In this month's Patch Tuesday update for Windows 7, 8.1, 10, and 11, Microsoft released a bunch of improvements and security fixes for its operating systems. Talking about the latter, we have good news and bad news.
Starting off with the good news, Microsoft has patched lots of security issues including Follina. The bad news is that its updates apparently don't cover all reported 0-days, as DogWalk remains unpatched.
Details about Follina emerged last month when it was revealed that the wonky handling of URL protocols in Microsoft Support Diagnostic Tool (MSDT) meant that an application like Microsoft Word could invoke it to trigger remote code execution (RCE), potentially with admin privileges.
This issue affected virtually all versions of Windows, so Microsoft awarded it a "high" severity and recommended some mitigations. However, June's Patch Tuesday updates released yesterday offer a more permanent fix for this problem. In its corresponding CVE-2022-30190 tracking report, Microsoft has noted that:
"The update for this vulnerability is in the June 2022 cumulative Windows Updates. Microsoft strongly recommends that customers install the updates to be fully protected from the vulnerability. Customers whose systems are configured to receive automatic updates do not need to take any further action."
Meanwhile, DogWalk is another 0-day vulnerability that was widely reported last week. It relies on a path traversal vulnerability that drops a payload into the Windows Startup folder, so the malware runs the next time the user logs in. The downloaded diagcab file carries a Mark of the Web (MOTW), but MSDT ignores the warning and runs it anyway, leaving users exposed to this potential exploit.
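The two defensive checks that paragraph implies, as an added example that is not code from Microsoft or the researchers: read the zone from a file's Zone.Identifier stream, and flag archive entry names that would resolve outside the extraction directory or into a Startup folder. It applies to any archive rather than parsing the diagcab format; the entry names are assumed to come from whatever tool listed the archive, and all sample paths and stream text are constructed.

```python
import configparser
import ntpath

# Per-user Startup folder, relative to the user profile (standard Windows layout).
STARTUP = r"\appdata\roaming\microsoft\windows\start menu\programs\startup"
INTERNET_ZONES = {3, 4}  # Internet and Restricted Sites zone IDs

# Constructed sample data (not taken from a real file).
SAMPLE_STREAM = "[ZoneTransfer]\nZoneId=3\nHostUrl=https://example.test/a%20b.diagcab\n"
SAMPLE_DIR = r"C:\Users\alice\AppData\Local\Temp\diag"
SAMPLE_ENTRIES = [
    r"config\package.xml",
    r"..\other\notes.txt",
    r"..\..\..\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.exe",
]


def motw_zone(stream_text):
    """Return the ZoneId from a Zone.Identifier stream's text, or None."""
    parser = configparser.ConfigParser(interpolation=None)
    try:
        parser.read_string(stream_text)
        return parser.getint("ZoneTransfer", "ZoneId")
    except (configparser.Error, ValueError):
        return None


def classify_entry(extract_dir, entry_name):
    """Say where entry_name lands if joined naively onto extract_dir."""
    base = ntpath.normcase(ntpath.normpath(extract_dir))
    target = ntpath.normcase(ntpath.normpath(ntpath.join(extract_dir, entry_name)))
    if STARTUP + "\\" in target:
        return "startup"  # would persist via the Startup folder
    if target != base and not target.startswith(base + "\\"):
        return "escapes"  # leaves the extraction directory
    return "ok"


def triage(stream_text, extract_dir, entry_names):
    """Combine both checks into one verdict for a downloaded archive."""
    verdicts = {name: classify_entry(extract_dir, name) for name in entry_names}
    return {
        "from_internet": motw_zone(stream_text) in INTERNET_ZONES,
        "block": any(v != "ok" for v in verdicts.values()),
        "entries": verdicts,
    }


if __name__ == "__main__":
    print(triage(SAMPLE_STREAM, SAMPLE_DIR, SAMPLE_ENTRIES))
```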
Although some third-party security firms have released micropatches for DogWalk, Microsoft has downplayed the issue and says that it does not require "immediate service". It hasn't been assigned a CVE either.
And if you were hoping that the latest Patch Tuesday update would fix the issue, you'd be mistaken. According to security researchers on Twitter, DogWalk is still open for exploitation:
#DogWalk 🐕🚶 with remote shared location is still working, no prompting of MoTW yet. It sounds no changes. https://t.co/gUUz95HxVK pic.twitter.com/rjpd8OzZJ0
— j00sean (@j00sean) June 14, 2022
It remains to be seen whether Microsoft will eventually fix the issue, but based on the recent updates on this matter, the chances don't look good. We'll let you know if the situation evolves.