Microsoft provides services across the globe to over 1.4 billion users. With that many users and such a broad portfolio of products, its attack surface is large and security issues are inevitable. The zero-day vulnerability that researchers nicknamed “DogWalk” has become a serious concern for Microsoft because no official patch is available for it yet, and the extent to which it has been exploited is unclear.
Microsoft Zero-Day Vulnerability
Kaspersky defines a zero-day vulnerability as a software flaw that attackers discover before the vendor has resolved it. Such vulnerabilities are a grave problem for vendors because they stay hidden and may take time to discover, while malicious actors can exploit them in the meantime and cause organizations financial losses. Hence, it is essential to address them as soon as possible.
In May 2022, Microsoft released patches for over 70 vulnerabilities, where the organization addressed three zero-day vulnerabilities. In December 2021, it released a patch for six zero-day vulnerabilities. Microsoft’s readiness to act emphasizes how severe these vulnerabilities can be. Unfortunately, with DogWalk and Follina, Microsoft’s action was not immediate.
What is DogWalk?
Imre Rad reported DogWalk to Microsoft in January 2020. Microsoft decided not to fix it, reasoning that DogWalk posed no real threat because exploitation required the user to download and open a file that the browser or mail client would flag as potentially malicious. Microsoft stated that several file types could execute code in a similar way but were blocked by default in Outlook on the web and elsewhere.
Rad, however, pointed out that these diagnostic package files are not flagged as malicious when downloaded through Chrome or Microsoft Edge. The root cause is a path-traversal vulnerability in the Microsoft Support Diagnostic Tool (MSDT) when it unpacks a diagnostic cabinet (.diagcab) package: a crafted entry name can escape the intended extraction directory. Consequently, a user can be tricked into downloading and opening a package that Microsoft Defender does not detect, and the package can plant an executable in the user’s Startup folder so that it runs every time the user logs in.
DogWalk is therefore not the result of a single flaw being exploited in isolation. It combines the path-traversal vulnerability with the social-engineering step of getting the user to download and open the package. It affects Windows 7 and later client versions and Windows Server 2008 and later, including the latest releases.
Follina: A Related Vulnerability
Follina was discovered by nao_sec, a security research group based in Tokyo, and named by the security researcher Kevin Beaumont. It exploits a vulnerability in the Microsoft Support Diagnostic Tool (MSDT) to achieve remote code execution: when MSDT is invoked through its URL protocol from a calling application such as Microsoft Word, the attacker can execute arbitrary code. The Word document may look harmless to the user, but it can cause MSDT to run attacker-supplied PowerShell commands. Once the command has executed, the attacker can carry out a range of actions on the user’s device, including installing programs and viewing, modifying or deleting data.
The China-linked threat actor TA413, an APT (advanced persistent threat) group, has been using Follina to target Microsoft users. Its campaign is disguised as a women’s empowerment initiative: the malicious Word document is delivered under the guise of the Tibetan government.
Although Follina began as a zero-day, Microsoft acknowledged the threat and tracks it as CVE-2022-30190. It affects Windows 7 and later and Windows Server 2008 and later. At the time of writing, however, no security patch had been released, and adversaries were exploiting the vulnerability in the wild.
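As an added example, not code from the original article, the PowerShell function below inspects a .docx package offline for the two artefacts a Follina document relies on: an embedded-object (oleObject) relationship in the document’s relationship part that points to an external target, from which the document fetches the page that invokes MSDT, and any direct use of the ms-msdt: URL scheme inside the package. That an external oleObject relationship is the Follina delivery mechanism is stated here from the public sample analyses, not from the article; a hit is a lead for analysis, not proof of compromise.

```powershell
# Added example: static triage of a Word document for Follina indicators.
# Works on the package only; nothing in the document is executed or fetched.
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Test-FollinaDocx {
    param([Parameter(Mandatory)][string]$Path)
    $findings = [System.Collections.Generic.List[object]]::new()
    $fullPath = (Resolve-Path -LiteralPath $Path).Path
    $zip = [System.IO.Compression.ZipFile]::OpenRead($fullPath)
    try {
        foreach ($entry in $zip.Entries) {
            # Relationship parts and XML parts are the only text of interest.
            if ($entry.FullName -notmatch '\.(rels|xml)$') { continue }
            $reader = [System.IO.StreamReader]::new($entry.Open())
            try { $text = $reader.ReadToEnd() } finally { $reader.Dispose() }

            if ($entry.FullName -match '_rels/[^/]+\.rels$') {
                # An OLE object whose target lives outside the package: the
                # Follina document loads an external HTML page this way.
                foreach ($m in [regex]::Matches($text, '<Relationship\b[^>]*/?>')) {
                    $rel = $m.Value
                    if ($rel -match 'Type="[^"]*/oleObject"' -and $rel -match 'TargetMode="External"') {
                        $target = if ($rel -match 'Target="([^"]*)"') { $Matches[1] } else { '' }
                        $findings.Add([PSCustomObject]@{
                            Part      = $entry.FullName
                            Indicator = 'External oleObject relationship'
                            Detail    = $target
                        })
                    }
                }
            }
            # A direct ms-msdt: URL anywhere in the package. The public samples
            # kept it in the remotely fetched HTML instead, so this check alone
            # is not sufficient; it is cheap and catches cruder variants.
            foreach ($m in [regex]::Matches($text, 'ms-msdt:[^"''\s<]*')) {
                $findings.Add([PSCustomObject]@{
                    Part      = $entry.FullName
                    Indicator = 'ms-msdt URL scheme'
                    Detail    = $m.Value
                })
            }
        }
    } finally { $zip.Dispose() }
    return $findings
}

# Usage: Test-FollinaDocx -Path .\suspect.docx | Format-Table -AutoSize
```

Run it on a document that has not been opened; it only reads the ZIP container, so Word is never involved. An empty result means neither indicator is present, not that the file is safe.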
Mitigation of Microsoft Zero-Day Vulnerabilities
Researchers, and Microsoft itself, have published mitigations for Follina and DogWalk, even though Microsoft has not yet released an official patch.
Follina makes it easy for malicious actors to launch the Microsoft troubleshooter through a URL. Beaumont, the researcher who named Follina, suggested a Group Policy that disables troubleshooter access altogether: under Computer Configuration > Administrative Templates > System > Troubleshooting and Diagnostics > Scripted Diagnostics, set “Troubleshooting: Allow users to access and run Troubleshooting Wizards” to Disabled. Distribute the policy as appropriate, and a malicious URL can no longer launch a troubleshooter.
One might consider this the best option until an official patch is released, but Microsoft’s own guidance takes a different route: disable the MSDT URL protocol. Deleting the HKEY_CLASSES_ROOT\ms-msdt registry subtree prevents troubleshooters from being launched via URLs. Export the key first so it can be restored once a patch is installed.
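The following PowerShell script is an added example, not part of the original article or of Microsoft’s published guidance; it applies both workarounds described above from an elevated session and then reports whether they are in effect. The registry value EnableDiagnostics under HKLM\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnostics is the setting the Group Policy item writes (an assumption stated here, not in the article), and the backup path for the exported ms-msdt key is an arbitrary choice.

```powershell
#Requires -RunAsAdministrator
# Added example: apply and verify the two Follina workarounds.
# Assumption: the "Allow users to access and run Troubleshooting Wizards"
# policy is stored as the DWORD EnableDiagnostics (0 = Disabled) below.
$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnostics'
$HandlerKey = 'Registry::HKEY_CLASSES_ROOT\ms-msdt'
$BackupFile = Join-Path $env:ProgramData 'ms-msdt-backup.reg'   # assumed location

function Disable-TroubleshootingWizards {
    # Beaumont's mitigation, set through the policy registry value rather than gpedit.
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name 'EnableDiagnostics' -Value 0 -Type DWord
}

function Remove-MsdtProtocolHandler {
    # Microsoft's workaround: export the key for later restore, then delete it.
    if (Test-Path $HandlerKey) {
        reg.exe export 'HKCR\ms-msdt' $BackupFile /y | Out-Null
        reg.exe delete 'HKCR\ms-msdt' /f | Out-Null
    }
}

function Restore-MsdtProtocolHandler {
    # Undo Remove-MsdtProtocolHandler once an official patch is installed.
    if (Test-Path $BackupFile) { reg.exe import $BackupFile | Out-Null }
}

function Test-FollinaMitigations {
    # Returns an object whose Mitigated field is $true only when both workarounds hold.
    $policy = Get-ItemProperty -Path $PolicyKey -Name 'EnableDiagnostics' -ErrorAction SilentlyContinue
    $wizardsDisabled = ($null -ne $policy) -and ($policy.EnableDiagnostics -eq 0)
    $handlerRemoved  = -not (Test-Path $HandlerKey)
    [PSCustomObject]@{
        TroubleshootingWizardsDisabled = $wizardsDisabled
        MsMsdtHandlerRemoved           = $handlerRemoved
        Mitigated                      = ($wizardsDisabled -and $handlerRemoved)
    }
}

Disable-TroubleshootingWizards
Remove-MsdtProtocolHandler
Test-FollinaMitigations | Format-List
```

Re-run Test-FollinaMitigations after a reboot or Group Policy refresh: a domain policy that re-enables troubleshooting wizards, or a software update that re-registers the ms-msdt handler, will silently undo the workaround, and the check is what tells you.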
DogWalk, unlike Follina, is still a zero-day that Microsoft has not officially acknowledged, so there is no vendor-supplied workaround for it. A real fix requires Microsoft to remove the path-traversal flaw from MSDT’s package handling. In the meantime, rely on the “mark of the web” (MOTW): browsers attach this flag to files downloaded from the internet, and Windows uses it to show the “Are you sure you want to open this file?” warning when such a file is opened. Treat that warning as a signal of potential malware, and be especially wary of diagnostic package files you did not ask for.
Third-party micropatches are also available that add the missing checks to the affected components; see the next section.
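As an added example (not code from the article or from 0patch), the following PowerShell functions audit the persistence location DogWalk targets: they list every file in the per-user and all-users Startup folders, flag entries created recently, and report whether each carries the mark of the web, which Windows stores in the file’s Zone.Identifier alternate data stream. The seven-day window is an arbitrary assumption.

```powershell
# Added example: audit Startup folders for DogWalk-style persistence and
# report mark-of-the-web (Zone.Identifier) status. Read-only; no admin needed
# for the per-user folder.

function Get-MarkOfTheWeb {
    param([Parameter(Mandatory)][string]$Path)
    # Browsers record a download in the Zone.Identifier alternate data
    # stream; ZoneId=3 is the Internet zone. No stream means no MOTW.
    try {
        $lines = Get-Content -LiteralPath $Path -Stream 'Zone.Identifier' -ErrorAction Stop
    } catch {
        return [PSCustomObject]@{ HasMotw = $false; ZoneId = $null; HostUrl = $null }
    }
    $zoneId = $null; $hostUrl = $null
    foreach ($line in $lines) {
        if ($line -match '^ZoneId=(\d+)\s*$')  { $zoneId  = [int]$Matches[1] }
        elseif ($line -match '^HostUrl=(.+)$') { $hostUrl = $Matches[1].Trim() }
    }
    [PSCustomObject]@{ HasMotw = $true; ZoneId = $zoneId; HostUrl = $hostUrl }
}

function Get-StartupFolderAudit {
    param([int]$RecentDays = 7)   # assumed window for flagging new entries
    $cutoff  = (Get-Date).AddDays(-$RecentDays)
    $folders = @(
        [Environment]::GetFolderPath('Startup'),        # current user
        [Environment]::GetFolderPath('CommonStartup')   # all users
    )
    foreach ($folder in $folders) {
        if (-not (Test-Path -LiteralPath $folder)) { continue }
        foreach ($file in Get-ChildItem -LiteralPath $folder -File -Force) {
            $motw = Get-MarkOfTheWeb -Path $file.FullName
            [PSCustomObject]@{
                Folder  = $folder
                Name    = $file.Name
                Created = $file.CreationTime
                Recent  = ($file.CreationTime -gt $cutoff)
                HasMotw = $motw.HasMotw
                ZoneId  = $motw.ZoneId
                HostUrl = $motw.HostUrl
            }
        }
    }
}

Get-StartupFolderAudit | Sort-Object Created -Descending | Format-Table -AutoSize
```

Read the output with the attack in mind: a file that a user saved from a browser shows HasMotw true and ZoneId 3, whereas a file that MSDT extracted from a diagnostic package is written by the tool rather than the browser and is unlikely to carry the stream. A recently created Startup entry with no mark of the web and no known provenance is the one to investigate.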
Availability of Unofficial Patches for Affected Systems
0patch is a micropatching service that offers unofficial, in-memory patches for Follina and DogWalk. To use them, create a 0patch account and install the 0patch agent on the device. The unofficial patches are available for the following systems:
- Windows 11 v21H2
- Windows 10 (v1803 to v21H2)
- Windows 7
- Windows Server 2008 R2
- Windows Server 2012
- Windows Server 2012 R2
- Windows Server 2016
- Windows Server 2019
- Windows Server 2022
Protect Yourself From Zero-Day Vulnerabilities
Attacks based on zero-day vulnerabilities target operating systems, web browsers and widely used open-source components. Exploits for such flaws can compromise individuals, large corporations and government agencies and expose their critical data. Zero-day exploits have also been used against political targets and can pose a threat at the national-security level.
Zero-day attacks can be divided into targeted and non-targeted types. Victims of targeted attacks are high-value individuals or organizations with access to sensitive data; victims of non-targeted attacks can be anyone with a weakly configured system and poor security hygiene. So even if you have no access to confidential information, a non-targeted zero-day attack can still cost you money, and it is worth learning how to protect yourself.
Regularly consult up-to-date threat-intelligence sources for the latest threats and the trends they follow. Even if you cannot, keeping every system fully updated goes a long way: Microsoft releases patches regularly, and an unpatched bug is an open door. A properly configured firewall and antivirus solution reduce your exposure further, although neither can stop an exploit for a flaw that has no signature yet.
Zero-day vulnerabilities will keep appearing despite the best efforts of developers and researchers, but you can still reduce your risk. Follina and DogWalk are threatening, yet the unofficial mitigations described above can serve as a stopgap until Microsoft ships an official patch.