Surge in CVEs as Microsoft Fixes Exploited Zero Day Bugs

Microsoft addressed 121 vulnerabilities in the August 2022 Patch Tuesday update round, including two zero-day bugs.

One of the zero-days, CVE-2022-34713, has been dubbed “DogWalk” and is a remote code execution bug in the Microsoft Windows Support Diagnostic Tool (MSDT) which has already been observed in attacks in the wild.

“This is a user targeted vulnerability meaning the attacker can target the user with a variety of social engineering tactics such as sending a specially crafted file via email or convincing the user to click on hosted web content specially crafted to exploit the vulnerability,” explained Chris Goettl, Ivanti VP of product management.

“The vulnerability affects all Windows OS versions and is rated as ‘important’ by Microsoft. Due to the public disclosure and known attacks targeting the vulnerability, it is recommended to treat this as a higher priority.”

Qualys director of vulnerability and threat research, Bharat Jogi, said DogWalk had actually been reported back in 2019 but at the time was not thought to be dangerous as it required “significant user interaction to exploit,” and there were other mitigations in place.

However, the appearance of the novel Follina zero-day, which also exploits MSDT, forced Microsoft to reconsider, he said.

The second zero-day (CVE-2022-30134) is an information disclosure vulnerability in Exchange Server that is regarded as less serious because the public disclosure doesn’t provide functional exploit code. Microsoft has provided more details on how to fix it here.

Aside from these two flaws, Microsoft fixed 17 critical CVEs, a 325% increase on July’s figures.

These include two RCE bugs in the Windows Point-to-Point Tunneling Protocol, which have a CVSS score of 9.8: CVE-2022-30133 and CVE-2022-35744.

“These vulnerabilities enable a network attack that does not require any action from the user. The attack is exploited on port 1723, causing remote execution of malicious code,” explained Action1 co-founder, Mike Walters.

“If you have a Windows Server-based remote access server (RAS) tunnel running on this port, you should change it to a less popular port. But be careful or it will cause your tunnels to fail to connect properly. Do it wisely on both sides.”
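Before deciding whether the PPTP advice above applies to a given server, an administrator needs to know whether the host is actually listening on TCP 1723 and on which interfaces. The following Python script is an added example written for this article, not code from Microsoft, Action1 or any of the quoted researchers: it parses output in the layout of Windows `netstat -an` (the sample below is constructed, not captured from a real host), keeps only TCP sockets in the LISTENING state on the PPTP control port, and flags listeners bound to the wildcard address (0.0.0.0 or [::]), since those are the ones reachable from the network. Established connections and UDP sockets are ignored. The port number and the wildcard addresses are the only assumptions built in; everything else comes from the netstat text it is given.

```python
"""Inventory PPTP control-channel listeners (TCP 1723) from netstat-style output.

Added example for illustration; it is not part of the original article and
not vendor code. Feed it the text of `netstat -an` from a Windows host.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# PPTP's control channel is TCP 1723; the tunnel data itself travels over GRE
# (IP protocol 47), which netstat does not list, so this check covers the
# control channel only.
PPTP_PORT = 1723

# Constructed sample in the Windows `netstat -an` layout (not a real capture).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1723           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1723         0.0.0.0:0              LISTENING
  TCP    10.0.0.5:1723          203.0.113.9:51234      ESTABLISHED
  TCP    [::]:1723              [::]:0                 LISTENING
  UDP    0.0.0.0:500            *:*
"""

# Addresses that mean "every interface on this host".
WILDCARD_ADDRESSES = ("0.0.0.0", "[::]")

# Proto, local endpoint, foreign endpoint, optional state (UDP rows have none).
_ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")


@dataclass(frozen=True)
class Listener:
    proto: str
    address: str
    port: int
    wildcard: bool  # True when bound to 0.0.0.0 or [::]


def split_endpoint(endpoint: str) -> tuple[str, int]:
    """Split 'host:port' (IPv4) or '[v6]:port' (IPv6) on the last colon."""
    host, _, port = endpoint.rpartition(":")
    return host, int(port)


def find_listeners(netstat_output: str, port: int = PPTP_PORT) -> list[Listener]:
    """Return every TCP LISTENING socket on `port` found in the netstat text."""
    found: list[Listener] = []
    for line in netstat_output.splitlines():
        match = _ROW.match(line)
        if not match:
            continue  # header, blank line, or a row in an unexpected layout
        proto, local, _foreign, state = match.groups()
        if proto != "TCP" or state != "LISTENING":
            continue  # skip UDP rows and established/closing TCP connections
        host, local_port = split_endpoint(local)
        if local_port != port:
            continue
        found.append(Listener(proto, host, local_port, host in WILDCARD_ADDRESSES))
    return found


def exposure_report(netstat_output: str, port: int = PPTP_PORT) -> dict:
    """Summarise whether the PPTP control port is listening and network-reachable."""
    listeners = find_listeners(netstat_output, port)
    return {
        "port": port,
        "listener_count": len(listeners),
        "network_exposed": any(item.wildcard for item in listeners),
        "bound_addresses": [item.address for item in listeners],
    }


if __name__ == "__main__":
    # Run against the constructed sample; replace with real netstat output in use.
    print(exposure_report(SAMPLE_NETSTAT))
```

A host where `network_exposed` is true has the PPTP control channel reachable on every interface, which is the situation the quoted advice concerns; a loopback-only listener is reported but not flagged as exposed. Because the parser works on text, the same function can be run over netstat output collected from many servers by whatever inventory tooling is already in place.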