Microsoft finally patches nasty Windows security hole, two years later

By Scott Marlette Last updated Aug 11, 2022

DogWalk, a security flaw in Windows first discovered in January 2020, has finally been addressed, the company has confirmed.

The remote code execution flaw, existing due to a path traversal weakness in the Windows Support Diagnostic Tool (MSDT), is being patched (opens in new tab) as part of the August 2022 Patch Tuesday, Microsoft has said.

The flaw is tracked as CVE-2022-34713, and if abused, can give attackers the ability to run any code on a target endpoint. It was first discovered by a researcher called Imre Rad more than two years ago, but back then, Microsoft said it wasn’t really a security vulnerability, and as such, it won’t be fixed. Fast forward to today, and the flaw has been put back into the spotlight by a different researcher, going by the name j00sean.

Abusing DogWalk on Windows 11

To exploit DogWalk, the attacker needs to add a malicious executable to the Windows Startup. That way, once the system is restarted, malware gets downloaded and run. It can be used in low-complexity attacks, but with a caveat – the victim needs to interact with the system (they need to download the malware or run it themselves).

“In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file,” Microsoft said. “In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) containing a specially crafted file designed to exploit the vulnerability.”

DogWalk can be abused on all supported versions of Windows, Microsoft confirmed, including the latest variants – Windows 11, and Windows Server 2022.

This month’s Patch Tuesday also addresses CVE-2022-30134, a zero-day vulnerability affecting Microsoft Exchange Information Disclosure, which allows threat actors to read targeted email messages. In total, 112 flaws were addressed, including 17 deemed critical.

Via: BleepingComputer (opens in new tab)

For all the latest Technology News Click Here

For the latest news and updates, follow us on Google News.

Read original article here

Denial of responsibility! TechNewsBoy.com is an automatic aggregator around the global media. All the content are available free on Internet. We have just arranged it in one platform for educational purpose only. In each content, the hyperlink to the primary source is specified. All trademarks belong to their rightful owners, all materials to their authors. If you are the owner of the content and do not want us to publish your materials on our website, please contact us by email – [email protected]. The content will be deleted within 24 hours.