As already shared by
These steps have been detailed on my blog via the link below. You do not need to visit it, as all the steps are reproduced here as well, but you will find interesting discussions on this topic there.
What is MSDT?
Microsoft Support Diagnostic Tool (MSDT) is a service in Windows 11/10/8 and 7 and also on Windows Server. The tool allows Microsoft support representatives to analyze diagnostic data and find a resolution to issues.
A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word. An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, delete data, or create new accounts in the context allowed by the user’s rights. You can learn more about this vulnerability by clicking on this link.
Workaround
Until the updates are released, Microsoft has provided a workaround for the remote code execution vulnerability in MSDT. Below are the steps to mitigate this flaw.
1: Run Command Prompt with Administrator privileges.
2: Run the following command to back up the registry key: "reg export HKEY_CLASSES_ROOT\ms-msdt filename"
Note: filename is the name you want to give the backup file.
3: Execute the command "reg delete HKEY_CLASSES_ROOT\ms-msdt /f".
How to undo this Workaround
If for some reason you wish to undo this workaround, for example because Microsoft has provided a permanent fix such as a Windows update, the following steps will help in undoing the changes applied.
1: Run Command Prompt as Administrator.
2: To restore the registry key, execute the command "reg import filename".
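The backup, delete and restore steps above can be wrapped so that the key is never deleted without a verified backup and each step is checked afterwards. This is an added PowerShell example, not from the original post or from Microsoft; the backup location is an assumed path, and it must be run from an elevated session.

```powershell
# Added example: apply, verify and undo the ms-msdt URL-handler workaround.
# Run from an elevated PowerShell session. $BackupPath is an assumed location.

$KeyPath    = 'Registry::HKEY_CLASSES_ROOT\ms-msdt'
$BackupPath = "$env:ProgramData\ms-msdt-backup.reg"   # assumed path

function Test-MsdtHandlerPresent {
    # True while the ms-msdt: protocol handler is still registered.
    return (Test-Path -Path $KeyPath)
}

function Backup-MsdtHandler {
    # Step 2: reg.exe export; /y overwrites an existing backup file.
    if (-not (Test-MsdtHandlerPresent)) {
        throw "Nothing to back up: $KeyPath does not exist"
    }
    & reg.exe export 'HKEY_CLASSES_ROOT\ms-msdt' $BackupPath /y | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path -Path $BackupPath)) {
        throw "Backup failed; the key will not be deleted"
    }
    Write-Host "Backup written to $BackupPath"
}

function Disable-MsdtHandler {
    # Step 3: remove the key, but only after a verified backup exists.
    Backup-MsdtHandler
    & reg.exe delete 'HKEY_CLASSES_ROOT\ms-msdt' /f | Out-Null
    if (Test-MsdtHandlerPresent) { throw "Key still present after delete" }
    Write-Host 'ms-msdt handler removed'
}

function Restore-MsdtHandler {
    # Undo: re-import the backup taken earlier and confirm the key is back.
    if (-not (Test-Path -Path $BackupPath)) { throw "No backup at $BackupPath" }
    & reg.exe import $BackupPath | Out-Null
    if (-not (Test-MsdtHandlerPresent)) { throw "Import did not restore the key" }
    Write-Host 'ms-msdt handler restored'
}

# Usage:
#   Disable-MsdtHandler   # apply the workaround
#   Restore-MsdtHandler   # undo it once the permanent fix is installed
```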
Alternative Workaround - Disable “Troubleshooting wizards” by GPO
This policy setting allows users to access and run the troubleshooting tools that are available in the Troubleshooting Control Panel and to run the troubleshooting wizard to troubleshoot problems on their computers. If you enable or do not configure this policy setting, users can access and run the troubleshooting tools from the Troubleshooting Control Panel.
Computer Configuration/Policies/Administrative Templates/System/Troubleshooting and Diagnostics/Scripted Diagnostics
On the "Troubleshooting: Allow users to access and run Troubleshooting Wizards" policy, select Disabled.
Note that this setting also controls a user's ability to launch standalone troubleshooting packs such as those found in .diagcab files.
Microsoft Defender Detections & Protections
If you use Microsoft Defender Antivirus, turn on cloud-delivered protection and automatic sample submission. These capabilities use artificial intelligence and machine learning to quickly identify and stop new and unknown threats.
Microsoft Defender Antivirus provides detections and protections for possible vulnerability exploitation under the following signatures using detection build 1.367.719.0 or newer:
- Trojan:Win32/Mesdetty.A (blocks msdt command line)
- Trojan:Win32/Mesdetty.B (blocks msdt command line)
- Behavior:Win32/MesdettyLaunch.A!blk (terminates the process that launched msdt command line).
As discussed earlier, more information on this vulnerability and previous ones can be found on my blog.