Application Security , Governance & Risk Management , Incident & Breach Response

No Patch Yet For Follina And DogWalk Windows 0-Days

Workaround Guidance, Temporary Fix Now Available for the Vulnerabilities
No Patch Yet For Follina And DogWalk Windows 0-Days
Image: Microsoft

Microsoft has not yet released patches for two zero-days that exploit vulnerabilities in the Microsoft Windows Support Diagnostic Tool. Follina was discovered on May 28 by a cybersecurity team in Japan known on Twitter as @nao_sec, and DogWalk, first reported to Microsoft in January 2020 but not acted upon - as described below - was rediscovered on Tuesday by a security researcher called @j00sean on Twitter.

See Also: Is Cyberstorage the New Paradigm for Data Security?

The Microsoft Support Diagnostics Tool is a utility built into Windows and designed to collect information to send to Microsoft for analysis by support personnel to help resolve problems.

Both Follina and DogWalk exploit vulnerabilities in the Microsoft Windows Support Diagnostic Tool. While Microsoft has not yet offered patches for the vulnerabilities, it has issued a workaround advisory to disable the MSDT URL protocol. The 0patch Blog also reports that a free micropatch is available for DogWalk.

Follina Vulnerability

Follina is a remote code execution vulnerability that Nao_sec researchers found when they flagged a malicious document that had been submitted to the malware-scanning service VirusTotal from an IP address in Belarus. The vulnerability "uses Word's external link to load the HTML and then uses the 'ms-msdt' scheme to execute PowerShell code," nao_sec says.

Two days later, security researcher Kevin Beaumont named this vulnerability Follina.

Microsoft was quick to acknowledged Follina, which is now known as CVE-2022-30190, on May 30. But instead of releasing a patch, it offered workaround guidance.

The advisory says the "remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word. An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights."

Workaround for Follina

In its security advisory, Microsoft details a workaround that involves adjusting the registry key on a Windows system to disable the MSDT URL protocol, which will prevent the vulnerable functionality from being invoked. The workaround can later be disabled via a further registry key tweak.

Microsoft advises disabling the MSDT URL protocol as it "prevents troubleshooters being launched as links including links throughout the operating system." It says troubleshooters can still be accessed using the Get Help application and in system settings as other or additional troubleshooters.

The following steps enable users to disable the protocol:

  1. Run Command Prompt as Administrator.
  2. To back up the registry key, execute the command reg export HKEY_CLASSES_ROOTms-msdt filename.
  3. Execute the command reg delete HKEY_CLASSES_ROOTms-msdt /f.

To undo the workaround, follow the steps below:

  1. Run Command Prompt as Administrator.
  2. To restore the registry key, execute the command reg import filename.

DogWalk Vulnerability

The DogWalk vulnerability was first publicly disclosed by security researcher Imre Rad in a January 2020 article titled "The trouble with Microsoft’s Troubleshooters." According to the article, this issue was reported to Microsoft, but the company said it was not a security issue worth fixing.

The bug was recently rediscovered and brought to public attention by security researcher @j00sean.

Workaround for DogWalk

While users wait for an official patch, 0patch - a microscopic binary patch distribution, application and removal solutions provider whose name is pronounced "zero patch" - is offering a free micropatching solution. On its blog, 0patch provides detailed instructions on how to apply the micropatch.

About the Author

Brian Pereira

Brian Pereira

Sr. Director - Editorial, ISMG

Pereira has nearly three decades of journalism experience. He is the former editor of CHIP, InformationWeek and CISO MAG. He has also written for The Times of India and The Indian Express.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.