Recently, we wrote about the so-called Follina Windows vulnerability, which was later assigned the CVE-2022-30190 identifier.
The vulnerability was unearthed by the nao_sec research team following the discovery of a Word document uploaded to VirusTotal from a Belarusian IP address. In short, the flaw abuses Microsoft Word’s external link feature to load HTML and then uses the ‘ms-msdt’ URI scheme to execute PowerShell code.
It is noteworthy that the issue was first described by Microsoft in April as a non-security vulnerability, after a security researcher with Shadow Chaser Group reported observing a public exploit. Despite admitting that the issue was actively exploited in the wild, Microsoft didn’t describe it as a zero-day.
Meet the DogWalk Zero-Day
A few weeks later, another vulnerability was discovered that is more severe than the Follina zero-day. This vulnerability, dubbed DogWalk, was first reported to Microsoft in January 2020 by security researcher Imre Rad. As with the original Follina report, Microsoft decided that DogWalk wasn’t that bad because it required the victim to open a file.
Unfortunately, this initial assessment by the company is not accurate. It turns out that it is possible to deliver a malicious implant to the logged-in user’s Startup folder. From there it will run every time the user logs in, meaning that the user doesn’t need to download a file. Because of the file type (a .CAB archive containing a diagnostics configuration file), it is not checked by Windows SmartScreen when downloaded from Edge or Chrome.
Furthermore, this scenario is more than plausible because the Microsoft Support Diagnostic Tool (MSDT) is prone to a path-traversal attack. The attack occurs when a specially crafted Windows file path is used to read or write files that are normally unavailable to the caller. The final outcome is that a user who is lured into downloading the malformed CAB archive will in fact install persistent malware that is currently not detected by Windows Defender.
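The path-traversal vector above rests on file names inside the .CAB archive: an entry whose name contains “..\” components is written outside the directory MSDT extracts into. A defender can therefore flag a suspicious diagcab before it is ever opened by listing the archive’s CFFILE entries and checking each name. The following is an added example, not code from the original article or from Microsoft; it implements a minimal parser for the MS-CAB header structures (CFHEADER, CFFOLDER, CFFILE) and a traversal check, and builds a constructed, header-only sample cabinet for demonstration. The entry names in the sample are placeholders.

```python
import re
import struct

# CFHEADER: signature, reserved1, cbCabinet, reserved2, coffFiles, reserved3,
# versionMinor, versionMajor, cFolders, cFiles, flags, setID, iCabinet (36 bytes)
CFHEADER = struct.Struct("<4sIIIIIBBHHHHH")
# CFFILE fixed part: cbFile, uoffFolderStart, iFolder, date, time, attribs (16 bytes),
# followed by a NUL-terminated file name
CFFILE = struct.Struct("<IIHHHH")
CFHDR_RESERVE_PRESENT = 0x0004   # cabinet carries extra reserved fields
ATTR_NAME_IS_UTF = 0x80          # CFFILE name is UTF-8 rather than OEM/ASCII

# ".." as a whole path component, with either Windows or POSIX separators
TRAVERSAL = re.compile(r"(^|[\\/])\.\.($|[\\/])")


def list_cab_entries(data: bytes) -> list:
    """Return the file names stored in a cabinet's CFFILE table."""
    if len(data) < CFHEADER.size or data[:4] != b"MSCF":
        raise ValueError("not a CAB file")
    (_sig, _r1, _cb_cabinet, _r2, coff_files, _r3, _vmin, _vmaj,
     _c_folders, c_files, flags, _set_id, _icab) = CFHEADER.unpack_from(data, 0)
    if flags & CFHDR_RESERVE_PRESENT:
        raise ValueError("cabinets with reserved header fields are not handled here")
    names = []
    pos = coff_files
    for _ in range(c_files):
        if pos + CFFILE.size > len(data):
            raise ValueError("truncated CFFILE entry")
        _cb, _uoff, _ifolder, _date, _time, attribs = CFFILE.unpack_from(data, pos)
        pos += CFFILE.size
        end = data.index(b"\x00", pos)          # raises ValueError if unterminated
        raw = data[pos:end]
        names.append(raw.decode("utf-8" if attribs & ATTR_NAME_IS_UTF else "latin-1"))
        pos = end + 1
    return names


def find_traversal(names) -> list:
    """Return the names that would escape the extraction directory."""
    flagged = []
    for name in names:
        if (TRAVERSAL.search(name)              # contains a ".." component
                or name.startswith(("\\", "/"))  # absolute or UNC path
                or re.match(r"^[A-Za-z]:", name)):  # drive-letter path
            flagged.append(name)
    return flagged


def scan_cab(data: bytes) -> list:
    """Convenience wrapper: parse the cabinet and report suspicious entries."""
    return find_traversal(list_cab_entries(data))


def build_sample_cab(names) -> bytes:
    """Constructed fixture: a header-only cabinet (no CFDATA, zero-length files)
    whose CFFILE table carries the given names. Used only to exercise the parser."""
    cffiles = b""
    for name in names:
        attribs = ATTR_NAME_IS_UTF if any(ord(c) > 127 for c in name) else 0x20
        cffiles += CFFILE.pack(0, 0, 0, 0, 0, attribs) + name.encode("utf-8") + b"\x00"
    folder = struct.pack("<IHH", CFHEADER.size + 8 + len(cffiles), 0, 0)
    coff_files = CFHEADER.size + len(folder)
    total = coff_files + len(cffiles)
    header = CFHEADER.pack(b"MSCF", 0, total, 0, coff_files, 0, 3, 1,
                           1, len(names), 0, 0, 0)
    return header + folder + cffiles


if __name__ == "__main__":
    # Constructed sample: one benign entry and one placeholder traversal entry.
    sample = build_sample_cab(["Troubleshooter.xml", "..\\..\\Startup\\implant.txt"])
    for entry in list_cab_entries(sample):
        print(("SUSPICIOUS " if entry in scan_cab(sample) else "ok         ") + entry)
```

The parser only reads the directory structures, so it never extracts anything; that is what makes it safe to run on an untrusted download at a mail gateway or on an endpoint before MSDT gets to see the file. It rejects cabinets with the reserved-field flag rather than guessing at the extra offsets.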
Is There Any Mitigation Against the DogWalk Zero-Day?
Unfortunately, at the moment there doesn’t seem to be an official mitigation for this serious security loophole. Security researchers suggest the following options, which Microsoft should implement as soon as possible:
- Make MSDT honor the so-called “mark of the web” flag that Windows uses to mark files downloaded from the Internet. This flag is why Windows Explorer asks “are you sure you want to open this file?” when you try to open an executable file you’ve downloaded from your browser.
- Add detection of this specific vulnerability to Defender and Defender for Endpoint.
We will be following the DogWalk story and will update this article as soon as new information becomes available. In the meantime, you can learn how to mitigate the Follina flaw.