Microsoft Word “Zero Day, Zero Click” Vulnerability

A remote code execution security flaw in Microsoft Office has been detected and is reported as being exploited in the wild. The U.S. National Vulnerability Database has assigned it the identity CVE-2022-30190 and scored its severity as “7.8 High”. The flaw is known to exist in all versions of Microsoft Windows from 7 through 11, and with all released security patches installed. Microsoft has not yet released a patch to correct the vulnerability.

The vulnerability exploits one of Microsoft’s typically stupid “features” in which a Microsoft Word document can fetch a “remote template” from an external Web server via a specified URI. The attack document specifies a URI with a scheme of “ms-msdt://”, which causes commands to be sent to another stupid Microsoft “feature” called the Microsoft Support Diagnostics Tool, which can be caused to execute stupid “PowerShell” commands with the user’s privilege.

What is particularly nasty about this flaw is that a user does not even have to open the document to trigger it. Simply viewing an RTF file containing the exploit with Windows Explorer (the stupid file browser, not the stupid Internet browser) with the stupid preview mode enabled (which is the default) is enough to trigger the exploit. This happens even if the user has completely disabled macros in Microsoft Word.

The Hacker News has details of the exploit and systems affected: “Watch Out! Researchers Spot New Microsoft Office Zero-Day Exploit in the Wild”. Here is a more technical, detailed analysis by Huntress.com, “Rapid Response: Microsoft Office RCE — ‘Follina’ MSDT Attack”. Here is Microsoft’s “Guidance for CVE-2022-30190 Microsoft Support Diagnostic Tool Vulnerability”. Fourmilab’s guidance remains “Don’t allow any Microsoft garbage in your shop.”

8 Likes
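A defensive triage check for the mechanism described in the post above, as an added example that is not part of the original thread: it lists external, automatically loaded relationships (such as a remote template) and any `ms-msdt:` reference inside a `.docx` package. It covers OOXML files only, not RTF; the size cap, the hyperlink exclusion, the `build_sample` helper and the `example.invalid` target are assumptions made for illustration.

```python
import io
import xml.etree.ElementTree as ET
import zipfile

PKG_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
TYPE_BASE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
MAX_PART = 10 * 1024 * 1024  # assumed cap on declared part size (zip-bomb guard)
CLICK_ONLY = {"hyperlink"}   # assumption: only followed when the user clicks

def scan_docx(data: bytes) -> list[tuple[str, str, str]]:
    """Return (part, finding, detail) for each suspicious item in a .docx."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.file_size > MAX_PART:
                findings.append((info.filename, "oversized-part", str(info.file_size)))
                continue
            raw = zf.read(info)
            if b"ms-msdt:" in raw.lower():  # URI scheme named in the post
                findings.append((info.filename, "ms-msdt-reference", ""))
            if not info.filename.endswith(".rels"):
                continue
            try:
                root = ET.fromstring(raw)
            except ET.ParseError:
                findings.append((info.filename, "unparseable-rels", ""))
                continue
            for rel in root.iter(f"{{{PKG_NS}}}Relationship"):
                kind = rel.get("Type", "").rsplit("/", 1)[-1]
                if rel.get("TargetMode") == "External" and kind not in CLICK_ONLY:
                    findings.append((info.filename, f"external-{kind}", rel.get("Target", "")))
    return findings

def build_sample(rel_type: str, mode: str) -> bytes:
    """Constructed test package (not a real sample): one relationships part."""
    rels = (
        f'<Relationships xmlns="{PKG_NS}">'
        f'<Relationship Id="rId1" Type="{TYPE_BASE}{rel_type}" '
        f'Target="https://example.invalid/template" TargetMode="{mode}"/>'
        "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()

if __name__ == "__main__":
    for finding in scan_docx(build_sample("attachedTemplate", "External")):
        print(finding)
```

A finding is a reason to inspect the file, not a verdict: legitimate documents can also reference external templates.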

There goes another layer of my feeling of modest safety using my computer. I practice pretty good use-hygiene when it comes to what I click. Now, I learn that there exist “zero click” vulnerabilities! I use Brave browser and search, a VPN, Proton for mail. If I could find a computer condom, I would wear it for all internet penetrations - though who knows the practices of those who lust after penetrating my little nook of cyber space.

3 Likes

I have been using Apache OpenOffice apps https://www.openoffice.org/ for over a decade now, and apps work better (in my opinion) than Microsoft’s current office which I use at work because it is the company standard. At home my family uses Apache.

Does anyone know the logic of Microsoft removing menus and replacing them with Microsoft Ribbon?

Is Microsoft Ribbon the polite name for a “Microsoft Zero UI”?

3 Likes

This is virtually abandonware. The LibreOffice project forked OpenOffice about 12 years ago, and more than 90% of the developers went with the LibreOffice fork.

The disparity remains. OpenOffice hasn’t kept up. It should never be recommended by anyone who cares about security.

5 Likes

Here is a description of the vulnerability from Mental Outlaw, noting that Microsoft has known about it since at least April 2022 and has done nothing about it. Note that the fundamental flaw in “msdt” which allows bypassing its authentication is a buffer overflow. In 2022—a buffer overflow.

Where do you want to go today?

3 Likes

Yikes. This seems like a catastrophically bad exploit. Thank you for the warning.

I do most of my work on Macs, which have a reputation for being more secure, but I’m not really sure if this is true or not. Planning to switch to LibreOffice on my Windows machines per @pturmel’s suggestion.

3 Likes

“70% of all security bugs are MEMORY safety bugs.”
https://www.zdnet.com/article/chrome-70-of-all-security-bugs-are-memory-safety-issues/

“Apple’s T2 Security Chip Has an Unfixable [memory] Flaw allowing hackers to disable macOS security features like System Integrity Protection and Secure Boot and install malware” -Wired.com

Unlike other memory allocators, SLIMalloc (2020), while faster, BLOCKS memory errors and fatal system errors (to cover even more ground).

https://www.researchgate.net/publication/349138538_SLIMalloc_a_Safer_Faster_and_more_Capable_Heap_Allocator