Despite issuing patches for just 60 security bugs this month, Microsoft’s June Patch Tuesday release includes a fix for Follina, a dangerous remote code execution zero-day in the company’s Windows Support Diagnostic Tool that is being actively exploited.
According to Microsoft, attackers who successfully exploit the bug, tracked as CVE-2022-30190, can run arbitrary code with the privileges of the calling application, and install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights.
Security researchers say the bug is being exploited in the wild, and Microsoft confirms this. The vulnerability appears to affect all supported versions of Windows.
The remote code execution (RCE) vulnerability was first discovered late last month by security researchers. Microsoft advised organizations to disable the MSDT URL Protocol to prevent troubleshooters from being launched as links, including links throughout the operating system, but troubleshooters can still be accessed using the Get Help application and in system settings.
With the release of a patch, admins should prioritize the testing and deployment of this one quickly.
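For administrators who cannot deploy the June update immediately, the following script applies the MSDT URL protocol workaround mentioned above and verifies the result. It is an added example, not code from the article, from Microsoft, or from the researchers cited; the registry location of the handler (HKEY_CLASSES_ROOT\ms-msdt) and the export/delete steps follow Microsoft's published workaround, while the backup folder and the function names are this example's own choices. Run it in an elevated PowerShell session.

```powershell
# Added example (not part of the article or of Microsoft's advisory text).
# Backs up and removes the ms-msdt: URL protocol handler (the CVE-2022-30190
# workaround), then checks that the handler is really gone. The backup lets
# you restore the handler with "reg import <file>" once the June patch is on.

$keyPath   = 'Registry::HKEY_CLASSES_ROOT\ms-msdt'                 # standard handler location
$backupDir = Join-Path $env:ProgramData 'msdt-workaround'          # assumed backup folder
$backup    = Join-Path $backupDir 'ms-msdt.reg'

function Test-MsdtHandlerPresent {
    # $true while the ms-msdt: protocol handler is still registered,
    # i.e. while the workaround has NOT been applied on this host.
    return (Test-Path -Path $keyPath)
}

function Disable-MsdtHandler {
    if (-not (Test-MsdtHandlerPresent)) {
        Write-Output 'ms-msdt handler already absent; nothing to do.'
        return
    }

    New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

    # Export first so the change is reversible; abort if the export fails
    # rather than deleting a key we cannot restore.
    reg.exe export 'HKEY_CLASSES_ROOT\ms-msdt' $backup /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'Backup of ms-msdt key failed; handler left in place.' }

    reg.exe delete 'HKEY_CLASSES_ROOT\ms-msdt' /f | Out-Null
    if (Test-MsdtHandlerPresent) { throw 'ms-msdt handler still present after delete.' }

    Write-Output "ms-msdt handler removed; backup saved to $backup"
}

Disable-MsdtHandler
```

Test-MsdtHandlerPresent on its own is also a convenient inventory check: run it across a fleet to list hosts where the workaround was never applied (or where a later reg import restored the handler) and cross-reference those against patch status.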
Other bugs to note include CVE-2022-30136, a Windows Network File System (NFS) RCE bug that could allow a remote attacker to execute privileged code on an affected system running NFS. Microsoft gives this bug a CVSS of 9.8, so it is another one to test and deploy quickly.
According to Zero Day Initiative, the vulnerability research arm of cybersecurity firm Trend Micro, this bug is similar to CVE-2022-26937, another NFS bug patched last month. The only difference is that this month’s update fixes a flaw in NFSV4, whereas last month’s bug only affected NFSV2.0 and 3.0.
Claire Tills, a senior research engineer at vulnerability management firm Tenable, tells TechDecisions that Microsoft’s proposed workaround of disabling NFS version 4.1 could have adverse effects on systems, especially for organizations that have not yet applied last month’s NFS patch.
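Because the NFS workaround carries the side effects Tills describes, it helps to record the server's current protocol settings before changing anything. The script below, an added example that is not from the article, Tenable or Microsoft, reads the NFS server configuration with the NFS PowerShell module's Get-NfsServerConfiguration cmdlet and reports which protocol versions are enabled; the property names it inspects (EnableNFSV2, EnableNFSV3, EnableNFSV4) are assumed to match that cmdlet's output. It deliberately only reports; the decision to disable NFSv4.1 and restart the NFS service is left to the administrator.

```powershell
# Added example (not part of the article). Reports which NFS protocol
# versions a Windows NFS server has enabled so the CVE-2022-30136 /
# CVE-2022-26937 workaround trade-off can be assessed before acting.
# Assumes the Server for NFS role and its PowerShell module are installed.

function Get-NfsProtocolStatus {
    # Returns a small object describing the enabled NFS versions, or $null
    # when the NFS server module is not available on this host.
    if (-not (Get-Command -Name Get-NfsServerConfiguration -ErrorAction SilentlyContinue)) {
        Write-Warning 'Get-NfsServerConfiguration not found; Server for NFS is not installed here.'
        return $null
    }

    $cfg = Get-NfsServerConfiguration

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        NFSv2        = [bool]$cfg.EnableNFSV2   # property name assumed
        NFSv3        = [bool]$cfg.EnableNFSV3   # property name assumed
        NFSv4        = [bool]$cfg.EnableNFSV4   # property name assumed
    }
}

function Write-NfsWorkaroundAdvice {
    param([Parameter(Mandatory)] $Status)

    # Mirrors the caveat in the article: turning off v4.1 only helps if the
    # older versions are already patched, otherwise it just shifts exposure.
    if ($Status.NFSv4 -and ($Status.NFSv2 -or $Status.NFSv3)) {
        Write-Output 'NFSv4 and NFSv2/v3 are both enabled: confirm the May NFS patch (CVE-2022-26937) is installed before disabling v4.1.'
    } elseif ($Status.NFSv4) {
        Write-Output 'Only NFSv4 is enabled: disabling it would stop NFS service entirely; prefer deploying the June update.'
    } else {
        Write-Output 'NFSv4 is already disabled on this host.'
    }
}

$status = Get-NfsProtocolStatus
if ($status) {
    $status | Format-List
    Write-NfsWorkaroundAdvice -Status $status
}
```

Collect this output from every NFS server first; it makes the conversation about whether to accept the workaround's breakage, or simply to expedite the patch, a factual one.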
Another patch IT should prioritize is CVE-2022-30163, an RCE in Windows Hyper-V that could allow a user on a Hyper-V guest to run their code on the underlying Hyper-V host OS.
In a blog, ZDI says that the update doesn’t list the privileges the attacker’s code would run at, but any guest-to-host escape should be taken seriously.
“Microsoft notes that attack complexity is high since an attacker would need to win a race condition,” ZDI blogs. “However, we have seen many reliable exploits demonstrated that involve race conditions, so take the appropriate step to test and deploy this update.”
The last bug highlighted by ZDI, CVE-2022-30148, is a Windows Desired State Configuration information disclosure vulnerability that could be used by an attacker to recover login credentials from log files. Desired State Configuration is often used by system administrators to maintain machine configurations in an enterprise, so attackers could access some high-value usernames and passwords.
“This would also be a great bug for an attacker to move laterally within a network. If you’re using DSC, make sure you don’t miss this update,” ZDI notes.
Microsoft also issued patches for seven LDAP RCE bugs, including one with a CVSS of 9.8.
Aside from those four bugs and the seven LDAP flaws, also notable is the fact that Microsoft did not issue any patches for Print Spooler for the first time in several months after the PrintNightmare bug was discovered.
Read ZDI’s blog for more information on the other vulnerabilities patched in this release, as well as 46 Adobe vulnerabilities patched.