DogWalk zero-day Windows bug receives patch - but not from Microsoft

Graham CLULEY

June 10, 2022


A Windows zero-day vulnerability dubbed "DogWalk" has not received an official patch yet from Microsoft, but that hasn't stopped others from offering free fixes to protect users.

The "DogWalk" flaw, which resides in Microsoft's Diagnostic Tool (MSDT) and affects all Windows versions going back as far as Windows 7 and Server 2008, was first disclosed to the public by security researcher Imre Rad in January 2020.

DogWalk is a path traversal flaw: files can be saved to locations on the file system without appropriate checks on where they end up. As a result, malicious code could be dropped in the Startup folder of a Windows PC, where it would be executed the next time the user logs in.
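The missing check, seen from the defender's side, as an added example (not code from this article, Microsoft or 0patch): a save routine that works out where a supplied file name resolves before anything is written, and refuses names that leave the intended folder. It covers path traversal in general rather than MSDT specifically; the folder, function names and sample file names are constructed for illustration.

```python
import ntpath  # Windows path rules, usable on any OS

# Constructed sample folder; not taken from the article.
BASE_DIR = r"C:\Users\alice\AppData\Local\Temp\diag_out"


def safe_destination(base_dir, supplied_name):
    """Return the path for supplied_name inside base_dir, or raise ValueError."""
    name = supplied_name.replace("/", "\\")  # Windows accepts both separators
    drive, rest = ntpath.splitdrive(name)
    # Drive letters, UNC prefixes and rooted paths ignore the base folder.
    if drive or rest.startswith("\\"):
        raise ValueError("absolute path: %r" % supplied_name)
    for part in rest.split("\\"):
        # ':' selects an alternate data stream; Win32 also strips trailing
        # dots and spaces, so such names may not land where they appear to.
        if ":" in part or (part not in (".", "..") and part != part.rstrip(". ")):
            raise ValueError("ambiguous component: %r" % supplied_name)
    base = ntpath.normpath(base_dir)
    # normpath collapses '..' lexically, without touching the file system.
    candidate = ntpath.normpath(ntpath.join(base, rest))
    # Compare case-insensitively, with a trailing separator so that
    # 'diag_out_evil' is not mistaken for a child of 'diag_out'.
    if not ntpath.normcase(candidate).startswith(ntpath.normcase(base) + "\\"):
        raise ValueError("escapes base folder: %r" % supplied_name)
    return candidate


def audit(names, base_dir=BASE_DIR):
    """Map each supplied name to its resolved path or to the rejection reason."""
    results = {}
    for n in names:
        try:
            results[n] = ("ok", safe_destination(base_dir, n))
        except ValueError as exc:
            results[n] = ("rejected", str(exc))
    return results


# Constructed file names, as an untrusted package might supply them.
SAMPLES = [
    "report.xml",
    "sub/./a/../log.txt",
    r"..\..\..\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dropped.exe",
    r"C:\Windows\Temp\x.dll",
    r"..\diag_out_evil\x.txt",
]

if __name__ == "__main__":
    for name, verdict in audit(SAMPLES).items():
        print(verdict[0], name)
```

The check is lexical only: code that writes through symbolic links or junctions inside the base folder needs an additional check on the resolved path.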

At the time, Microsoft said that it would not be fixing the bug as it did not view it as satisfying its vulnerability criteria, and "DogWalk" remained largely forgotten until last week, when another flaw in MSDT that was being exploited in the wild - "Follina" - made the headlines of IT media outlets.

Although Microsoft may not feel that DogWalk is worthy of fixing, there are clearly organisations and individuals who would like the software on their computers to work properly and securely, and it is for them that the 0patch micropatching service released a collection of free, unofficial patches.

"Since this is a '0day' vulnerability with no official vendor fix available, we are providing our micropatches for free until such fix becomes available," said 0patch's Mitja Kolsek.

Now, the million-dollar question is this: should you apply this third-party unofficial patch on your computer systems?

That's not a question that I can answer for you.  In an ideal world, you will always use the official security patch issued directly by the software's developer, rather than a third party.

But if your vendor hasn't released a patch - or even seems unwilling to believe that one is required - then you need to judge for yourself whether you feel your systems might be at risk if left undefended.

Whatever you decide, the best defence is a layered defence. Don't just rely on a specific security patch; instead, keep your IT systems and sensitive data defended with a variety of protection layers, for instance by running an up-to-date anti-virus program and ensuring that controls are in place to manage users' levels of access.
