Microsoft fixes two-year-old MSDT vulnerability in August update
August’s Patch Tuesday drop fixes more than 120 CVEs, including another MSDT RCE zero-day that is being actively exploited.
Two-and-a-half years after a security researcher publicly disclosed a remote code execution (RCE) zero-day vulnerability in the Microsoft Windows Support Diagnostic Tool (MSDT), dubbed DogWalk, Microsoft has finally issued a fix for the problem after a new variant emerged. It had previously declined to do so on the basis that the issue did not meet its criteria for a security vulnerability.
Tracked as CVE-2022-34713, the vulnerability can only be exploited if the victim is convinced to open a specially crafted file, which can be delivered either via email or through an attacker-controlled or compromised website. As such, it is rated merely important as opposed to critical.
This is the second major MSDT vulnerability to have been fixed by Microsoft in the past few months, following the disclosure of the dangerous Follina zero-day at the end of May, which was patched in June.
“With reports that CVE-2022-34713 has been exploited in the wild, it would appear that attackers are looking to take advantage of flaws within MSDT as these types of flaws are extremely valuable to launch spear phishing attacks,” said Tenable senior staff research engineer Satnam Narang.
“A variety of threat actors leverage spear phishing, from advanced persistent threat (APT) groups to ransomware affiliates,” he said. “For attackers, bugs that can be executed via malicious documents remain a valuable tool, so flaws like Follina and CVE-2022-34713 will continue to be used for months. Therefore, it is vital that organisations apply the available patches as soon as possible.”
Qualys director of vulnerability and threat research Bharat Jogi added: “The DogWalk zero-day vulnerability is not new to the industry. It was initially reported back in 2019, but not deemed a vulnerability as it was believed to require significant user interaction to exploit, and there were various other mitigations in place.
“However, as we see today’s bad actors growing more sophisticated and creative in their exploits, a recent zero-day that leveraged the ms:msdt protocol URI scheme (Follina) forced MSFT to reconsider DogWalk as a vulnerability,” he said. “Follina has been recently used by threat actors – for example, Chinese APT TA413 – in phishing campaigns that have targeted local US and European government personnel, as well as a major Australian telecommunications provider. Successful exploitation of this vulnerability allows an attacker to deploy malware and gain a foothold on a system.”
The August update fixes a larger-than-average total of 121 vulnerabilities, 17 of them classed as critical – likely in part due to disclosures and proof-of-concept exploits to be shown off at Black Hat USA and the upcoming DEF CON hacker event.
Of the critical vulnerabilities, two of the most severe appear to be CVE-2022-30133 and CVE-2022-35744, both of which are RCE vulnerabilities affecting Windows Point-to-Point Protocol, and both of which carry CVSS scores of 9.8, although neither has been made public or exploited. A full breakdown of this month’s critical vulnerabilities is available from the Zero Day Initiative.
Also particularly noteworthy is a publicly disclosed but not-yet-exploited information disclosure vulnerability affecting Exchange Server, tracked as CVE-2022-30134. Greg Wiseman, lead product manager at Rapid7, explained its significance:
“In this case, simply patching is not sufficient to protect against attackers being able to read targeted email messages,” he said. “Administrators should enable Extended Protection in order to fully remediate this vulnerability, as well as the five other vulnerabilities affecting Exchange this month. Details about how to accomplish this are available via the Exchange Blog.”