All Windows users advised to update as Microsoft confirms zero-day attack
SOPA Images/LightRocket via Getty Images
With the arrival of the monthly ‘Patch Tuesday’ security updates for Windows users, Microsoft confirms that one zero-day security vulnerability is already under attack.
All Windows and Windows Server users are being advised to update as soon as possible after Microsoft confirms that CVE-2022-34713, also known as DogWalk, is being actively exploited by attackers.
What is the DogWalk vulnerability?
The high-impact, remote code execution, vulnerability, exists in the Windows Support Diagnostic Tool (MSDT) and can lead to system compromise. It’s not the first time that MSDT has been targeted by cybercriminals nor, indeed, the first time we’ve encountered DogWalk. As I first reported on June 8, “It’s only a matter of time, I would imagine, before DogWalk exploits are being reported in the wild.” That time has arrived.
Quite astonishingly, the vulnerability was first disclosed in January 2020. At the time, it is reported, Microsoft didn’t consider it a security issue.
The vulnerability can be exploited by an attacker using social engineering or phishing tactics to trick a user into opening a malicious document or file or visiting a compromised website to the same end.
CISA issues mandatory update warning to U.S. federal agencies
Worryingly, the vulnerability impacts all users of all currently supported versions of Windows and Windows Server. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added DogWalk to the Known Exploited Vulnerabilities list and ordered federal agencies to patch it before the end of the month.
I would advise all users to do the same, only more quickly, by applying that Patch Tuesday update as soon as is possible.
While DogWalk is the only zero-day being patched, the update covers a total of 121 vulnerabilities, including 17 that are given a critical rating.
Dustin Childs, from Trend Micro’s Zero Day Initiative, says “the volume of fixes released this month is markedly higher than what is normally expected in an August release. It’s almost triple the size of last year’s August release, and it’s the second largest release this year.”
You can see the full list of Windows security updates for August in the update guide published by the Microsoft Security Response Center.