Another zero-day vulnerability has been identified that affects the same Windows tool as Follina. While the vulnerability is not known to have been exploited in the wild, the bug is exploitable and the recent interest and widespread exploitation of the Follina vulnerability make exploitation of this flaw more likely.
The vulnerability affects the Microsoft Diagnostic Tool (MSDT) and is a path traversal flaw that can be exploited to copy an executable file to the Windows Startup folder. The vulnerability can be exploited by sending a specially crafted .diagcab file via email or convincing a user to download the file from the Internet. .diagcab files are Cabinet files that include a diagnostic configuration file. In this attack, once the startup entry is implanted, the executable file will be run the next time Windows is restarted.
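Because a .diagcab file is an ordinary Cabinet archive, a download or mail filter can recognize one from its content as well as from its extension. The following sketch is an added example, not code from Microsoft or 0Patch; the function names are hypothetical, and it assumes the diagnostic configuration file inside the cabinet carries a .diagcfg (or .diagpkg) extension.

```python
import struct

CFHEADER = struct.Struct("<4sIIIIIBBHHHHH")  # fixed 36-byte cabinet header
CFFILE = struct.Struct("<IIHHHH")            # 16 bytes, then a NUL-terminated name
DIAG_MEMBERS = (".diagcfg", ".diagpkg")      # assumed diagnostic member extensions

def cab_member_names(data: bytes) -> list[str]:
    """Return the member names of a Cabinet archive; ValueError if it is not one."""
    if len(data) < CFHEADER.size:
        raise ValueError("too short for a cabinet header")
    fields = CFHEADER.unpack_from(data)
    signature, files_offset, file_count = fields[0], fields[4], fields[9]
    if signature != b"MSCF":
        raise ValueError("missing MSCF signature")
    names, pos = [], files_offset
    for _ in range(file_count):
        pos += CFFILE.size                   # skip size, offsets, date, attributes
        end = data.find(b"\x00", pos)
        if end == -1:
            raise ValueError("truncated CFFILE entry")
        names.append(data[pos:end].decode("utf-8", "replace"))
        pos = end + 1
    return names

def classify_download(filename: str, data: bytes) -> str:
    """Return 'diagcab' for diagnostic cabinets, whatever they are named."""
    if filename.lower().endswith(".diagcab"):
        return "diagcab"
    try:
        names = cab_member_names(data)
    except ValueError:
        return "other"                       # not a cabinet at all
    if any(n.lower().endswith(DIAG_MEMBERS) for n in names):
        return "diagcab"                     # diagnostic cabinet under another name
    return "other"

def sample_cab(member: str) -> bytes:
    """Constructed test input: header plus one CFFILE entry, no folder data."""
    entry = CFFILE.pack(0, 0, 0, 0, 0, 0x20) + member.encode() + b"\x00"
    header = CFHEADER.pack(b"MSCF", 0, CFHEADER.size + len(entry), 0,
                           CFHEADER.size, 0, 3, 1, 0, 1, 0, 0, 0)
    return header + entry

if __name__ == "__main__":
    for name, blob in [("invoice.cab", sample_cab("custom.diagcfg")),
                       ("drivers.cab", sample_cab("setup.inf")),
                       ("notes.txt", b"hello")]:
        print(name, "->", classify_download(name, blob))
```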
The vulnerability was identified and publicly disclosed by security researcher Imre Rad in January 2020. Microsoft decided not to issue a fix as this was technically not a security issue, and since .diagcab files are considered unsafe they are automatically blocked in Outlook, on the web, and in other places. While Microsoft’s reasoning is understandable, there are other file types that are not technically executables and could potentially be abused, and it is possible that threat actors could try to exploit the vulnerability, especially in attacks over the Internet.
“Outlook is not the only delivery vehicle: such file is cheerfully downloaded by all major browsers including Microsoft Edge by simply visiting a website, and it only takes a single click (or mis-click) in the browser’s downloads list to have it opened,” explained 0Patch. “No warning is shown in the process, in contrast to downloading and opening any other known file capable of executing attacker’s code. From the attacker’s perspective, therefore, this is a nicely exploitable vulnerability with all Windows versions affected back to Windows 7 and Server 2008.”
Following the discovery of the Follina vulnerability, security researcher j00sean rediscovered the flaw and announced it last week. The vulnerability has been dubbed DogWalk and is considered to be sufficiently exploitable for 0Patch to develop micropatches to address the flaw.
The micropatches for the DogWalk vulnerability are being provided free of charge until Microsoft develops a patch to permanently fix the issue. The micropatches have been released for Windows 7, 10, and 11, and Windows Server 2008 R2, 2012/2012 R2, 2016, 2019, and 2022.