DogWalk comes soon after another MSDT zero-day vulnerability dubbed Follina was discovered, and Microsoft claimed it was a non-security issue.
Last week a critical 0day security vulnerability called Follina was identified in Microsoft Office. The issue was a critical one and required urgent security patches. To make sure the vulnerability is fixed on an urgent basis (although it was already being exploited by Chinese hackers) 0Patch, a Maribor, Slovenia-based IT security firm issued free but unofficial micropatches addressing the Follina vulnerability.
Now, 0Patch is at it again. It all started with security researcher Imre Rad first disclosing a vulnerability in January 2020 which is now called DogWalk. But Microsoft ignored the flaw because the tech giant didn’t consider it a security issue. Recently, the same vulnerability was re-discovered by security researcher j00sean.
Although the vulnerability hasn’t been assigned a CVE or tracking ID yet, it is confirmed that this vulnerability drops a payload in the Startup folder of Windows at this location:
C:\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
About DogWalk
The flaw is dubbed DogWalk, and according to j00sean, it is a path traversal flaw that attackers can exploit to copy an executable to the Windows startup folder after the victim opens a malicious .diagcab file, a Cabinet (CAB) file format containing a diagnostics configuration file.
This file is either downloaded from the internet or received through email. The malicious executable gets automatically executed the next time the Windows is restarted.
It is worth noting that this malicious file features a Mark of the Web/MOTW. However, the Microsoft Support Diagnostic Tool (MSDT) ignores this warning and runs the file, exposing the victim to exploitation.
This has to be a joke. That path traversal 0day is a “wonfix” again. 🤦♂️
— j00sean (@j00sean) June 7, 2022
I think someone at @msftsecresponse didn’t get this is not a chromium-based bug. It’s a MSDT one, buddies! Someone at Redmond should review my Twitter timeline :-) Isn’t a MSRC guy there reading this? 🫤 pic.twitter.com/jC02nzgnuV
For your information, the MOTW tag is used to establish the origin of the file and determine the feasible security response. According to 0patch’s Mitja Kolsek, the MSDT application cannot check this flag, which is why the file is opened.
Microsoft claims that Outlook users aren’t at risk since the .diagcab files are blocked automatically by the platform. But, security researchers claim that the bug is still a potential attack vector.
“Outlook is not the only delivery vehicle: such file is cheerfully downloaded by all major browsers including Microsoft Edge by simply visiting(!) a website, and it only takes a single click (or misclick) in the browser’s downloads list to have it opened,”
Mitja Kolsek – 0patch
0patch’s Free But Unofficial Micropatches
The flaw impacts all Windows versions from Win 11 and Server 2022 to Win 7 and Server 2008. Microsoft is yet to release an official patch for this zero-day flaw. Therefore, the micropatching service 0patch has developed an unofficial, free patch for the Windows versions most impacted by this bug, which includes:
- Windows 7
- Windows 11 21H2
- Windows 10 21H2
- Windows 10 21H1
- Windows 10 2004
- Windows 10 1909
- Windows 10 1903
- Windows 10 1809
- Windows 10 1803
- Windows 10 20H2
- Windows Server 2012
- Windows Server 2019
- Windows Server 2016
- Windows Server 2022
- Windows Server 2012 R2
- Windows Server 2008 R2
Source: 0patch
Visit the official 0patch blog post for technical details and download the micropatch. Before installing the patches, you will need to register a 0patch account and install and launch the 0patch agent, after which the micropatch will automatically apply without requiring a system restart.
More Microsoft Vulnerabilities
- New Bug Lets Attacker Takeover PC via Outlook Email
- Microsoft Outlook bug exposes Windows credentials to hackers
- Beware of Fake Windows 11 Downloads Distributing Vidar Malware
- Pwn2Own 2022 – Windows 11, MS Teams, and Firefox Pwned on Day 1
- USB-based Wormable Raspberry Robin Malware Targeting Windows Installer