Microsoft Zero-Day Vulnerability Exploits
One Now Patched, One Still Unpatched
Cybersecurity is a fascinating and complicated world. It seems like every day there are news reports about a new threat of some kind, or a successful attack resulting in loss of data, loss of reputation, or loss of cash. A new zero-day vulnerability in Microsoft's products, or any other vendor's for that matter, is commonplace nowadays. The quality and accuracy of these reports vary, but if you read enough of them you'll see a few familiar storylines repeating themselves.
One of the most common stories goes like this: a smart researcher discovers a new zero-day vulnerability and warns the affected vendor. The vendor responds, sometimes quickly, sometimes slowly. While the vendor is responding and its customers are applying whatever remediations they can, attackers are already putting the zero-day to nefarious use. A fun variant of this storyline is when the vendor drags its feet, dismisses the problem, or otherwise fails to act in a timely manner, which brings me to the subject of this column: a pair of Microsoft zero-day vulnerabilities nicknamed Follina and DogWalk. As of June's Patch Tuesday, Follina is patched and DogWalk is still, well, out on a walk!
In late May 2022, security researcher Kevin Beaumont described an exploit he named “Follina” (the underlying vulnerability is tracked as CVE-2022-30190). The exploit, which at the time wasn't caught by Windows Defender, allows a malicious Word document to “…[use] the Word remote template feature to retrieve an HTML file from a remote web server, which in turn uses the ms-msdt MSProtocol URI scheme to load some code and execute some PowerShell.” The “MSDT” in that sentence refers to the Microsoft Support Diagnostic Tool, the Windows infrastructure for running “troubleshooters”: small utilities bundled with Windows 10 and later (including Windows Server 2019) that are supposed to help you resolve common problems with sound devices, printers, and so on. Note that no macros are involved: the remote template is fetched and the ms-msdt: URL is followed simply by opening the document, so the usual “don't enable macros” advice doesn't help here.
The result of this Microsoft zero-day vulnerability: opening a malicious document downloads and runs arbitrary PowerShell of the attacker's choice on your Windows machine, with the privileges of the user who opened it. Ooooops. The timeline in Beaumont's post is super interesting. This vulnerability seems to have first been publicly discussed as the subject of an undergraduate thesis in August 2020. In March 2021, it was reported to Microsoft as a security vulnerability in Microsoft Teams. Microsoft patched the issue, but only in Teams; the same ms-msdt handler weakness resurfaced in Office in March 2022 and, at that point, began to be exploited by nation-state-affiliated APT groups.
As of June 7, Microsoft hadn't released a patch; what it did do was add Follina signatures to Defender Vulnerability Management and the Defender antivirus engine. That changed a week later: Follina was patched in the June 14 Patch Tuesday release.
The Microsoft Security Response Center (MSRC) article covering this issue contains a manual mitigation: delete the HKEY_CLASSES_ROOT\ms-msdt registry subtree (after exporting it with reg.exe so you can restore it once the patch is applied). This still lets you run troubleshooters from within Windows, but doesn't allow them to be launched via ms-msdt: URLs, which is the path Follina uses. The problem is that this is a pretty manual step, and you have to do it on every endpoint.
Beaumont suggests creating a Group Policy to disable the setting that enables troubleshooter access altogether: create a new policy in the Group Policy editor and, under the Computer Configuration node, expand Administrative Templates -> System -> Troubleshooting and Diagnostics -> Scripted Diagnostics. Under that category, set “Troubleshooting: Allow users to access and run Troubleshooting Wizards” to “Disabled,” then distribute the policy as appropriate. Until you've deployed Microsoft's patch to the affected versions of Windows and Office (which, at this point, looks like Office 2013, 2016, 2019, 2021, Office Pro Plus, and Office 365 in the semi-annual channel), this mitigation is probably your best bet. Microsoft says in its CVE article that this mitigation doesn't fix the problem, but Beaumont says it does (it disables the scripted-diagnostics engine that ms-msdt: URLs hand off to), and in this case, my money's on him.
Microsoft also says that you can use Defender for Endpoint to apply the “Block all Office applications from creating child processes” rule, assuming that you’ve purchased licenses that let you run Defender for Endpoint.
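Since all three of the mitigations above are per-machine settings, here they are as one PowerShell script. This is an added example of my own, not Microsoft's or Beaumont's code. The ASR rule GUID is the documented one for “Block all Office applications from creating child processes”; the EnableDiagnostics value under the ScriptedDiagnostics policy key is my assumption about what the Group Policy setting writes when it's set to Disabled, so verify it against your own GPO results before relying on it. Run it elevated on a test machine first.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the article: apply and verify the three Follina mitigations.

# Mitigation 1 (MSRC): back up and remove the ms-msdt protocol handler so that
# ms-msdt: URLs no longer launch the diagnostic tool. Troubleshooters started from
# Settings keep working because they don't go through the URL handler.
function Disable-MsdtProtocolHandler {
    param([string]$BackupPath = "$env:ProgramData\ms-msdt-backup.reg")
    $key = 'Registry::HKEY_CLASSES_ROOT\ms-msdt'
    if (Test-Path $key) {
        # Keep a .reg export so the handler can be restored with 'reg import' after patching
        & reg.exe export 'HKEY_CLASSES_ROOT\ms-msdt' $BackupPath /y | Out-Null
        Remove-Item -Path $key -Recurse -Force
    }
    return (-not (Test-Path $key))
}

# Mitigation 2 (Beaumont): disable scripted diagnostics by policy. Writing the value
# directly behaves like a local GPO; a domain GPO that sets it will overwrite this.
# ASSUMPTION: "Troubleshooting: Allow users to access and run Troubleshooting Wizards"
# = Disabled writes EnableDiagnostics=0 under this key.
function Disable-ScriptedDiagnostics {
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnostics'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name EnableDiagnostics -PropertyType DWord -Value 0 -Force | Out-Null
    return ((Get-ItemProperty -Path $key -Name EnableDiagnostics).EnableDiagnostics -eq 0)
}

# Mitigation 3 (Microsoft): the "Block all Office applications from creating child
# processes" attack surface reduction rule. Start with -Action AuditMode if you have
# macros or add-ins that legitimately spawn processes, then switch to Enabled.
function Enable-OfficeChildProcessBlock {
    param([ValidateSet('Enabled', 'AuditMode')][string]$Action = 'Enabled')
    $ruleId = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'
    Add-MpPreference -AttackSurfaceReductionRules_Ids $ruleId -AttackSurfaceReductionRules_Actions $Action
    $prefs   = Get-MpPreference
    $ids     = @($prefs.AttackSurfaceReductionRules_Ids)
    $actions = @($prefs.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $ruleId) {
            # Action codes reported by Get-MpPreference: 0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn
            return ($actions[$i] -in @(1, 2))
        }
    }
    return $false
}

# Apply everything and print a small status table
$status = [ordered]@{
    'ms-msdt handler removed'       = Disable-MsdtProtocolHandler
    'Scripted diagnostics disabled' = Disable-ScriptedDiagnostics
    'Office child-process ASR rule' = Enable-OfficeChildProcessBlock
}
$status.GetEnumerator() | ForEach-Object {
    '{0,-32} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'NOT APPLIED' })
}
```

Two things to keep in mind when you roll this out: the ASR rule needs Microsoft Defender Antivirus to be the active AV engine on the machine, and once the June patch is deployed you'll want to re-import the exported ms-msdt key so that legitimate ms-msdt: links from Microsoft's own support pages work again.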
Introducing DogWalk, Which is Worse
In summary: Follina is a bad Microsoft zero-day vulnerability. But, as is often the case, it turns out there was (at least) one more related problem that's worse. This exploit, nicknamed DogWalk, was reported to Microsoft in January 2020 by researcher Imre Rad. Microsoft determined that this wasn't a real security threat because it requires the victim to open a file (in this case, a .diagcab file, which is a .CAB archive containing a diagnostics configuration). As it turns out, however, that initial assessment may not have been correct. That's because, as Rad describes, it's possible to get a malicious implant delivered to the logged-in user's Startup folder so that it runs each time the user logs in. The user does have to download a file, but the file is of a type that Windows SmartScreen doesn't check when it's downloaded through Edge or Chrome. This is possible because the Microsoft diagnostic tool (for which the ms-msdt protocol handler is named!) is vulnerable to a path-traversal attack: the archive is unpacked without validating its entry names, so a specially constructed path full of ..\ segments can be used to write a file to a location the caller isn't supposed to reach. As a Twitter user named j00sean shows in this video, a user who can be tricked into downloading and trying to open the malformed CAB archive will actually be installing persistent malware that isn't currently detected by Defender.
The bad news is that Microsoft offers no current mitigation for DogWalk. An effective fix will require Microsoft to change the MSDT subsystem so that it validates the file paths it unpacks from a diagnostics package and is no longer vulnerable to the path-traversal attack. There are two other mitigations that Microsoft might apply faster:
- Make MSDT honor the so-called “mark of the web,” the Zone.Identifier flag that Windows attaches to files (not only executables) downloaded from the Internet. This flag is why Windows Explorer asks you “are you sure you want to open this file?” when you try to open an executable you've downloaded from your browser, and it's what SmartScreen and Office's Protected View key off as well.
- Add detection of this specific vulnerability to Defender and Defender for Endpoint.
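The path-traversal bug and the mark-of-the-web check both come down to a few lines of logic, shown here as an added PowerShell example of my own (not Rad's exploit and not Microsoft's code). The first function is the per-entry check a safe archive extractor has to make, and the second reads the Zone.Identifier stream that browsers write to downloads. The entry names and the sample file are constructed for the demonstration; the Startup-folder path is illustrative and the file is not a real .diagcab.

```powershell
# Added example, not from the article: the per-entry path check MSDT skipped, plus a
# mark-of-the-web reader. Windows paths; run in Windows PowerShell or pwsh on Windows.

# Returns $true only if $EntryName, joined to $DestinationRoot and normalized,
# still resolves to a location under $DestinationRoot.
function Test-SafeArchiveEntryPath {
    param(
        [Parameter(Mandatory)][string]$DestinationRoot,
        [Parameter(Mandatory)][string]$EntryName
    )
    # Absolute and drive-relative entry names (\x, C:\x, C:x) are never acceptable
    if ([System.IO.Path]::IsPathRooted($EntryName)) { return $false }
    $root = [System.IO.Path]::GetFullPath($DestinationRoot).TrimEnd('\') + '\'
    # GetFullPath collapses ..\ and .\ segments, so a traversal entry ends up outside $root
    $target = [System.IO.Path]::GetFullPath((Join-Path $root $EntryName))
    return $target.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)
}

# Returns the entries that would escape the extraction folder
function Get-UnsafeArchiveEntries {
    param([string]$DestinationRoot, [string[]]$EntryNames)
    $EntryNames | Where-Object {
        -not (Test-SafeArchiveEntryPath -DestinationRoot $DestinationRoot -EntryName $_)
    }
}

# Reads the Zone.Identifier alternate data stream. Returns the ZoneId (3 = Internet,
# 4 = Restricted) or $null when the file carries no mark of the web.
function Get-MarkOfTheWebZone {
    param([Parameter(Mandatory)][string]$Path)
    try {
        $lines = Get-Content -Path $Path -Stream Zone.Identifier -ErrorAction Stop
    } catch {
        return $null
    }
    foreach ($line in $lines) {
        if ($line -match '^ZoneId=(\d+)') { return [int]$Matches[1] }
    }
    return $null
}

# --- Constructed sample data (not a real .diagcab) ---
$extractDir = Join-Path $env:TEMP 'msdt-extract'
$entries = @(
    'TS_Troubleshooter.ps1',                                   # benign
    'resources\strings.xml',                                   # benign
    '..\..\..\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\implant.exe',
    'C:\Windows\Temp\implant.exe'                              # absolute, also rejected
)
Get-UnsafeArchiveEntries -DestinationRoot $extractDir -EntryNames $entries
# Lists the traversal entry and the absolute entry; the first two pass

# Simulate a browser download by writing the Zone.Identifier stream ourselves
$sample = Join-Path $env:TEMP 'sample.diagcab'
Set-Content -Path $sample -Value 'constructed sample file'
Set-Content -Path $sample -Stream Zone.Identifier -Value "[ZoneTransfer]`r`nZoneId=3"
$zone = Get-MarkOfTheWebZone -Path $sample
if ($null -ne $zone -and $zone -ge 3) { "Downloaded from zone $zone; treat as untrusted before extracting" }
Remove-Item -Path $sample
```

The order of the two checks in Test-SafeArchiveEntryPath matters: normalizing first and then testing the prefix is the only reliable way to catch mixed forms such as `sub\..\..\x`, and the rooted-path test has to come first because GetFullPath would happily accept `C:\Windows\Temp\implant.exe` as-is. A Zone.Identifier stream only survives on NTFS volumes, which is one reason the mark of the web is a useful signal but not a security boundary on its own.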
The only other mitigation available right now comes from a company called 0patch, which makes a nifty in-memory patching tool that applies what the company calls “micropatches” to running executables. Once you install the 0patch agent, it downloads patches for the executables on your machine and applies them when the executable runs, without modifying the on-disk copy (and thus avoiding most types of file-based anti-malware checks). It's a neat idea, particularly because the company has released micropatches to fix vulnerabilities in Windows Server 2008 R2 and Windows 7 as well as Windows 10. Keep in mind, though, that an agent that modifies running processes in memory is itself a highly privileged component, so it deserves the same scrutiny you'd give any EDR tool before it goes on your fleet. And it's not a good look that you have to use a third-party solution to patch a Microsoft bug.
What Happens Next?
Zero-days are a fact of life now. Attackers and security experts both have extremely strong incentives to find them, and it’s often the case that even when a vendor gets a timely notification, they don’t realize (or agree with) the potential severity of a vulnerability and thus don’t fix it in a timely manner. The best thing you can do to protect yourself is to ensure that you have good anti-malware coverage and that, no matter what endpoint detection and response tools you have installed, you’ve got them correctly configured and widely deployed. The fact that there were two MSDT vulnerabilities floating around for more than two years should hopefully be a wakeup call to the teams at Microsoft that work on those components, but it does raise the question of whether there are more lurking horrors buried in MSDT… and what application or component the next zero-day that we cover at Practical 365 will attack.
Oh, and now you can patch Follina!
Listen to Paul Robichaux and Steve Goodman discuss these zero-day vulnerabilities in the latest Practical 365 Podcast: Zero Days, Entra, Teams API Charges, Exchange Futures & More: Practical 365 Podcast S3 Ep. 4.