Mumbai: If there ever was a time to urgently download the latest updates for your computer, that time is right now. Microsoft has released patches for a whopping 121 vulnerabilities in its systems, with 17 of them being rated critical by Microsoft itself. This includes a Zero Day vulnerability that has been unpatched since December 2019 and is confirmed to have been exploited.
Zero Day vulnerabilities are those that come to light only when they are exploited by threat actors, and are so named because there are zero number of days between their discovery and exploitation. The vulnerability in question, commonly known as DogWalk, is the second critical vulnerability to be patched by Microsoft this year, after Follina.
The nomenclature of the vulnerability is something of a joke between ethical hackers who have been tracking it ever since researcher Imre Rad discovered its first variant in December 2019. Back then, someone reached out to researcher Kevin Beaumont, asking him to name it and Beaumont was walking his dog at the time. Beaumont, coincidentally, is the same researcher who discovered and reported Follina.
This, however, is the only funny side to the story. DogWalk is a flaw that existed in the Microsoft Support Diagnostic Tool and allows a threat actor to send an MS Word file loaded with malware to the target. Once the target opens the file, the attacker gets unhindered access to their devices and can execute any program they want to.
“Exploitation of the vulnerability requires a user opens a specially crafted file. In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file,” Microsoft stated in its update.
Ironically, when it was first reported to Microsoft, the tech giant wrote back to Rad saying that they did not regard it to be a security issue. This was the same approach that the company had initially taken towards Follina as well.
According to Microsoft’s own update, released on Tuesday, DogWalk has been actively exploited by threat actors. The Indian Computer Emergency Response Team (CERT-In), too, issued an advisory about DogWalk on Wednesday.
The slew of patches was released by Microsoft as part of its Patch Tuesday tradition, in which it releases patches for known vulnerabilities on the second Tuesday of every month.
Rad, Beaumont and a few other researchers tracking DogWalk have since then been continuously publishing warnings and updates, and expressing disappointment every time DogWalk failed to find a mention in Microsoft’s Patch Tuesday releases month after month for over two years.
Microsoft users are advised to immediately download all latest security updates, as the patches cover a wide range of software components in the Microsoft operating system, allowing attackers to access various sections of the device depending on the vulnerability, including email and log in credentials.
