Microsoft has released its monthly “Patch Tuesday” for August while also confirming that one zero-day vulnerability, tracked as CVE-2022-34713, also known as DogWalk, is actively being exploited. The vulnerability affects all currently supported versions of Windows and Windows servers.
The bug exists in the Windows Support Diagnostic Tool (MSDT), and exploitation can lead to a full system compromise as it’s a high-risk remote code execution vulnerability.
This isn’t the first time MSDT or DogWalk has been exploited either. It was first disclosed in January 2020 by security researcher Imre Rad, but Microsoft didn’t consider it a security issue at the time. It was once again brought to attention by Twitter user J00sean, who tweeted a complete exploit walkthrough.
Outside of DogWalk, the August security update from Microsoft covers 120 other vulnerabilities, 17 of which are rated critical, 102 important, one moderate and one low. DogWalk is already being exploited out of the two bugs marked as publicly known. This is the second largest Patch Tuesday release this year and almost thrice the size of last year’s August update.
Microsoft notes that exploitation requires the user to open a maliciously crafted file meaning that there’s a social engineering or phishing campaign that the attacker needs to run to get the target to open a malicious document or visit a compromised site. The vulnerability can be exploited in the following two ways:
- Via Email: An attacker can trick the user into opening a maliciously crafted site sent via email.
- Web-based attack: An attacker can host a website or use a compromised website that accepts or hosts user-provided content to host and deliver the malicious file.
The vulnerability has been added to CISA’s Known Exploited Vulnerabilities list, and federal agencies have been ordered to patch it before the month ends. We recommend Windows users do the same.
Someone who writes/edits/shoots/hosts all things tech and when he’s not, streams himself racing virtual cars. You can reach out to Yadullah at [email protected], or follow him on Instagram or Twitter.