Microsoft posted a Patch Tuesday online last week, the download and installation of which are highly recommended and for good reason: this patch fixes a “zero day” flaw exploited by hackers. However, Microsoft could have taken care of it long before…
Among the 121 fixes provided by Microsoft in its latest Patch Tuesday, one in particular stands out. The delivery indeed plugs the CVE-2022-34713 vulnerability, known as “DogWalk” for two and a half years! In December 2019, researcher Imre Rad warned the publisher of the presence of this breach, but at the time the latter did not want to react.
Not a serious flaw, according to Microsoft
Microsoft has indeed explained that the exploitation of the flaw required a specific action from the user: it is indeed necessary to force him to download and execute the file. “As described, this cannot be considered a vulnerability. No security boundaries are bypassed, the proof of concept does not increase permissions in any way, or do anything the user cannot already do,” the company responded in early 2020.
What happened in the meantime for Microsoft to reconsider its decision? It’s hard to say, but it’s possible that attempts to exploit this vulnerability ultimately caused the publisher to reconsider its position. And to get to work developing a fix…
“DogWalk” allows remote execution of arbitrary code via an attack in the Windows Support Diagnostic Tool (MSDT) module. The operation, however, requires the victim to download a file and then open it. This famous MSDT module is a favorite target for hackers, since it is the second time in three months that a “zero day” breach has been discovered there.
The delay taken by Microsoft to plug the flaw, and the inertia with which the company dealt with the problem should push it to be more cautious in the future.
Bitdefender Plus Antivirus