Microsoft on Tuesday released a critical-severity bulletin to warn of a newly discovered zero-day attack exploiting a remote code execution vulnerability in its flagship Windows operating system.
The vulnerability, tracked as CVE-2022-34713, affects the Microsoft Windows Support Diagnostic Tool (MSDT) and has been exploited by attackers tricking users into opening or interacting with specially crafted files.
Redmond confirmed pre-patch exploitation of the issue and acknowledged it is a variant of Dogwalk, a different security flaw that was publicly discussed in June this year.
Microsoft has struggled over the last year with security problems in the diagnostics tool. In May, the company’s security response team issued public guidance on the ongoing issues and the company believes there is an increase in hacker eyeballs looking for defects in the MSDT utility.
[ READ: Adobe Patch Tuesday: Code Execution Flaws in Acrobat, Reader ]
The CVE-2022-34713 headlines a massive Microsoft Patch Tuesday that provides cover for at least 120 documented flaws in Windows and operating system components.
According to Zero Day Initiative, a company that closely tracks software flaw warnings, this is in addition to the 17 CVEs patched in Microsoft Edge (Chromium-based) and three patches related to secure boot from CERT/CC. That brings the total number of CVEs to 141.
Of the 121 new vulnerabilities patched in this monthly batch, 17 are rated ‘critical’ and 102 are rated ‘important’. In addition to the zero-day under attack, Microsoft listed two of these vulnerabilities as publicly known.
Security experts are urging Windows fleet administrators to pay special attention to three of the bulletins that carry CVSS 9.8/10 severity scores. These include CVE-2022-30133 and CVE-2022-35744 that fix RCE problems in the Windows Point-to-Point Protocol (PPP); and CVE-2022-34691 that addresses a major privilege escalation issue in Active Directory Domain Services.
Related: Adobe Patch Tuesday: Code Execution Flaws in Acrobat, Reader
Related: Microsoft Publishes Office Symbols to Improve Bug Hunting
Related: ICS Patch Tuesday: Siemens, Schneider Electric Fix Only 11 Vulnerabilities
Related: Black Hat 2022: Ten Presentations Worth Your Time and Attention
Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.
More from Ryan Naraine
- CISA Ships ‘Untitled Goose Tool’ to Hunt for Microsoft Azure Cloud Infections
- Backslash Snags $8M Seed Financing for AppSec Tech
- Oleria Scores $8M Seed Funding for ID Authentication Technology
- Aembit Scores $16.6M Seed Funding for Workload IAM Technology
- Project Zero: Samsung Mobile Chipsets Vulnerable to Baseband Code Execution Exploits
- Rapid7 Buys Anti-Ransomware Firm Minerva Labs for $38 Million
- Microsoft Pins Outlook Zero-Day Attacks on Russian Actor, Offers Detection Script
- Microsoft Warns of Outlook Zero-Day Exploitation, Patches 80 Security Vulns
Latest News
- CISA Ships ‘Untitled Goose Tool’ to Hunt for Microsoft Azure Cloud Infections
- Critical WooCommerce Payments Vulnerability Leads to Site Takeover
- PoC Exploit Published for Just-Patched Veeam Data Backup Solution Flaw
- CISA Gets Proactive With New Pre-Ransomware Alerts
- Watch on Demand: Supply Chain & Third-Party Risk Summit Sessions
- TikTok CEO Grilled by Skeptical Lawmakers on Safety, Content
- CISA, NSA Issue Guidance for IAM Administrators
- Analysis: SEC Cybersecurity Proposals and Biden’s National Cybersecurity Strategy
