Microsoft Patches Zero-Day Actively Exploited in the Wild

Microsoft patched 118 vulnerabilities in its software products and components on Aug. 9, including a flaw that attackers have exploited in the wild to run malicious code when users click on a link, according to security experts. 

The patches, part of Microsoft's regularly scheduled Patch Tuesday, fixed the zero-day vulnerability (CVE-2022-34713) and a second remote code execution (RCE) vulnerability (CVE-2022-35743) in the Microsoft Support Diagnostic Tool (MSDT) that has not yet been exploited. 

The MSDT vulnerabilities are a variant of an issue that researchers have called "DogWalk," public discussion of which began about 18 months ago, although it has been exploited only recently, Satnam Narang, a staff research engineer at cybersecurity firm Tenable, tells Dark Reading.

The MSDT vulnerabilities give attackers the ability to use the MSDT protocol through a URL contained in a document — such as a Microsoft Office Word file — that, when clicked, will execute code in the security context of the application.

"An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application," Microsoft stated in its advisory for the previous MSDT exploit. "The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights."

Security teams that cannot apply the patch can disable the MSDT URL protocol, update their Microsoft Defender detections, or rely on Protected View and Application Guard for Office to prevent the current attacks.
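The first of those workarounds, removing the MSDT URL protocol handler, can be done from an elevated PowerShell prompt. The script below is an added example and is not code from the article, Tenable or Microsoft; it assumes the handler is registered under `HKEY_CLASSES_ROOT\ms-msdt`, which is the key Microsoft named in its workaround for the earlier MSDT flaw, and it keeps an exported backup so the handler can be put back once the August update is installed.

```powershell
# Added example (not from the article): remove the ms-msdt URL protocol handler
# so documents cannot hand a URL to MSDT, and restore it after patching.
# Assumption: the handler lives at HKEY_CLASSES_ROOT\ms-msdt, as in Microsoft's
# published workaround for the earlier MSDT issue. Run as an administrator.

$HandlerKey = 'HKEY_CLASSES_ROOT\ms-msdt'
$BackupFile = Join-Path $env:ProgramData 'ms-msdt-backup.reg'

function Test-MsdtHandlerPresent {
    # $true while the ms-msdt protocol handler is still registered.
    return Test-Path -Path "Registry::$HandlerKey"
}

function Disable-MsdtHandler {
    if (-not (Test-MsdtHandlerPresent)) {
        Write-Host "ms-msdt handler already absent; nothing to do."
        return
    }
    # Export the key first so the change can be reversed after the patch lands.
    & reg.exe export $HandlerKey $BackupFile /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Backup of $HandlerKey failed; not deleting." }
    & reg.exe delete $HandlerKey /f | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Deletion of $HandlerKey failed." }
    Write-Host "ms-msdt handler removed; backup written to $BackupFile"
}

function Restore-MsdtHandler {
    if (-not (Test-Path -Path $BackupFile)) { throw "No backup found at $BackupFile" }
    & reg.exe import $BackupFile | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Import of $BackupFile failed." }
    Write-Host "ms-msdt handler restored from $BackupFile"
}

# Usage:
#   Disable-MsdtHandler   # interim workaround until the update is deployed
#   Restore-MsdtHandler   # after the August patch is confirmed installed
```

Removing the handler is a stopgap, not a substitute for the patch: it breaks MSDT-based troubleshooters until `Restore-MsdtHandler` is run, and it does nothing for the Defender signature and Office Protected View layers the article also mentions, which should stay in place regardless.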

The zero-day vulnerability and a previous one exploited in May are being used by attackers in phishing campaigns, Narang says.

"[I]t would appear that attackers are looking to take advantage of flaws within MSDT as these types of flaws are extremely valuable to launch spear-phishing attacks," he says. "We've seen flaws ... continue to be exploited years after patches have been made available. Therefore, it is vital that organizations apply the available patches as soon as possible."

Security Teams Wrestle with Patching Tsunami

The tranche of updates fixes 17 vulnerabilities rated critical and 101 rated important. Elevation-of-privilege issues dominated the patches, accounting for 64 of the CVEs, while RCE vulnerabilities make up 31 of the 118 security issues fixed in the software updates, according to Tenable's analysis of the updates. Information-disclosure vulnerabilities account for 12 of the patched vulnerabilities, and denial-of-service issues account for seven vulnerabilities. Another three vulnerabilities allowed security features to be bypassed.

The vulnerabilities — along with another 25 flaws issued by Adobe on the same day and nearly 20 issues released for Microsoft's Edge browser on Friday — highlight the workload faced by security teams on Patch Tuesday. 

"The volume of fixes released this month is markedly higher than what is normally expected in an August release," Dustin Childs, security communications manager for Trend Micro's Zero Day Initiative, wrote in a review of the updates released on Patch Tuesday. "It’s almost triple the size of last year's August release, and it's the second largest release this year."

Some companies have reported that Microsoft fixed 121 flaws, rather than 118, but that tally includes three issues in Windows Secure Boot that previously were reported through the CERT Coordination Center and are updates to third-party drivers, according to Tenable's analysis.

While the MSDT vulnerabilities are the most critical to fix, more than a third of the vulnerabilities fixed by the patches occur in local components of Microsoft Azure, including 34 vulnerabilities in Azure Site Recovery software, eight flaws in the Azure Real Time Operating Systems, and a single vulnerability for Azure Sphere and the Azure Batch Node Agent.

The updates also fix vulnerabilities in the code handling older tunneling protocols, such as Point-to-Point Protocol (PPP) and Secure Socket Tunneling Protocol (SSTP), including four vulnerabilities affecting Windows PPP and nine affecting the SSTP functionality.

"These are older protocols that should be blocked at your perimeter," Trend Micro's Childs wrote in the ZDI analysis of the patches. "However, if you're still using one of these, it’s probably because you need it, so don’t miss these patches."

Adobe Patch Tuesday

Microsoft is not the only company to drop significant monthly patches. Adobe also published updates to fix 25 vulnerabilities in five different products, including Adobe Commerce, Adobe Acrobat and Reader, Adobe Illustrator, Adobe FrameMaker, and Adobe Premiere Elements.

"None of the bugs fixed by Adobe this month are listed as publicly known or under active attack at the time of release," Childs wrote. "Adobe categorizes the majority of these updates as a deployment priority rating of 3, with the Acrobat patch being the lone exception at 2."