Late Fix For Follina on Microsoft Patch TuesdayActively Exploited Zero-Day Addressed, Plus 3 Critical RCE Exploits
Microsoft’s June Patch Tuesday finally plugs a zero-day exploit after months of warnings from security researchers about a vulnerability that allows hackers to take control of Windows machines via a word processor.
Earlier this year Microsoft said that beginning in July, customers with E3 licenses or above will be able to opt in to use Windows Autopatch, which will help administrators manage and deploy updates with rolling, automatic updates rather than manual security fixes. June's Patch Tuesday includes a belated repair for CVE-2022-30190, a remote code execution vulnerability named Follina by security researcher Kevin Beaumont due to numerical overlap from a file reference with the area code of a small Italian town.
The vulnerability works when actors send malicious Office files such as a Word document containing a link to a HTML file that executes code in the Microsoft Support Diagnostic Tool. It works even with macros disabled and when previewing, rather than opening, an Office file. Microsoft warns that an attacker who exploits Follina "can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user's rights."
Until today, Microsoft's solution was to have system administrators disable the Microsoft Support Diagnostic Tool's ability to retrieve webpages.
CVE-2022-30190 was found by cybersecurity researchers in Japan, known on Twitter as @nao_sec, on May 27. They flagged a malicious document that had been submitted to the malware-scanning service VirusTotal from an IP address in Belarus. The vulnerability, @nao_sec said at the time, used "Word's external link to load the HTML and then used the 'ms-msdt' scheme to execute PowerShell code" (see: Microsoft Office: Attackers Injecting Code Via Zero-Day Bug).
"This vulnerability has been under attack for several months. This vulnerability fix must have been a late addition this month because although it shows up in the Vulnerabilities list of the Security Guide, it was not shown in the breakdown of CVEs for each patch," says Todd Schell, principal product manager at cybersecurity firm Ivanti.
Cybersecurity firm Proofpoint earlier this month detected attackers suspected of alignment with an unnamed state actor attempting to use Follina to attack European and local U.S. government entities. In late May, it reported that hackers linked to the Chinese government had launched a campaign of sending malicious Word documents putatively from Central Tibetan Administration, the Tibetan government in exile in Dharamshala, India.
Among the other five dozen security holes plugged in June’s Patch Tuesday are vulnerabilities affecting Microsoft Windows and Windows components; Microsoft Office and Office components; .NET and Visual Studio; Microsoft Edge (Chromium-based); SharePoint server; Windows Defender; Windows Lightweight Directory Access Protocol; Windows Hyper-V Server; Windows App Store; Azure OMI, Real-Time Operating System and Service Fabric Container; and Windows Powershell.
The fixes address vulnerabilities such as privilege escalation, remote code execution, spoofing, denial of service, security feature bypass and information disclosure, the patch update page shows.
The three remote code execution rated as "critical" on the severity scale are as follows:
This is a Windows Network File System RCE exploit with a CVSS score of 9.8. This vulnerability allows remote attackers to execute privileged code on affected systems running Network File System. "The NFS service on Windows is not enabled by default, but that's no reason to be complacent. With a score of 9.8, if you're sharing files and file systems over a network with NFS, this should be high on the list to patch," says Kev Breen, director of cyberthreat research at cybersecurity firm Immersive Labs.
This is a Windows Hyper-V RCE with a CVSS score of 8.5. This bug "allows a user on a Hyper-V guest to run their code on the underlying Hyper-V host OS," says Dustin Childs, a security analyst at Zero Day Initiative, which is run by cybersecurity firm Trend Micro. Exploitation of this flaw would allow an attacker to move from a guest virtual machine to the host and access all running virtual machines.
"Microsoft has marked this vulnerability as less likely to be exploited. This is probably because the complexity is high and requires an attacker to win a race condition. What that condition is, is not disclosed. This one will be of high value to attackers if a method of easily exploiting it is discovered," says Breen.
This is a Windows Lightweight Directory Access Protocol RCE vulnerability with a CVSS score of 6.5. "Successful exploitation of this vulnerability requires an attacker to prepare the target environment to improve exploit reliability," Microsoft says.
Other Key Vulnerabilities
Other key vulnerabilities addressed in the Patch Tuesday update include CVE-2022-30157 and CVE-2022-30158. Both of these are Microsoft SharePoint Server RCE vulnerabilities and have a CVSS score of 8.8.
These would likely be abused by an attacker "who already has the initial foothold to move laterally across the network," says Breen. "This could affect organizations that use SharePoint for internal wikis or document stores. Attackers might exploit this vulnerability to steal confidential information, replace documents with new versions that contain malicious code, or create macros to infect other systems."
CVE-2022-30147, a Windows Installer Elevation of Privilege vulnerability with a CVSS score of 7.8, is marked as "more likely to be exploited" by Microsoft. This vulnerability is a local privilege escalation vulnerability that can be exploited on both desktop and server environments.
Breen says: "While the CVSS score is only a 7.8, this kind of vulnerability is almost always seen during a cyberattack. Once an attacker has gained initial access, they can elevate that initial level of access up to that of an administrator, where they can disable security tools. In the case of a ransomware attack, this leverages access to more sensitive data before encrypting the files."
End of an Era
Starting in July, for some administrators, the second Tuesday of every month will become just be another Tuesday. The technology giant, which has released patches for vulnerabilities in its software on the second Tuesday of every month since 2016, is set to enable administrators to opt in to automatic updates.
Windows Autopatch, set to be released in July for enterprise customers, will allow Microsoft to patch bugs for its users without any effort on the users' part. Windows Autopatch is also offered as a feature in Windows 10/11 Enterprise (see: Patch Tuesday to End; Microsoft Announces Windows Autopatch).