Current patch is to disable or delete access to MSDT altogether.
Run CMD as Admin by pressing Windows key+X, then press A (if "Replace CMD with Powershell on right-click start button or Win+X" option is disabled under Settings>Personalization>Taskbar)
- Export the key (to any directory, e.g. Desktop):
reg export HKEY_CLASSES_ROOT\ms-msdt "%USERPROFILE%\Desktop\regbackupmsdt.reg"
- Delete the key:
reg delete HKEY_CLASSES_ROOT\ms-msdt /f
Thanks
Uploaded 57 seconds ago....sorry I'm late Leo....
Uploaded 22h hours ago… well I’m a little late x)
Uploaded 4days ago sorry leo
So MSDT is useful after all - unfortunately only to adversaries :D
U did not cover the rtf exploit where just clicking the file once and previewing in explorer would trigger msdt
It has been a year now and Bitdefender claims they improved real time protection features.. to be honest don't trust them nor the things they say. May you please upload a test of Bitdefender vs malware, and same for Kaspersky, thanks so much Leo.
Hi! Please can you make a tier list also for CPU Usage? Because some antiviruses really affect the performance!!
For example which is more lightweight? Kaspersky / Bitdefender ? As they are one of the best ones
I haven't used msoft office in nearly a decade, I don't need to, but this is good to know.
Once you gain a connection to the victim's server, wouldn't you have to disable Win Defender before running a payload with RATs and persistence?
My guess is you'd need to do a bit of RCE prep through shell commands beforehand. Not sure though, just a hobbyist myself
Sometimes yes. There are stealers currently that are almost fully undetected
It's undetectable because it's seen as system scripts instead of 3rd party scripts
@@StudioHawaii ah. So the exploit actually hides through a compromised msdt function…and you use that as a vessel to execute payloads which will automatically bypass all security measures. I think I understand, will definitely look into this in more depth
@@rufussthubbins8891 why would Windows Defender not trust Microsoft
@@StudioHawaii I think you misunderstood me. I said exploit acts as an msdt (Microsoft tool) so it bypasses security. So I agree, Microsoft will not check Microsoft.
The temporary fix is not to click on the Open button.
thank you for covering follina.
how do I disable the URL handler
you mean removing the msdt tool name from the registry?
Good Video 👍
According to the CVE page, it seems to say that if we use Defender with the cloud protection settings, this should already be protected against. Should I still use the workaround to disable MSDT if I don't really ever download Office docs or visit sketchy sites?
EDIT: Guess this is null since MS rolled out a security patch today.
What happens if the infected Word document is opened in Windows by OpenOffice or LibreOffice? I guess the exploit does not work on Linux or Mac OS.
how can I run links inside a virtual machine without getting hacked .. just to test links
thank you sir :)
Aw shit, here we go again.
and how to disable url handler in windows 10?
That's why for office stuff I use Linux and always prefer open source software.
This is the worst statement I've ever heard when every Linux user's dream is having Microsoft's Office available on Linux. For good reason.
@@TheFPSPower 100% wrong. This is one user that uses an open source office suite even on Windows
@@TheFPSPower I've been a Linux user for 20+ years and it has never been my dream to run MS Office. It's an expensive perpetual dumpster fire that has long since been supplanted by other office suites like Open Office or Libre Office. Both of those office suites have virtually identical feature sets and can even open, edit and save in MS Office formats.
Even on Windows, I would never willingly use MS Office, especially now that MS doesn't want you to own software anymore, they want you to rent it. Who in their right mind would pay a monthly subscription for Office 365 when free open source software can do everything it can?
You are completely out of touch with reality.
@@GGigabiteM Am I really out of touch with reality when most of those alternatives only provide good English support for type correction and even then it's nowhere near what Word can do?
Or Excel, the standard for spreadsheets used in every business.
Or when you can't even guarantee documents will look the same to other people without exporting to a PDF?
It's true Microsoft prefers to sell you Office 365 but you can still buy a standalone licence with no issues.
The first thing people are disappointed about when they try linux is not having Microsoft Office and that's the truth. Open source has gotten better in recent years, but still...
@@gzcwnk Yes me too using Libre on windows
Sorry - I'll make my own answer. Advice faulty as it does not apply to Win7.
"The MSDT URL protocol is available in Windows Server 2019 & Windows 10 version 1809 and later supported versions of Windows. The registry key mentioned in the workaround section will not exist in earlier supported versions of Windows, so the workaround is not required."
HO humm.
Was not there one linked to Note Pad - Sticky Notes etc a few days ago?
is there any risk of getting infected if I have an antivirus like Kaspersky Free?
If I have disabled remote access in settings, then won't this block it?
Where can I find a jigsaw sample I have almost every ransom that is well known I just need jig 🙏🙏
good work, but if I have a local machine on a domain with low privilege, how do I apply this on my own machine to give myself admin rights by just executing an .exe file and escalating my privilege? thank you
So the main problem is with the URL handler and making your browser open a program while passing along a payload? That's if I'm understanding it correctly. Maybe we need some verification on URL handlers then? Something similar to SSL where the browser can check if the page trying to open a local app is verified in some way and warn the user that the site trying to open the link is dodgy.
no problem we wont use office then
libre is better anyways
@@lilililiililili6363 Far from it.
And where on Micro$oft site can you find the fix / patch?
A request to evaluate “Fortinet EDR solution”
Can you demo Searchnightmare? The one against ms-search
Wouldn't a firewall stop attacks like these?
No. You can use payloads that allow remote control that can get around the firewall and NAT.
This video is fine from an educational point of view, BUT .....
for me as an end-user what interests me is what kind of reaction I will get from my antivirus when this thing is trying to exploit my system.
I don't pay money for full licences in order to try to discover on my own what I should disable or not in every little program on my PC !!
I'm not a software analyst/expert, that's why I buy internet-security programs, most of which advertise themselves on their *A.I. capabilities, their real-time data protection* and all the rest ...
So for me as an end-user what matters is if my internet security can kick in and protect me from exploits such as this. There are hundreds (possibly thousands) of malware out there, it's not feasible for us to learn how each one works, but rather how much protection an Internet Security program can provide us against all those threats.
---P.S. In this video you haven't even informed us whether Windows Defender was activated or not or if some other AV was installed ...
and that's the problem nowadays. no one wants to learn about smh, everything has to work and if not I pay to let it work. don't wanna blame u or anything but even the best antivirus tool can't find everything because it has to learn the things as well. to sum up, train yourself and if you wanna have something that can detect common or old malware, buy an antivirus tool. hope u got my point, have an awesome day/night.
@@oxideiscrazy no I can't get your point, because just like I said, there can be thousands of malware and even more software vulnerabilities, it's simply impossible for me to pay attention to them all.
Let's take this one for example and let's say that my PC was one of the targets.
In order for me to be protected, I should be alerted in order to watch this video ... the second it was uploaded in order to be fully prepared ... *IF* we assume that this video was uploaded just in time for this threat (which is not the case, since, afterwards, I noticed that there are other videos about this threat which are quite older and I didn't even know about them).
So this video wasn't uploaded just in time in order for me to be protected just by watching this. (from what I've watched in other videos, *EVEN MS's representative had doubted this vulnerability when 1st presented to them* !!! *it took time for MS themselves to acknowledge that this problem is severe* !! *so, with that in mind, what do you expect from me - an end-user - to do* ?? !!
And this is only an example. Imagine this scenario for the case I described above being repeated for all those thousands of vulnerabilities out there, it's impossible for me to track them all, that's why I have to rely on an Internet Security program.
It's their line of job to be updated about those threats the moment they appear and enhance their Security software, and they advertise them as such.
So really, as I said, this video is fine just for educational purposes, but for all the end-users out there, the important thing is: can my AV notice this malicious behaviour and intervene ?? that's the practical question. and this channel has been doing such content for a long time, so I expected to be informed from this aspect.
---P.S. Again, we weren't even told if Windows Defender or some other AV was activated during this vulnerability description/exploitation, something very essential in order to have a full picture of its actual severity ...
@@Sitharii I do get your point but that's impossible. How should the AV detect something which is completely built of scrap? Sure they could detect some structures or code which is similar to other malware but seriously, if I had the knowledge and wanted to spread harm via malware I would double check everything so it will not be detected. We may have to accept that there is no 100% guarantee to be safe and if this is a problem you can't handle you shouldn't use your PC/mobile/etc.
@@oxideiscrazy As far as I can understand, the way a lot of AVs work today is by using a behaviour shield, meaning incoming/outgoing traffic that the behaviour shield detects as unusual/malicious is being blocked.
I've witnessed AVs doing that in some PCs in my work environment (I've told my experience in this channel quite some time ago).
Specifically I've seen Malwarebytes intercepting a threat that was trying to send outgoing information (don't ask me where, I don't have a clue) and those outgoing attempts were being repeated every few seconds, but when I installed Malwarebytes on that PC I watched it *constantly & endlessly keep intervening and blocking those attempts*, so I've seen an AV in action and I believe that they have come a long way and they can detect malicious behaviour pretty well.
---P.S. I know there is no 100% guarantee, that's why for many years I've been using several AVs and comparing them, trying to figure out which one can give me the closest to that 100% guarantee .... that's the reason I started to watch this channel as well ...
@@Sitharii alright m8 anyways stay safe and have an awesome day.
The URL handler is very useful to me, I'm not gonna disable it. MS guys should find another way.
good morning
can someone say what language is used for that ???? pls
If I don't click on any attachments/word documents, am I safe from this exploit? Or is there a way that attackers can gain access without me doing anything unsafe?
When I try to backup the registry key it tells me that "the system was unable to find the specified registry key or value".
Cause you don't have MS Office.
@@Mario583a or using older system :D
Honestly, forget backing it up. Nobody would ever use a program that is now only known for being insecure. Delete it, flat out.
Even though they came out with the patch, I'm still curious, but most of the videos I've been seeing about MSDT are about one that requires some kind of code and most of the exploiting is being done through email attachments, but wouldn't you still be in trouble using the Microsoft troubleshooter in general (the one you find in Control Panel)? Cause I'm sure they serve the same function (seen MSDT temp files every time I've run it), so just wondering, would you still be affected by the exploit if you used it at any point?
Hi what about tron script
I tried to follow the regedit advice on Win7 64 Ultimate
but I have no registry key ms-msdt anywhere, in fact no *msdt, but I do have some MSDTC
If I run "MSDT" then it starts the tool
The MS instructions are clear that they apply to Win7 as well as 10 and 11, so what next, please?
That's totally different, MSDT is the Microsoft Support Diagnostic Tool,
while MSDTC is the Microsoft Distributed Transaction Coordinator
The registry keys do not exist on Windows versions earlier than Windows 10, particularly 1809
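A scripted form of the back-up-then-delete workaround quoted earlier in this thread, with the existence check that the Win7 poster above was missing, as an added example that is neither the video's nor any commenter's. It assumes an elevated PowerShell session; the backup file name regbackupmsdt.reg on the current user's Desktop is borrowed from the comment above, while the path construction, the exit-code checks and the final verification are this example's own choices.

```powershell
# Added example (not from the video or the thread): remove the ms-msdt URL-protocol
# handler safely. Only the HKCR\ms-msdt mapping is removed; msdt.exe itself stays, so the
# Control Panel troubleshooter keeps working, it just can no longer be launched via ms-msdt: URLs.
#Requires -RunAsAdministrator

$keyPath = 'HKEY_CLASSES_ROOT\ms-msdt'
# Backup location is an assumption of this example: the user's Desktop.
$backup  = Join-Path ([Environment]::GetFolderPath('Desktop')) 'regbackupmsdt.reg'

# 1. The key only exists on Windows 10 1809+ / Server 2019+; on older builds there is
#    nothing to remove, which is why "reg export" reports "unable to find the specified key".
if (-not (Test-Path "Registry::$keyPath")) {
    Write-Host "No $keyPath key found: this build has no ms-msdt URL handler, workaround not needed."
    return
}

# 2. Export the key before touching it; refuse to delete if the backup did not land on disk.
reg.exe export $keyPath $backup /y
if ($LASTEXITCODE -ne 0 -or -not (Test-Path $backup)) {
    throw "Backup of $keyPath failed; leaving the key in place."
}
Write-Host "Backed up $keyPath to $backup"

# 3. Remove the handler registration.
reg.exe delete $keyPath /f
if ($LASTEXITCODE -ne 0) { throw "Deleting $keyPath failed." }

# 4. Verify the mapping is really gone.
if (Test-Path "Registry::$keyPath") { throw "$keyPath is still present after delete." }
Write-Host "ms-msdt handler removed. Restore later with: reg.exe import `"$backup`""
```

Restoring the handler after the proper security update is installed is the reverse step shown in the last line (reg.exe import of the saved file).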
Mahalo!
Somewhere in 2069th year: hey, I just hacked someone with recycle bin
Please sponsor tw1fa also I watch you a lot
👍
luckily i have never used word or powerpoint or anything like that lol
Why would u use anything named Microsoft 🤣
What's so funny? Most programs and games are created only for Windows. And the Microsoft office package gives 100% compatibility and confidence that the other person will have everything exactly the same as you have in the document. Anything is better than sitting on a penguin without a bunch of everything you need 🤣🤣🤣🤣
@@yrmuq Why are u guys anti gnu/linux?
@@notimportant1542 No one is against penguins, but nothing to be proud of if you have a penguin OS installed. There are no less problems in it, they are just different.
@@yrmuq It's personal preference bro, but yeah I get that support on gnu/linux is not the best and not beginner friendly on some applications. It will be on par but it's a matter of when it's going to happen, also I want competition in the os space so supporting it will benefit us.
Why would you use Linux if you're not a dev? It's a waste of an OS.
8th