Microsoft has released security updates to address a high-severity Windows zero-day vulnerability that has publicly available exploit code and has been abused in attacks.
Fixed as part of the August 2022 Patch Tuesday, this security flaw is now tracked as CVE-2022-34713 and has been jokingly named DogWalk.
It is caused by a path traversal weakness in the Windows Support Diagnostic Tool (MSDT) that attackers can exploit to achieve remote code execution on compromised systems.
They can do so by adding a maliciously crafted executable to the Windows Startup when the target opens a maliciously crafted .diagcab file (received via email or downloaded from the web).
The planted executable is then run automatically the next time the victim restarts their Windows device, and can perform various tasks such as downloading additional malware payloads.
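The persistence step described above can be watched for in file-creation telemetry. The following added example (not code from Microsoft or from the original article) classifies events shaped like Sysmon FileCreate records; the sample events are constructed, and treating msdt.exe as the process that performs the write is an assumption.

```python
import ntpath
import re

# Per-user and all-users Startup folders (standard Windows locations).
STARTUP_RE = re.compile(
    r"\\(appdata\\roaming|programdata)\\microsoft\\windows"
    r"\\start menu\\programs\\startup\\",
    re.IGNORECASE,
)
# File types that are launched when the Startup folder is processed at logon.
RUNNABLE = {".exe", ".scr", ".com", ".bat", ".cmd", ".lnk", ".vbs", ".js"}

# Constructed sample events using the Image / TargetFilename field names
# of Sysmon FileCreate (Event ID 11). User and file names are made up.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\msdt.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows"
                       r"\Start Menu\Programs\Startup\update.exe"},
    {"Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetFilename": r"C:\ProgramData\Microsoft\Windows"
                       r"\Start Menu\Programs\StartUp\agent.lnk"},
    {"Image": r"C:\Windows\System32\msdt.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\SDIAG_1\results.xml"},
    {"Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows"
                       r"\Start Menu\Programs\Startup\notes.txt"},
]


def classify(event):
    """Return 'high', 'medium' or None for one file-creation event."""
    target = event["TargetFilename"]
    if not STARTUP_RE.search(target):
        return None                      # not written into a Startup folder
    if ntpath.splitext(target)[1].lower() not in RUNNABLE:
        return None                      # would not be launched at logon
    writer = ntpath.basename(event["Image"]).lower()
    # Assumption: the diagnostic tool (msdt.exe) is the writing process.
    # Any other writer is still worth a look, at lower priority.
    return "high" if writer == "msdt.exe" else "medium"


def triage(events):
    """Return (severity, path) for every event that should be reviewed."""
    return [(classify(e), e["TargetFilename"]) for e in events if classify(e)]


if __name__ == "__main__":
    for severity, path in triage(SAMPLE_EVENTS):
        print(f"{severity:6} {path}")
```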
DogWalk was publicly disclosed by security researcher Imre Rad more than two years ago, in January 2020, with Microsoft responding to his report by saying it would not provide a fix because it was not a security issue.
However, the Microsoft Support Diagnostics Tool bug was recently rediscovered and brought back to public attention by security researcher j00sean.
While unauthenticated attackers can exploit the vulnerability in low-complexity attacks, successful exploitation requires user interaction (tricking the target into opening a malicious email attachment or clicking a link to download and run a malicious file).
“In the scenario of an email attack, an attacker could exploit the vulnerability by sending a specially crafted file to the user and convincing the user to open the file,” Microsoft explains in today’s advisory.
“In a web-based attack scenario, an attacker may host a website (or take advantage of a compromised website that accepts or hosts user-supplied content) that contains a specially crafted file designed to exploit the vulnerability.”
According to Microsoft, DogWalk affects all supported Windows versions, including the latest client and server releases, Windows 11 and Windows Server 2022.
Last month, Microsoft was forced to publish an official security advisory about another Windows MSDT zero-day (known as Follina) after rejecting an initial report and tagging it as not a “security-related issue”.
Today, the company also released security updates to address a publicly disclosed zero-day tracked as ‘CVE-2022-30134 – Microsoft Exchange Information Disclosure Vulnerability’, which allows attackers to read targeted email messages.
In total, Microsoft patched 112 vulnerabilities as part of the August 2022 Patch Tuesday, including 17 critical ones that allow remote code execution and privilege escalation.