Microsoft urges Windows customers to run patch for DogWalk zero-day exploit
Despite beforehand claiming the DogWalk vulnerability didn’t represent a safety subject, Microsoft has now launched a patch to cease attackers from actively exploiting the vulnerability.
Magdalena Petrova
Microsoft has confirmed {that a} high-severity, zero-day safety vulnerability is actively being exploited by risk actors and is advising all Windows and Windows Server customers to use its newest month-to-month Patch Tuesday replace as quickly as attainable.
The vulnerability, generally known as CVE-2022-34713 or DogWalk, permits attackers to take advantage of a weak point within the Windows Microsoft Support Diagnostic Tool (MSDT). By utilizing social engineering or phishing, attackers can trick customers into visiting a faux web site or opening a malicious doc or file and in the end achieve distant code execution on compromised techniques.
DogWalk impacts all Windows variations beneath assist, together with the most recent consumer and server releases, Windows 11 and Windows Server 2022.
The vulnerability was first reported in January 2020 however on the time, Microsoft mentioned it didn’t take into account the exploit to be a safety subject. This is the second time in current months that Microsoft has been compelled to vary its place on a recognized exploit, having initially rejected experiences that one other Windows MSDT zero-day, generally known as Follina, posed a safety risk. A patch for that exploit was launched in June’s Patch Tuesday replace.
Charl van der Walt, head of safety analysis at Orange Cyberdefense, mentioned that though Microsoft might maybe be criticised for failing to contemplate how incessantly and simply recordsdata with apparently harmless extensions are used to ship malicious payloads, additionally famous that with a number of thousand vulnerabilities reported annually, it’s to be anticipated that Microsoft’s risk-based triage method to assessing vulnerabilities gained’t be infallible.
“If everything is urgent, then nothing is urgent,” he mentioned. “The security community has long stopped believing vulnerabilities and threats will be eradicated any time soon, so the challenge now becomes the development of a kind of agility that can perceive changes in the threat landscape and adapt accordingly.”