Microsoft Urges Windows Users To Run Patch For DogWalk Zero-Day Exploit (computerworld.com)
joshuark shares a report from Computerworld: Despite previously claiming the DogWalk vulnerability did not constitute a security issue, Microsoft has now released a patch to stop attackers from actively exploiting the vulnerability. [...] The vulnerability, known as CVE-2022-34713 or DogWalk, allows attackers to exploit a weakness in the Windows Microsoft Support Diagnostic Tool (MSDT). By using social engineering or phishing, attackers can trick users into visiting a fake website or opening a malicious document or file and ultimately gain remote code execution on compromised systems. DogWalk affects all Windows versions under support, including the latest client and server releases, Windows 11 and Windows Server 2022.
The vulnerability was first reported in January 2020 but at the time, Microsoft said it didn't consider the exploit to be a security issue. This is the second time in recent months that Microsoft has been forced to change its position on a known exploit, having initially rejected reports that another Windows MSDT zero-day, known as Follina, posed a security threat. A patch for that exploit was released in June's Patch Tuesday update.
Where is the news? (Score:5, Funny)
Not news: Microsoft Windows contains zero-day vulnerability
Also not news: Microsoft's "fix" doesn't fix it.
Still would not be news: The follow-up fix is not complete, either.
Re: (Score:2)
Most of all, it ain't news because it's like 2 months old.
I found the root kit (Score:2, Funny)
Re: (Score:3)
A bit less drastic is to just disable the Windows Microsoft Support Diagnostic Tool service. It doesn't do anything useful.
Re: (Score:2)
Unpatchable (Score:3, Insightful)
By using social engineering or phishing, attackers can trick users into visiting a fake website or opening a malicious document or file and ultimately gain remote code execution on compromised systems.
By using social engineering, you could potentially get someone to go to Western Union and have them send you the contents of their bank account. There is no patch for human stupidity.
Re: (Score:2)
Well, there is... but it limits the availability of the human considerably.
Not that I'd consider this a bad thing with many of them.
Re: (Score:1)
use the workaround (Score:3)
Part of the original advice was to remove the registry entries that Windows uses to know how to open MSDT files.
See Workarounds: https://msrc-blog.microsoft.co... [microsoft.com]
The workaround does not solve the problem but you won't be able to just click to open, you'll have to open a program then open file in it. Helps with ignorant users clicking on things.
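The registry workaround referred to in the comment above, as an added example that is not from the thread or from the MSRC post it links: back up and remove the ms-msdt: URL protocol handler, then verify it is gone. The key path and the use of reg.exe export/delete follow the published MSRC workaround; the function names, the backup location and the restore hint are this example's own choices. It must run from an elevated PowerShell prompt.

```powershell
# Added example (not the Slashdot poster's or Microsoft's code): back up and remove the
# ms-msdt: protocol handler that the MSRC workaround tells you to delete, and confirm it.
# This blocks the click-to-open ms-msdt: path only; it is not a substitute for installing
# the August 2022 update that fixes CVE-2022-34713 (DogWalk).

$key        = 'Registry::HKEY_CLASSES_ROOT\ms-msdt'          # provider path, no HKCR: drive needed
$backupFile = Join-Path $env:TEMP 'ms-msdt-backup.reg'       # assumed backup location

function Test-MsdtHandlerPresent {
    # True while the ms-msdt: protocol handler is still registered.
    return (Test-Path -Path $key)
}

function Backup-MsdtHandler {
    # reg.exe export writes a .reg file that 'reg import' can restore later.
    if (Test-MsdtHandlerPresent) {
        & reg.exe export 'HKCR\ms-msdt' $backupFile /y | Out-Null
        Write-Host "Backed up HKCR\ms-msdt to $backupFile"
    }
}

function Remove-MsdtHandler {
    # Deleting the key is exactly the MSRC workaround step; /f suppresses the prompt.
    if (Test-MsdtHandlerPresent) {
        & reg.exe delete 'HKCR\ms-msdt' /f | Out-Null
    }
}

Backup-MsdtHandler
Remove-MsdtHandler

if (Test-MsdtHandlerPresent) {
    Write-Warning 'ms-msdt handler still present; make sure this ran elevated.'
} else {
    Write-Host "ms-msdt handler removed. Restore with: reg import $backupFile"
}
```

Re-run `Test-MsdtHandlerPresent` after applying the August update to see whether the patch itself left the key in place on your build; the reply below reports that it did not on theirs.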
Re: (Score:2)
Looks like the patch does this (whatever else it might do) because I tried to delete the key after applying it and it wasn't there.
"Zero-Day" (Score:4, Insightful)
Zero-day [wikipedia.org]? Microsoft knew about it in January 2020, about 2 years and 7 months ago, so that would make it a roughly 940-day exploit.
Or maybe they're using this revisionist, corporate-friendly definition [trendmicro.com] of "a vulnerability...that has been disclosed but is not yet patched."
Crap-OS remains Crap-OS... (Score:2)
What else is new? MS should never have been trusted with anything.
It was pretty (Score:1)