Here’s how to protect Windows PCs from protocol vulnerabilities

Two days ago, security researchers revealed a vulnerability in the Microsoft Support Diagnostic Tool that affects all client and server versions of the Windows operating system.

The tool, designed for communicating with support, is built into Windows by default. Microsoft has confirmed the issue and published a support page to provide system administrators with information about the vulnerability.

The vulnerability stems from a problem in the way the Windows operating system handles URL protocols. An attacker can exploit it through applications that use the URL protocol to call the Microsoft Support Diagnostic Tool. Successful exploitation allows attackers to execute arbitrary code with the privileges of the application that makes the call.

Attackers can use it to install or remove programs on Windows machines, delete or modify data, create new user accounts, access files, or make changes to the Windows registry.

Microsoft Workaround for Microsoft Support Diagnostic Tool Vulnerability

Microsoft published a workaround to reduce the attack surface of the vulnerability. The published workaround does not fully protect Windows systems, as troubleshooters can still be accessed through the Get Help app and in System Settings.

Here is the official workaround:

  1. Open the Start menu.
  2. Type command prompt.
  3. Select Run as administrator to launch an elevated command prompt window.
  4. Confirm the UAC prompt.
  5. Run the command reg export HKEY_CLASSES_ROOT\ms-msdt regbackupmsdt.reg to back up the ms-msdt key. The registry file is saved in C:\Windows\System32 by default, but you can add another location in front of the filename regbackupmsdt.reg.
  6. Run the command reg delete HKEY_CLASSES_ROOT\ms-msdt /f to delete the key.

You can restore the key at any time by running reg import regbackupmsdt.reg from an elevated command prompt window. Note that you may need to specify the location of the registry backup file if it is elsewhere on the system.

Microsoft is asking customers with Microsoft Defender Antivirus to enable cloud-delivered protection and automatic sample submission in the app. Microsoft Defender for Endpoint customers can enable the BlockOfficeCreateProcessRule attack surface reduction rule to better protect systems. Enabling the rule prevents Office applications from creating child processes.

Microsoft Defender Antivirus 1.367.851.0 or higher offers detections and protections against possible exploits according to Microsoft:

Trojan:Win32/Mesdetty.A (blocks msdt command line)
Trojan:Win32/Mesdetty.B (blocks msdt command line)
Behavior:Win32/MesdettyLaunch.A!blk (terminates the process that launched the msdt command line)
Trojan:Win32/MesdettyScript.A (to detect HTML files containing a suspicious msdt command being dropped)
Trojan:Win32/MesdettyScript.B (to detect HTML files containing a suspicious msdt command being dropped)

A Better Workaround for Microsoft Support Diagnostic Tool Vulnerability

Microsoft’s workaround does not completely resolve the vulnerability on the system. Although it can stop most attacks, it won’t stop them all because troubleshooting wizards can still be accessed.

Benjamin Delpy published a better solution on Twitter that disables troubleshooting wizards on Windows using Group Policy. (via Deskmodder)

Windows administrators can edit the policy in the Group Policy Editor or by editing the Windows Registry directly.

Group Policy

Note that the Group Policy Editor is only available in professional versions of the Windows operating system. You can check the version by opening the Settings app and going to System > About.

  1. Open the Start menu.
  2. Type gpedit.msc and press the Enter key to launch the Group Policy Editor.
  3. Navigate to Computer Configuration > Administrative Templates > System > Troubleshooting & Diagnostics > Scripted Diagnostics
  4. Double-click the Troubleshooting: Allow users to access and run troubleshooting wizards policy.
  5. Set the policy status to Disabled to prevent system users from launching troubleshooting tools.
  6. Select OK to complete the edit.

The policy is supported on all Windows systems starting with Windows 7 on the client side and Windows Server 2008 R2 on the server side.

Note that this removes the user’s option to run troubleshooters in the system. You can undo the change at any time by changing the policy status to Not Configured (default) or Enabled. System admins may want to revert the change once Microsoft rolls out an official fix in a future update.

Registry Editor

Windows administrators can modify the Windows registry to disallow running troubleshooting wizards on the system. This is the best option on home systems, which do not support the Group Policy Editor, but some administrators may also prefer editing the registry to using Group Policy.

  1. Open the Windows Start menu.
  2. Type regedit.exe and press the Enter key; this opens the Windows Registry Editor.
  3. Confirm the UAC prompt.
  4. Navigate to Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnostics.
    1. It is possible that one or more of the listed keys does not exist. You may need to create the missing keys by right-clicking the previous key and selecting New > Key from the context menu. Repeat the process until all keys are present.
  5. Right-click ScriptedDiagnostics and select New > DWORD (32-bit) Value.
  6. Name it EnableDiagnostics.
  7. Make sure the value is 0. Otherwise, double-click EnableDiagnostics and set the DWORD value to 0.
  8. Close the Registry Editor window.
  9. Restart the Windows PC to apply the change.

To undo the change, right-click EnableDiagnostics in the Windows Registry Editor and select the Delete option. A reboot is required to apply the change.
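The registry steps above can also be scripted. The following PowerShell is an added example, not part of the original article or Microsoft's guidance; the function names are assumptions chosen for illustration. It creates any missing keys, sets EnableDiagnostics to 0, reads the value back to confirm it, and provides the undo step.

```powershell
#Requires -RunAsAdministrator
# Added example: scripted form of the Registry Editor procedure.
# Function names are hypothetical; key path and value name come from the article.

$key  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnostics'
$name = 'EnableDiagnostics'

function Get-DiagnosticsPolicy {
    # Returns NotConfigured when the key or the value is missing.
    $prop = Get-ItemProperty -LiteralPath $key -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return 'NotConfigured' }
    if ($prop.$name -eq 0) { return 'Disabled' }
    return 'Enabled'
}

function Disable-TroubleshootingWizards {
    # Step 4.1: create missing keys. The Test-Path guard matters because
    # New-Item -Force on an existing key would recreate it and drop its values.
    if (-not (Test-Path -LiteralPath $key)) {
        New-Item -Path $key -Force | Out-Null
    }
    # Steps 5-7: 32-bit DWORD named EnableDiagnostics with value 0.
    New-ItemProperty -LiteralPath $key -Name $name -PropertyType DWord -Value 0 -Force | Out-Null

    # Read back instead of trusting the write.
    $kind = (Get-Item -LiteralPath $key).GetValueKind($name)
    if ($kind -ne 'DWord' -or (Get-DiagnosticsPolicy) -ne 'Disabled') {
        throw "EnableDiagnostics was not set as expected (kind: $kind)."
    }
    Write-Output 'EnableDiagnostics = 0. Restart the PC to apply the change.'
}

function Restore-TroubleshootingWizards {
    # Undo: delete the value, which returns the policy to Not Configured.
    Remove-ItemProperty -LiteralPath $key -Name $name -ErrorAction SilentlyContinue
    Write-Output "Policy state: $(Get-DiagnosticsPolicy). Restart the PC to apply the change."
}

Write-Output "Current policy state: $(Get-DiagnosticsPolicy)"
Disable-TroubleshootingWizards
```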

Windows Search Protocol Vulnerability

Another vulnerability in protocol handling on Windows was disclosed yesterday. The new vulnerability exploits an issue in the Windows search-ms search protocol handler.

The new vulnerability, disclosed by Twitter user hackerfantastic.crypto, can be exploited to automatically launch a Windows search window when an Office document is opened. The search window may show executable files on a remote SMB share using names such as Critical Updates to trick users into installing the malware.

Attackers can also take advantage of Explorer’s preview pane and specially prepared RTF documents to automatically launch the search window when the document is rendered in the file manager’s preview pane.

The problem requires user interaction, but it can still lead to infection of users’ systems if users are not careful what they open on their devices.

Microsoft has not yet confirmed the new issue. Administrators can block it by deleting the search-ms protocol handler in the Windows registry:

  1. Open the Start menu.
  2. Type command prompt.
  3. Select Run as administrator to launch an elevated command prompt window.
  4. Confirm the UAC prompt.
  5. Run the command reg export HKEY_CLASSES_ROOT\search-ms search-ms.reg to back up the registry key.
  6. Run the command reg delete HKEY_CLASSES_ROOT\search-ms /f to delete the registry key.
  7. Close Registry Editor.
  8. Restart the PC.

To restore functionality, run reg import search-ms.reg from an elevated command prompt window.
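Both handler workarounds in this article (ms-msdt and search-ms) follow the same back-up-then-delete pattern. The PowerShell below is an added example, not from the original article or from Microsoft; the function name and the backup directory are assumptions. It refuses to delete a key unless the export succeeded and produced a non-empty file, and it confirms the key is gone afterwards.

```powershell
#Requires -RunAsAdministrator
# Added example: back up, then delete, the protocol handler keys named in the article.
# Remove-ProtocolHandler and the backup directory are hypothetical choices.

function Remove-ProtocolHandler {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][ValidateSet('ms-msdt', 'search-ms')][string]$Scheme,
        [string]$BackupDir = "$env:ProgramData\HandlerBackup"   # assumed location
    )
    $regPath = "HKEY_CLASSES_ROOT\$Scheme"
    $psPath  = "Registry::$regPath"

    if (-not (Test-Path -LiteralPath $psPath)) {
        Write-Output "${Scheme}: handler key already absent"
        return
    }

    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    $stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
    $backup = Join-Path $BackupDir "$Scheme-$stamp.reg"

    # Same reg export as the manual step; /y overwrites without prompting.
    & reg.exe export $regPath $backup /y | Out-Null
    $exported = ($LASTEXITCODE -eq 0) -and (Test-Path -LiteralPath $backup)
    if (-not $exported -or (Get-Item -LiteralPath $backup).Length -eq 0) {
        throw "Backup of $regPath failed; key left untouched."
    }

    if ($PSCmdlet.ShouldProcess($regPath, 'reg delete /f')) {
        & reg.exe delete $regPath /f | Out-Null
        if ($LASTEXITCODE -ne 0 -or (Test-Path -LiteralPath $psPath)) {
            throw "Delete of $regPath failed; backup is at $backup."
        }
        Write-Output "${Scheme}: removed. Restore with: reg import `"$backup`""
    }
}

# Apply both workarounds; add -WhatIf to export the backups without deleting.
'ms-msdt', 'search-ms' | ForEach-Object { Remove-ProtocolHandler -Scheme $_ }
```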

Summary

The description

Instructions for Windows client and server administrators to protect Windows devices from protocol vulnerabilities.

Author

Martin Brinkmann

Editor

Ghacks Technology News
