No Patch Yet For Follina And DogWalk Windows 0-Days
Workaround Guidance, Temporary Fix Now Available for the Vulnerabilities
Microsoft has not yet released patches for two zero-days that exploit vulnerabilities in the Microsoft Windows Support Diagnostic Tool. Follina was discovered on May 28 by a cybersecurity team in Japan known on Twitter as @nao_sec, and DogWalk, first reported to Microsoft in January 2020 but not acted upon - as described below - was rediscovered on Tuesday by a security researcher called @j00sean on Twitter.
The Microsoft Support Diagnostics Tool is a utility built into Windows and designed to collect information to send to Microsoft for analysis by support personnel to help resolve problems.
Both Follina and DogWalk exploit vulnerabilities in the Microsoft Windows Support Diagnostic Tool. While Microsoft has not yet offered patches for the vulnerabilities, it has issued a workaround advisory to disable the MSDT URL protocol. The 0patch Blog also reports that a free micropatch is available for DogWalk.
Follina is a remote code execution vulnerability that Nao_sec researchers found when they flagged a malicious document that had been submitted to the malware-scanning service VirusTotal from an IP address in Belarus. The vulnerability "uses Word's external link to load the HTML and then uses the 'ms-msdt' scheme to execute PowerShell code," nao_sec says.
Two days later, security researcher Kevin Beaumont named this vulnerability Follina.
Microsoft was quick to acknowledge Follina, which is now known as CVE-2022-30190, on May 30. But instead of releasing a patch, it offered workaround guidance.
The advisory says the "remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word. An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights."
Workaround for Follina
In its security advisory, Microsoft details a workaround that involves adjusting a registry key on a Windows system to disable the MSDT URL protocol, which prevents the vulnerable functionality from being invoked. The workaround can later be undone by restoring the registry key.
Microsoft advises disabling the MSDT URL protocol as it "prevents troubleshooters being launched as links including links throughout the operating system." It says troubleshooters can still be accessed using the Get Help application and in system settings as other or additional troubleshooters.
The following steps enable users to disable the protocol:
- Run Command Prompt as Administrator.
- To back up the registry key, execute the command
reg export HKEY_CLASSES_ROOT\ms-msdt filename
- Execute the command
reg delete HKEY_CLASSES_ROOT\ms-msdt /f
To undo the workaround, follow the steps below:
- Run Command Prompt as Administrator.
- To restore the registry key, execute the command
reg import filename
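The same procedure scripted for an elevated PowerShell session, as an added example that is not part of Microsoft's advisory: it backs up the ms-msdt key before deleting it, refuses to delete if the backup failed, verifies the handler is gone, and can restore it later. The backup path under ProgramData is an assumed choice; reg.exe ships with Windows.

```powershell
# Added example, not Microsoft's own script. Run from an elevated PowerShell prompt.
$KeyPath    = 'HKEY_CLASSES_ROOT\ms-msdt'
$BackupFile = Join-Path $env:ProgramData 'ms-msdt-backup.reg'   # assumed backup location

function Test-MsdtProtocolRegistered {
    # True while the ms-msdt URL handler is still registered, i.e. the
    # workaround has not been applied (or has been undone).
    return Test-Path "Registry::$KeyPath"
}

function Disable-MsdtProtocol {
    if (-not (Test-MsdtProtocolRegistered)) {
        Write-Output 'ms-msdt handler already absent; nothing to do.'
        return
    }
    # Advisory step: export the key so the change can be reverted (/y overwrites an old backup).
    & reg.exe export $KeyPath $BackupFile /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Backup to $BackupFile failed; key left in place." }
    # Advisory step: delete the handler so ms-msdt: links no longer launch MSDT.
    & reg.exe delete $KeyPath /f | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'reg delete failed; check that the prompt is elevated.' }
}

function Enable-MsdtProtocol {
    # Undo the workaround by importing the exported key.
    if (-not (Test-Path $BackupFile)) { throw "No backup found at $BackupFile." }
    & reg.exe import $BackupFile | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'reg import failed.' }
}

# Apply the workaround and confirm the handler is gone.
Disable-MsdtProtocol
if (Test-MsdtProtocolRegistered) { throw 'Workaround not applied: ms-msdt is still registered.' }
Write-Output 'ms-msdt URL protocol disabled; backup kept at ' + $BackupFile
# To revert once a patch is installed:  Enable-MsdtProtocol
```

Test-MsdtProtocolRegistered can also be run on its own from an inventory script to check which machines still have the handler registered.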
The DogWalk vulnerability was first publicly disclosed by security researcher Imre Rad in a January 2020 article titled "The trouble with Microsoft’s Troubleshooters." According to the article, this issue was reported to Microsoft, but the company said it was not a security issue worth fixing.
The bug was recently rediscovered and brought to public attention by security researcher @j00sean.
This is for sure an underrated 0day on Microsoft Support Diagnostics Tool. To summarize:
1) Persistence by startup folder.
2) MOTW bypass.
3) Not flagged by chromium-based file downloaders (Chrome, Edge or Opera).
4) Defender bypass.
All-in-one. Enjoy! https://t.co/lgTnDSxYGM
— j00sean (@j00sean) June 2, 2022
Workaround for DogWalk
While users wait for an official patch, 0patch - a provider of microscopic binary patch distribution, application and removal solutions, whose name is pronounced "zero patch" - is offering a free micropatch. On its blog, 0patch provides detailed instructions on how to apply the micropatch.