows Registry Editor.
  3. Confirm the UAC prompt.
  4. Go to Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnostics.
    1. It is possible that one or more of the listed keys do not exist. You may need to create the missing keys by right-clicking on the previous key and selecting New > Key from the context menu. Repeat the process until all keys are present.
  5. Right-click on ScriptedDiagnostics and select New > Dword (32-bit) Value.
  6. Name it EnableDiagnostics.
  7. Make sure the value is 0. If not, double-click on EnableDiagnostics and set the value of the Dword to 0.
  8. Close the Registry Editor window.
  9. Restart the Windows PC to apply the change.

To undo the change, right-click EnableDiagnostics in the Windows Registry Editor and select the Delete option. A restart is required to apply the change.
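The same policy value, applied and verified from PowerShell, as an added example rather than the article's own instructions: it creates the missing keys under Policies\Microsoft\Windows (the manual sub-step under step 4), writes EnableDiagnostics as a DWORD of 0, reports the resulting state, and can remove the value again to return the policy to Not Configured. Function names are this example's own; a restart is still needed for the change to take effect.

```powershell
# Added example (not from the article). Run from an elevated PowerShell prompt.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnostics'
$ValueName = 'EnableDiagnostics'

function Disable-TroubleshootingWizards {
    # New-Item -Force creates every missing key along the path.
    if (-not (Test-Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    # A REG_DWORD of 0 is the "policy Disabled" state the Group Policy Editor writes.
    New-ItemProperty -Path $PolicyKey -Name $ValueName -PropertyType DWord -Value 0 -Force | Out-Null
}

function Enable-TroubleshootingWizards {
    # Undo: deleting the value returns the policy to Not Configured.
    if (Test-Path $PolicyKey) {
        Remove-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
    }
}

function Get-TroubleshootingWizardState {
    if (-not (Test-Path $PolicyKey)) { return 'NotConfigured' }
    $item = Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotConfigured' }
    if ($item.$ValueName -eq 0) { return 'Disabled' } else { return 'Enabled' }
}

Disable-TroubleshootingWizards
"Troubleshooting wizards policy: $(Get-TroubleshootingWizardState)"
```

Get-TroubleshootingWizardState is also a quick way to audit a fleet for the setting: it returns Disabled only when the value exists and is 0, which is the state the article's steps aim for.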

Windows Search protocol vulnerability

Another vulnerability in the handling of protocols on Windows was disclosed yesterday. The new vulnerability abuses an issue in the Windows Search protocol handler search-ms.

The new vulnerability, disclosed by Twitter user hackerfantastic.crypto, can be exploited to launch a Windows Search window automatically when an Office document is opened. The search window can display executable files on a remote SMB share under names such as Critical Updates to trick users into running malware.

Attackers may also take advantage of the Explorer preview pane and specially prepared RTF documents to launch the search window automatically when the document is rendered in the preview pane of the file manager.

The issue requires user interaction, but it could still lead to the infection of user systems if users are not careful about what they open on their devices.

Microsoft has not confirmed the new issue yet. Administrators may block it by deleting the search-ms protocol handler in the Windows Registry:

  1. Open the Start Menu.
  2. Type Command Prompt.
  3. Select Run as administrator to launch an elevated command prompt window.
  4. Confirm the UAC prompt.
  5. Run the command reg export HKEY_CLASSES_ROOT\search-ms search-ms.reg to back up the Registry key.
  6. Run the command reg delete HKEY_CLASSES_ROOT\search-ms /f to delete the Registry key.
  7. Close the Registry Editor.
  8. Restart the PC.

To restore the functionality, run reg import search-ms.reg from an elevated command prompt window.
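Both export-then-delete procedures on this page (the ms-msdt key in Microsoft's workaround and the search-ms key above) follow the same pattern, so here is one script that applies it to either handler, as an added example that is not the article's own code. It refuses to delete a key unless the export succeeded and the backup file exists, and it provides the matching restore. The backup directory and the function names are assumptions made for this example.

```powershell
# Added example (not from the article). Run from an elevated PowerShell prompt.

$BackupDir = 'C:\ProtocolHandlerBackups'   # assumed location; change as needed
$Handlers  = 'ms-msdt', 'search-ms'

function Backup-ProtocolHandler {
    param([string]$Name)
    $file = Join-Path $BackupDir "$Name.reg"
    # reg.exe export writes an importable .reg file; /y overwrites an older backup.
    & reg.exe export "HKCR\$Name" $file /y | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path $file)) {
        throw "Backup of HKCR\$Name failed; the key was not removed."
    }
    return $file
}

function Remove-ProtocolHandler {
    param([string]$Name)
    $keyPath = "Registry::HKEY_CLASSES_ROOT\$Name"
    if (-not (Test-Path $keyPath)) {
        Write-Host "HKCR\$Name is not present; nothing to do."
        return
    }
    # Same order as the article: a verified backup first, deletion second.
    $file = Backup-ProtocolHandler -Name $Name
    Remove-Item -Path $keyPath -Recurse -Force
    Write-Host "Removed HKCR\$Name (backup: $file)"
}

function Restore-ProtocolHandler {
    param([string]$Name)
    $file = Join-Path $BackupDir "$Name.reg"
    if (-not (Test-Path $file)) { throw "No backup found at $file" }
    & reg.exe import $file | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg import of $file failed" }
    Write-Host "Restored HKCR\$Name from $file"
}

New-Item -Path $BackupDir -ItemType Directory -Force | Out-Null
foreach ($h in $Handlers) { Remove-ProtocolHandler -Name $h }
# To undo once a patch is installed:
# foreach ($h in $Handlers) { Restore-ProtocolHandler -Name $h }
```

Keeping the .reg files outside System32 (the default location the article notes for a bare reg export) makes the restore step less error-prone later, and Test-Path on Registry::HKEY_CLASSES_ROOT\<name> is a simple way to confirm afterwards that a handler is gone.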


Comments

  1. Dr I said on June 7, 2022 at 9:40 am

    According to updated information from Microsoft, the GPO work around is not sufficient to protect against this threat.

    https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/

    Q: Is configuring the GPO setting Computer Configuration – Administrative Templates – System – Troubleshooting and Diagnostics – Microsoft Support Diagnostic Tool\”Troubleshooting: Allow users to access recommended troubleshooting for known problems” to “Disabled” another workaround?

    A: No, enabling or disabling this group policy has no effect on the vulnerable part of Troubleshooter functionality, so it is not a viable workaround.

    1. René Joram said on June 8, 2022 at 10:00 am

      Oops, my comment was deleted. So again in short format:

      On

      https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/

      there is another Q/A beneath the GPO Q/A.

      The question is (in my words), if blocking msdt.exe with Appcontrol-Tools will be ok. The answer is (in my words): Yes, but you are blocking too much. With the reg-key-solution you will only block the URL-Part of the msdt.

      In my opinion, the GPO-Solution will do the same as the AppControl-Solution. So in my opinion, it will work, but you block too much. The GPO Solution is recommended on many other IT-Blogs. I wonder if Microsoft has answered this Question correctly.

    2. René Joram said on June 8, 2022 at 9:37 am

      I think, that doesn’t make sense.
      In my opinion, both workarounds make the same: Blocking msdt.exe. Via GPO or via AppControl (Defender, Sophos Endpoint etc.)
      So if the answer to the second question is (in my own words): “Yes, it is working as a workaround, but you disable too much with the appcontrol, msdt.exe will not work anymore. With the regkey-solution, you will only block the URL-Part of msdt.”, this answer should also be the answer for the GPO-Question: “You can do it, but you will block too much”.

      A: No, this GPO does not provide protection against this vulnerability. “Interactive communication with support provider” is a special mode MSDT runs in when launched with no parameters which has no impact on MSDT support for URL protocol.

      Q: Is configuring the GPO setting Computer Configuration – Administrative Templates – System – Troubleshooting and Diagnostics – Microsoft Support Diagnostic Tool\”Troubleshooting: Allow users to access recommended troubleshooting for known problems” to “Disabled” another workaround?

      A: No, enabling or disabling this group policy has no effect on the vulnerable part of Troubleshooter functionality, so it is not a viable workaround.

      Q: Is blocking MSDT using technologies such as Windows Defender Application Control (WDAC) equivalent to removing MSDT handler “HKEY_CLASSES_ROOT\ms-msdt” a viable workaround?

      A: Blocking MSDT will prevent all MSDT-based Windows Troubleshooters from launching, such as the Network Troubleshooter, and the Printer Troubleshooter. The recommended workaround disables support for clicking on MSDT links and users can continue to use the familiar Windows Troubleshooters.

  2. Chris said on June 4, 2022 at 2:52 am

    Switched to MacOs beginning of the year. None of this mess I have to deal with anymore.

      1. Mike said on June 4, 2022 at 10:01 am

        Well, those have all been fully patched by Apple already; but nonetheless, macOS gets a constant flow of critical vulnerabilities, and the time to patch can be several months for a lot of them. The nasty part is that Apple generally doesn’t disclose exploits to its users until they complete mitigation, so if you don’t run some seriously legit endpoint protection on your Mac, then you wind up running for months oblivious to the fact that there are god knows how many critical exploits on your system, exposing you to the 25-50% of them being actively leveraged in the wild. Then when Apple rolls out an update with all the patches, if you read the release notes, you get to discover that every time you used Safari to view a PDF it could have allowed escalated Remote Code Execution or some other equally crippling impact for some equally menial task performed. Thanks Apple!

        At work, we run Jamf and MS Defender for Mac to protect client machines and we average something like 80 detections caught each month per Mac. That’s almost 3 a day, I don’t see it being possible for users on a Mac without A/V to not be infected/compromised to some extent at any given point.

        Thank god Microsoft discloses and acknowledges threats in near real time and provides a full break down of the exploits/malware/etc, and when possible offers guidance to mitigate threats to a degree until patched. I’m fairly certain Apple’s rationale behind not disclosing publicly their software’s active vulnerabilities is along the lines of…

        “Uh, duh. If we told users about every severe threat we find when we find it, and said to expect a fix in the coming months then nobody in their right mind would buy a Mac as their desktop/laptop, ever. What are you? Stupid?”

  3. yache said on June 3, 2022 at 5:02 pm

    best I am wait the June monthly updates

  4. Anonymous said on June 3, 2022 at 8:03 am

    How seriously should the average user take this security issue?

    How hard is it for criminals to take advantage of it?

  5. Anonymous said on June 3, 2022 at 5:33 am

    Sigh! I just got through writing a long message to somebody explaining the good thing about Windows (flexibility) is also its Achilles heel. We go to great lengths to protect the heel and along comes Asteropaios and cuts the forearm.

  6. Zero Day Every Day said on June 2, 2022 at 10:06 pm

    Apparently this has been actively used for almost two months already, but let’s not talk about that.

  7. Bobo said on June 2, 2022 at 10:03 pm

    Blaa blaaaa blaaa, who cares. WHEN ARE WE GETTING STICKERS!!!!!!!!!!!????????

  8. TelV said on June 2, 2022 at 9:42 pm

    @Martin,

    When you create a new DWord in the Registry it’s already set to 0 by default so no need to double click it.

    As regards the second vulnerability I don’t have Microsoft Office installed, but I do use the Viewer utility to view files like Excel. Would that be sufficient to enable the exploit?

    1. Martin Brinkmann said on June 3, 2022 at 5:51 am

      Thanks, I corrected the instruction. As far as I understood it, the vulnerability is not limited to Office apps.

  9. ilev said on June 2, 2022 at 7:21 pm

    The way to protect all Windows PCs is to install 0Patch fix.

    1. pHROZEN gHOST said on June 2, 2022 at 9:38 pm

      That’s all well and good if you can be 100% certain that THEY don’t have issues with their software.

      1. ilev said on June 3, 2022 at 7:52 am

        0Patch has never had issues with their software.
        They fix Windows OS better than Microsoft does.

    2. TelV said on June 2, 2022 at 9:19 pm

      Windows 8.1 is not supported by the 0patch.

      In fact, 0Patch announced last year that due to the small number of systems running Windows 8.1 they don’t think it’s worth their while supporting it once Windows Extended Support expires on January 10 next year.

  10. John G. said on June 2, 2022 at 5:01 pm

    Microsoft should be able to release urgent little fixes for these situations asap! :[

  11. Frustrated Grandmother said on June 2, 2022 at 4:58 pm

    Wow, that’s a lot of leg work for Grandma and Grandpa.

    Just another reason why Windows is not ready for the desktop.

  12. Coriy said on June 2, 2022 at 4:55 pm

    So when will a proper fix, rather than this complicated workaround be available? It’s about 12 days to patch Tuesday, or will this warrant an out-of-band update?

  13. pHROZEN gHOST said on June 2, 2022 at 3:18 pm

    Another solution. Remove Windows and install Linux

    1. BogonIP said on June 12, 2022 at 3:22 am

      How is that a Solution pHROZEN gHOST?

      No, it’s a Solution for yourself pHROZEN gHOST!

      Looks like you have never worked in IT or even an IT Help Desk position for that matter in your life.

      350+ Users and you’re the only IT Windows Admin at your Company and you’re the IT Support for the Company.

      And you want to switch from Windows 10 to Linux, just because you can’t fix the Problems or Issues?

      It’s better to let someone think you are an Idiot than to open your mouth and prove it pHROZEN gHOST!

    2. kalmly said on June 2, 2022 at 6:36 pm

      Will do. As soon as Linux can offer me the plethora of software that Microsoft does.

      1. pHROZEN gHOST said on June 2, 2022 at 9:36 pm

        For many of us life is more important than computers!

      2. Anonymous said on June 3, 2022 at 5:21 am

        Then, since you use only Linux why are you wasting your time reading about Windows issues?

      3. Anonymous said on June 3, 2022 at 4:25 am

        We’re all living in a simulation.

  14. Richard Allen said on June 2, 2022 at 3:04 pm

    Wow, what a mess!

    This is another one of those times that I’m thankful to be running Win10 Pro! I’ve used the Group Policy Editor to disable the troubleshooting policy mentioned in the article.

    Martin…”You may undo the change at any time by setting the state of the policy to Disabled (default), or Enabled.” Should that instead be “Not Configured”?

    I have the Windows Search service disabled on my system, would that in any way help with the Windows Search protocol vulnerability? I suspect not but don’t really know.

    1. Richard Allen said on June 2, 2022 at 3:49 pm

      I think I’ve answered my question about the Windows Search protocol vulnerability.

      I just saw an article on Bleeping Computer “New Windows Search zero-day added to Microsoft protocol nightmare”. Article says you can execute a command from a Run dialog or web browser address bar on Windows 7 thru 11. Both methods failed to run on my system! ;)

    2. Martin Brinkmann said on June 2, 2022 at 3:20 pm

      Richard, thanks for spotting this. It should read “not configured”. I changed it.

  15. Mike said on June 2, 2022 at 1:35 pm

    @Martin

    “Note that this removes the user’s option to run troubleshooters in the system. You may undo the change at any time by setting the state of the policy to Disabled (default), or Enabled.”

    I think you meant to say:

    “Note that this removes the user’s option to run troubleshooters in the system. You may undo the change at any time by setting the state of the policy to Not Configured (default), or Enabled.”

    1. Martin Brinkmann said on June 2, 2022 at 3:25 pm

      Mike, that is right. Thank you for letting me know about it. I have edited the sentence.
