This is not possible because:

....
Note that the suspicious scheme ("ms-msdt:/") is not present in the 
document. It's present in the first stage payload that will be downloaded 
by Office. 
....
and
....
The document contains an external reference pointing to a malicious URL:
....

If the malicious URL is known, it can be detected by ASSP using URIBL.
Keep in mind that those malicious URLs can be generated and changed very 
quickly!

> Hopefully clamav will eventually catch it,

I don't think this is possible for every case. Also, traditional AV 
scanners need to know all used malicious URLs. Only a behavior analysis 
of the document will be able to detect the malicious download and 
payload.


Solutions for CVE-2022-30190 are provided by Microsoft:

https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/

Thomas



From:    "K Post" <nntp.p...@gmail.com>
To:      "ASSP development mailing list" <assp-test@lists.sourceforge.net>
Date:    31.05.2022 20:14
Subject: [Assp-test] blocking new MS doc vulnerability (URI attack vector)



Hello Thomas,

Any way for ASSP to block this kind of thing?

https://isc.sans.edu/forums/diary/New+Microsoft+Office+Attack+Vector+via+msmsdt+Protocol+Scheme+CVE202230190/28694

Hopefully clamav will eventually catch it, but it would be great to be able 
to strip documents off using AFC if they contain the URI protocol, just like 
we do for VBA code, etc.

Thanks
_______________________________________________
Assp-test mailing list
Assp-test@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-test
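
Added example (not part of this thread and not ASSP code): the external reference mentioned in the reply can be listed by reading the relationship parts of an OOXML file. The function names and the sample archive with example.invalid URLs are constructed for illustration; the check reports references only and cannot tell whether a URL is malicious.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
MAX_RELS_SIZE = 1 << 20  # skip oversized .rels parts (decompression-bomb guard)


def external_references(data: bytes):
    """Return (part, type, target) for every TargetMode="External" relationship."""
    found = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not info.filename.endswith(".rels") or info.file_size > MAX_RELS_SIZE:
                continue
            # For untrusted mail, a hardened XML parser is the safer choice here.
            root = ET.fromstring(zf.read(info))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode", "").lower() == "external":
                    rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                    found.append((info.filename, rel_type, rel.get("Target", "")))
    return found


def non_hyperlink_external(data: bytes):
    """External targets other than ordinary clickable hyperlinks."""
    return [ref for ref in external_references(data) if ref[1] != "hyperlink"]


def build_sample() -> bytes:
    # Constructed sample: a ZIP holding only a relationships part, not a real document.
    rels = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<Relationships xmlns="{REL_NS}">'
        f'<Relationship Id="rId1" Type="{OFFICE_REL}hyperlink" '
        'Target="https://example.invalid/help" TargetMode="External"/>'
        f'<Relationship Id="rId2" Type="{OFFICE_REL}oleObject" '
        'Target="https://example.invalid/stage1.html" TargetMode="External"/>'
        f'<Relationship Id="rId3" Type="{OFFICE_REL}styles" Target="styles.xml"/>'
        "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    for part, rel_type, target in non_hyperlink_external(build_sample()):
        print(f"{part}: external {rel_type} -> {target}")
```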



