Patch Day: Microsoft closes nasty Follina gap in diagnostic tool
Microsoft fixed a total of 56 vulnerabilities on June's Update Tuesday. These include three vulnerabilities that Microsoft classifies as critical and one 0-day vulnerability.
On Patch Day on June 14, Microsoft provided a number of updates that fix 56 vulnerabilities. That is significantly fewer than in the previous month. Microsoft classifies three vulnerabilities as critical and the rest, with the exception of one vulnerability, as high risk. The gaps affect Windows, Office, Hyper-V and Azure, among others. One vulnerability (CVE-2022-30190) is already being used for attacks. Microsoft offers only sparse details on the vulnerabilities, which you can look up yourself in the security update guide. Dustin Childs covers Update Tuesday much more clearly on the Trend Micro ZDI blog, always with an eye on admins who look after company networks.
The most recent security update for Edge (Chromium) is version 102.0.1245.41, which Microsoft made available shortly before Patch Day. It is based on Chromium 102.0.5005.124 and fixes several Chromium vulnerabilities. Google released a security update for Chrome last week.
Internet Explorer has had its day as a desktop browser in Windows. With the Windows updates in June, Microsoft is removing the browser dinosaur. It is still available as an IE mode in Edge for special cases. However, IE components used by other software remain and will continue to be maintained with security updates.
In June, Microsoft closed seven vulnerabilities in its Office products, all of which are classified as high risk. Four of the vulnerabilities are suitable for injecting and executing code with prepared Office documents (RCE: Remote Code Execution). One of these vulnerabilities (CVE-2022-30173) is in Excel. Two other RCE vulnerabilities (CVE-2022-30157 and -30158) are in SharePoint Server.
Several Windows vulnerabilities
The majority of vulnerabilities, 40 this month, are spread across the various versions of Windows (8.1 and newer) for which Microsoft still offers security updates to everyone. Windows 7 and Server 2008 R2 are still mentioned in the security reports, but only organizations participating in the paid ESU program will receive updates.
Follina gap plugged
Difficult to find in Microsoft’s update guide (even if you search for it specifically) is the RCE vulnerability in the Microsoft Windows Support Diagnostic Tool (MSDT), also known as the “Follina” vulnerability (CVE-2022-30190), which has been exploited for weeks. Attackers send specially crafted Office documents. When a recipient opens such a file, code is executed that exploits this vulnerability in the MSDT to download and execute malicious code from the network. All versions of Windows that are still supported are affected, including servers. The June updates bring a remedy.
As in May, Microsoft is again eliminating several RCE vulnerabilities in its implementation of the Lightweight Directory Access Protocol (LDAP) in June. Microsoft classifies one of the vulnerabilities (CVE-2022-30139) as critical and the other six as high risk. The CVE-2022-30136 vulnerability in the Windows Network File System (NFS) is also considered critical. Unlike in May, NFSv4.1 is affected this time.
In Microsoft’s Hyper-V virtualization solution, the manufacturer has closed the CVE-2022-30163 vulnerability, which has been identified as critical. Code in the guest could break out of the virtual machine and run on the host.
Anyone who uses the video extensions from the Microsoft Store for the AV1 and HEVC formats should once again make sure that they also receive the updates from the store. This is usually the case for computers with Internet access. Two RCE vulnerabilities affect AV1, four HEVC (H.265). There is also a vulnerability in Windows Media Center (CVE-2022-30135), which, if exploited, could give an attacker elevated privileges.
Extended Security Updates (ESU)
Companies and organizations that participate in Microsoft’s paid ESU program to secure systems running Windows 7 or Server 2008 R2 will receive updates this month that close 20 vulnerabilities. Among them is the critical Hyper-V vulnerability CVE-2022-30163.
Also in June there is a new Windows tool for removing malicious software. The next scheduled update Tuesday is July 12, 2022.