Resource August 11, 2022

Zero-Day Vulnerability Discovered: Microsoft August Patch Tuesday

This month’s Patch Tuesday from Microsoft had a surprise patch for a vulnerability in the Microsoft Windows Support Diagnostic Tool (MSDT); you may remember this exploit from the recent Follina exploit (CVE-2022-30190). This vulnerability, however, takes a different exploit path than Follina.

What You Need to Know

CVE-2022-34713, nicknamed “DogWalk,” is an arbitrary file write vulnerability in MSDT, exploited via .diagcab files, which can lead to code execution. The vulnerability allows an attacker to send a file to a victim that, if double-clicked and opened, could drop an exploit in the user’s Startup folder (or any file anywhere else on the system that the user has permissions to write to). The exploit could be compounded by the fact that most web browsers and email clients do not warn the user of the risk of running a .diagcab file. The .diagcab is not identified with the web zone identifier property, which would otherwise help prevent accidental execution by a user.

The original Dogwalk vulnerability was found and reported to Microsoft by security researcher Imre Rad in December 2019. According to Rad, Microsoft initially decided Dogwalk was not a vulnerability and, at that point, allowed him to publish a blog post on the subject. Due to increased scrutiny of MSDT, Microsoft re-assessed the case this year and has now classified Dogwalk as a vulnerability.

Microsoft began blocking .diagcab file downloads in Microsoft Edge in July of this year. Google is also doing the same. It is now worthwhile to stop .diagcab files received via email altogether. 

The Importance of Continuous Vulnerability Monitoring

Microsoft’s August Patch Tuesday includes a patch for the now publicly disclosed, two-year-old Dogwalk vulnerability (CVE-2022-34713). Adlumin’s Continuous Vulnerability Management (CVM) team took the proactive critical steps to examine this patch for now identified zero-day security threat and to alert customers of their potential vulnerability risk. Adlumin determined potential threats to Microsoft Office users, so they deployed the fix. 

Adlumin’s CVM team created jobs to test customers’ Microsoft August Patch Tuesday patch and remediation (registry modification). Once Adlumin completed the test, the CVM team continued the deployment to the production environment. Once all was complete and remedied, Adlumin sent a report to the customer to notify them they were now clean of the vulnerability for their records. Adlumin recommends using its Continuous Vulnerability Management service to collect the needed data from endpoints to determine if they are running vulnerable .diagcab files in their versions of Microsoft Windows and Office. Adlumin’s managed detection and response security and services platform will proactively search for suspicious activity and possible vulnerability exploitation 24x7x365 days of the year.