Microsoft’s Delay in Fixing ‘Dogwalk’ Flaw Baffles Security Researchers

Microsoft took more than two years after its initial disclosure to fix a vulnerability in the Windows Support Diagnostic Tool (MSDT), dubbed “Dogwalk,” which Microsoft described this week as being under active exploitation.

Microsoft released a fix for the vulnerability this week in its August “Patch Tuesday” security release. The vulnerability, rated 7.8 (out of 10) on the Common Vulnerability Scoring System, is described in Microsoft’s advisory for CVE-2022-34713.

Dogwalk was first reported to Microsoft by security researcher Imre Rad in late December 2019, according to his published timeline. At the time, Microsoft said the issue did not meet its definition of a vulnerability and closed the case, according to Microsoft’s comments as posted by Rad. This month, Microsoft changed its position, possibly because the flaw was being exploited.

The patch for CVE-2022-34713 is actually for a “variant” of Dogwalk, according to Tenable security researchers, citing Microsoft. Tenable credited security researcher “j00sean” with having “resurfaced” Rad’s related flaw in the Windows Support Diagnostic Tool. That work by j00sean apparently grew out of research into the “Follina” vulnerability (CVE-2022-30190), another flaw in the Windows Support Diagnostic Tool, which Microsoft patched in June.

Microsoft’s August security release also included a second fix for the Windows Support Diagnostic Tool, described in CVE-2022-35743. That vulnerability, however, was not reported as having been exploited. Microsoft credited its discovery to security researcher Matt Graeber of Red Canary.

For a Dogwalk exploit to work, some social engineering is required: the victim must open a malicious file, which an attacker can arrange through a phishing email or by directing the victim to a compromised website. The file could be something like a Microsoft Word document attached to an email, according to Dustin Childs of Trend Micro’s Zero Day Initiative.

The preconditions for running a Dogwalk exploit may explain why Microsoft initially rejected the report, but they are not a good enough excuse for such a patch delay, according to Steve Weber, founder and former director of the Center for Long-Term Cybersecurity at UC Berkeley, who said by email:

This bug (like most) can only be exploited under specific circumstances, and reasonable people may disagree about how sophisticated an attacker should be to overcome these constraints. To be clear, this is no excuse for 2 years of inaction. And especially now that we know the bug wasn’t just theoretical but was being exploited in the wild.

The “dominance of Microsoft software” is such that Microsoft must “outperform and do better than everyone else when it comes to fixing bugs,” Weber added. Microsoft has a dominant market share in various industries, including “85% of government workplace productivity systems,” Weber said.

In recent years, criticism of Microsoft’s security patching practices has come from CEOs of major security companies, such as Tenable, CrowdStrike and SentinelOne, Weber noted. “In my humble opinion, the largest and most profitable software companies in the world should do everything possible to make life easier for CISOs, not complicate it.”

About the Author

Kurt Mackie is senior news producer for 1105 Media’s Converge360 group.

