Microsoft's Delay in Patching 'Dogwalk' Flaw Baffles Security Researchers
Microsoft took more than two years after disclosure to patch a vulnerability in the Windows Support Diagnostic Tool, dubbed "Dogwalk," which was described this week as being under active exploitation.
Microsoft issued a patch for the vulnerability in its August "update Tuesday" patch release this week. The vulnerability, rated 7.8 on the Common Vulnerability Scoring System (out of 10), is described in Microsoft's CVE-2022-34713 bulletin.
The original Dogwalk vulnerability was first reported by security researcher Imre Rad in late December 2019, according to his timeline description. Back then, it didn't meet Microsoft's definition of a vulnerability and Microsoft closed the case, per comments by Microsoft that were published by Rad. This month, Microsoft's security researchers changed their minds, perhaps because the vulnerability was being exploited.
The patch for CVE-2022-34713 is actually for a Dogwalk "variant," according to a description by security researchers at Tenable, citing Microsoft. Tenable credited security researcher "j00sean" as having "resurfaced Rad's 'related' flaw" in the Windows Support Diagnostic Tool. That research by j00sean apparently concerned the "Follina" (CVE-2022-30190) vulnerability, yet another Windows Support Diagnostic Tool flaw, which got a patch back in June.
Microsoft's August security release also included another patch for the Windows Support Diagnostic Tool, as described in bulletin CVE-2022-35743. This particular vulnerability, though, wasn't deemed to have been exploited. The discovery of the CVE-2022-35743 vulnerability was attributed to security researcher Matt Graeber at Red Canary.
For the Dogwalk exploit to work, some social engineering is needed. A victim needs to open a malicious file, which could be delivered by e-mail phishing attempts or by directing the victim to a compromised Web site. The file might be something like a Microsoft Word document attachment sent via e-mail, according to Dustin Childs of Trend Micro's Zero Day Initiative.
The social engineering required to execute a Dogwalk exploit may be why Microsoft dismissed it initially, but that's not a sufficient excuse for such a long patch delay, according to Steve Weber, founder and former director of the Center for Long-term Security at UC Berkeley, via e-mail:
This bug (like most) can only be exploited under specific circumstances and reasonable people can disagree about how sophisticated an attacker would have to be in order to overcome those constraints. To be clear, that's not an excuse for 2 years of inaction. And particularly now that we know the bug was not simply theoretical but was exploited in the wild.
The "prevalence of Microsoft software" is such that Microsoft needs to "out-perform and do better than everyone else when it comes to fixing bugs," Weber added. Microsoft has a dominant market share across various sectors, including "85 percent of government workplace productivity systems," Weber said.
In recent years, critiques of Microsoft's security patch practices have come from the CEOs of major security firms, such as "Tenable, CrowdStrike and SentinelOne," Weber noted. "In my humble opinion, the largest and most profitable software companies in the world should be doing everything they can to make the lives of CISOs easier, not harder."
Kurt Mackie is senior news producer for 1105 Media's Converge360 group.