
DogWalk zero-day Windows bug receives patch - but not from Microsoft

Graham Cluley

June 10, 2022


A Windows zero-day vulnerability dubbed "DogWalk" has not received an official patch yet from Microsoft, but that hasn't stopped others from offering free fixes to protect users.

The "DogWalk" flaw resides in the Microsoft Support Diagnostic Tool (MSDT), specifically in how it handles .diagcab diagnostic packages, and affects Windows versions from Windows 7 and Server 2008 onwards. It was first disclosed to the public by security researcher Imre Rad in January 2020.

DogWalk is a path traversal flaw: a file name inside a crafted diagnostic package can steer the extracted file to a location on the file system without the destination path being validated. As a result, if a user is tricked into opening such a package, malicious code could be dropped into the Windows Startup folder, where it would be executed the next time the user logs in.
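The flaw described above turns into a check a defender can run on an incoming diagnostic package before anyone opens it. The Python script below is added here as an illustration and is not code from the article, from 0patch or from Microsoft. It reads only the CFFILE directory of a Microsoft Cabinet archive (the container format .diagcab files use) and flags entries whose names contain parent-directory components or absolute paths, without ever extracting anything. The sample cabinet, the file names inside it and the traversal depth are constructed for the example and are not taken from any real exploit.

```python
"""Flag path-traversal file names in a .diagcab (Microsoft Cabinet) archive.

Added example: only the CFHEADER and the CFFILE directory are parsed. No CFDATA
block is decompressed or written to disk, so the scan is safe on hostile input.
"""
import struct
from typing import List, Tuple

MSCF = b"MSCF"
# CFHEADER fixed part: signature, reserved1, cbCabinet, reserved2, coffFiles,
# reserved3, versionMinor, versionMajor, cFolders, cFiles, flags, setID, iCabinet
CFHEADER_FMT = "<4sIIIIIBBHHHHH"
CFHEADER_LEN = struct.calcsize(CFHEADER_FMT)          # 36 bytes
CFFILE_FIXED_LEN = 16          # cbFile, uoffFolderStart, iFolder, date, time, attribs
ATTR_NAME_IS_UTF = 0x80        # attribs bit: szName is UTF-8 rather than OEM text


def parse_cab_names(data: bytes) -> List[str]:
    """Return every file name recorded in the cabinet's CFFILE directory."""
    if len(data) < CFHEADER_LEN or data[:4] != MSCF:
        raise ValueError("not a Microsoft Cabinet file")
    hdr = struct.unpack_from(CFHEADER_FMT, data, 0)
    cb_cabinet, coff_files, c_files = hdr[2], hdr[4], hdr[9]
    if cb_cabinet > len(data) or coff_files > len(data):
        raise ValueError("truncated cabinet")
    names = []
    off = coff_files
    for _ in range(c_files):
        if off + CFFILE_FIXED_LEN > len(data):
            raise ValueError("truncated CFFILE entry")
        attribs = struct.unpack_from("<H", data, off + 14)[0]
        off += CFFILE_FIXED_LEN
        end = data.find(b"\x00", off)              # szName is NUL-terminated
        if end < 0:
            raise ValueError("unterminated CFFILE name")
        encoding = "utf-8" if attribs & ATTR_NAME_IS_UTF else "cp437"
        names.append(data[off:end].decode(encoding, errors="replace"))
        off = end + 1
    return names


def traversal_findings(names: List[str]) -> List[Tuple[str, str]]:
    """Return (name, reason) for every name that escapes the extraction directory."""
    findings = []
    for name in names:
        parts = name.replace("/", "\\").split("\\")   # Windows accepts both separators
        if ".." in parts:
            findings.append((name, "parent-directory component"))
        elif name.startswith("\\") or (len(name) > 1 and name[1] == ":"):
            findings.append((name, "absolute path"))
    return findings


def scan_diagcab(data: bytes) -> List[Tuple[str, str]]:
    """Parse a cabinet and return the suspicious entries found in its directory."""
    return traversal_findings(parse_cab_names(data))


def build_cab(files: List[Tuple[str, bytes]]) -> bytes:
    """Build a minimal single-folder, uncompressed cabinet (constructed test fixture)."""
    payload = b"".join(body for _, body in files)
    cffile = b""
    uoff = 0
    for name, body in files:
        # cbFile, uoffFolderStart, iFolder, date, time, attribs (0x20 = archive)
        cffile += struct.pack("<IIHHHH", len(body), uoff, 0, 0x54C6, 0, 0x20)
        cffile += name.encode("cp437") + b"\x00"
        uoff += len(body)
    cfdata = struct.pack("<IHH", 0, len(payload), len(payload)) + payload
    coff_files = CFHEADER_LEN + 8                    # one 8-byte CFFOLDER follows the header
    coff_data = coff_files + len(cffile)
    cb_cabinet = coff_data + len(cfdata)
    header = struct.pack(CFHEADER_FMT, MSCF, 0, cb_cabinet, 0, coff_files, 0,
                         3, 1, 1, len(files), 0, 0, 0)
    folder = struct.pack("<IHH", coff_data, 1, 0)    # coffCabStart, cCFData, typeCompress=none
    return header + folder + cffile + cfdata


# Constructed sample: a benign manifest plus one traversal entry aimed at the
# per-user Startup folder. The depth and file name are illustrative only.
SAMPLE_DIAGCAB = build_cab([
    ("DiagPackage.diagpkg", b"<constructed diagnostic package manifest/>"),
    ("..\\..\\..\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.exe",
     b"MZ placeholder, not a real executable"),
])

if __name__ == "__main__":
    for name, reason in scan_diagcab(SAMPLE_DIAGCAB):
        print(f"SUSPICIOUS ({reason}): {name}")
```

Run on the constructed sample, the script reports the Startup-folder entry and stays silent on the manifest. In practice the same check would sit at a mail gateway or file-upload boundary, where a .diagcab attachment with a traversing name is reason enough to quarantine it regardless of whether the host has been patched.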

At the time Microsoft said that it would not be fixing the bug, as it did not consider the issue to meet its criteria for a security vulnerability, and "DogWalk" remained largely forgotten until last week, when another flaw in MSDT that was being actively exploited in the wild - "Follina" - made the headlines of IT media outlets.

Although Microsoft may not feel that DogWalk is worthy of fixing, there are clearly organisations and individuals who would like the software on their computers to work properly and securely, and it is for them that the 0patch micropatching service released a collection of free, unofficial patches.

"Since this is a '0day' vulnerability with no official vendor fix available, we are providing our micropatches for free until such fix becomes available," said 0patch's Mitja Kolsek.

Now, the million-dollar question is this: should you apply this third-party unofficial patch on your computer systems?

That's not a question that I can answer for you. In an ideal world, you will always use the official security patch issued directly by the software's developer, rather than one from a third party.

But if your vendor hasn't released a patch - or even seems unwilling to believe that one is required - then you need to judge for yourself whether you feel your systems might be at risk if left undefended.

Whatever you decide, the best defence is a layered defence. Don't just rely on a specific security patch; instead keep your IT systems and sensitive data defended with a variety of protection layers. That means, for instance, running an up-to-date anti-virus program and ensuring that controls are in place to limit users' levels of access, so that any file an attacker manages to drop runs with as little privilege as possible.
