Microsoft today issued a patch for the recently disclosed and widely exploited “Follina” zero-day vulnerability in the Microsoft Support Diagnostic Tool (MSDT) as part of its scheduled security update for June.
The patch is among the more significant of the 60 security updates that the company released in total today to address vulnerabilities across its product portfolio. Microsoft assessed three of the bugs as being of critical severity: CVE-2022-30136, a remote code execution vulnerability in the Windows Network File System (NFS); CVE-2022-30163, an RCE in Windows Hyper-V; and CVE-2022-30139, a remote code execution flaw in the Windows Lightweight Access Protocol.
Microsoft assessed most of the other vulnerabilities — including many remote code execution bugs — as “important.”
Affected products included Windows, Office, Edge, Visual Studio, Windows Defender, SharePoint Server, and the Windows Lightweight Directory Access Protocol.
Fix for Follina Flaw
Security experts identified the patch for the Follina vulnerability (CVE-2022-30190) as a priority due to how actively the bug is being exploited in the wild. The MSDT bug — disclosed on May 30 — basically gives attackers a trivially easy way to execute code remotely via Office documents, even when macros are disabled. Microsoft has warned of the vulnerability allowing attackers to view or delete data, install programs, and create new accounts on compromised systems. Cyberattacks exploiting the flaw were reported at least one month prior to Microsoft’s May 30 announcement and have since then grown, fueled by the public availability of exploit code.
Andy Gill, senior security consultant at Lares Consulting, says Microsoft’s new patch for Follina prevents code injection. However, exploit code will still launch msdt.exe, he says. “Therefore, while the main risk of code execution is mitigated the software is still launched,” he says.
Johannes Ullrich, dean of research at the SANS Institute, says it’s a good idea therefore for organizations to keep Microsoft’s recommended mitigations for the flaw in place even after they install the MSDT update. “Users applying the monthly rollup will be protected but need to realize that the patch fixed the code injection vulnerability in msdt.exe. The diagnostic tool itself will still launch if a user opens an affected document.
“Follina has been actively exploited for a couple weeks now,” Ullrich says. “[Microsoft’s] workaround, will prevent msdt.exe from launching [and] should probably stay in place if it doesn’t cause any problems.”
Three Critical Flaws to Patch Now
In a blog post, Dustin Childs, communications manager at Trend Micro’s Zero Day Initiative, described the critical CVE-2022-30136 vulnerability as “eerily similar” to an NFS bug that Microsoft patched last month (CVE-2022-26937) that allows attackers to execute privileged code on vulnerable systems. Attackers can exploit the flaw by sending specially crafted RPC calls to a vulnerable server, according to ZDI. The only apparent difference in the patches is that this month’s update fixes the bug in NFS V4.1, while last month’s update pertained to two older NFS versions, he said.
“It’s not clear if this is a variant or a failed patch or a completely new issue. Regardless, enterprises running NFS should prioritize testing and deploying this fix,” Childs said.
Ullrich says this marks the third month in a row where Microsoft has issued an update to address a critical security vulnerability in NFS. “But the component is not enabled by default and so far, we do not see any exploits for these vulnerabilities,” he says.
The remote code execution vulnerability in Windows Hyper-V (CVE-2022-30163) is another patch to apply ASAP, security researchers said. Kevin Breen, director of cyber threat research at Immersive, identified it as a vulnerability that is likely going to be of high value to attackers if a method for easily exploiting it is discovered. The flaw basically gives attackers a way to move from a guest virtual machine to the host in order to access all running VM machines on that system. However, exploiting the flaw — at least presently — is complex and requires the attacker to win an unspecific race condition, Breen said in emailed comments.
Meanwhile, the third critical flaw (CVE-2022-30139) is one of seven LDAP flaws that Microsoft patched this month. Though the flaw is difficult to exploit, it is one in a growing number of security issues uncovered in the directory technology. In May, for instance, Microsoft issued patches for 10 LDAP flaws, Childs said. The volume of LDAP bugs in recent months makes LDAP an attractive attack target for threat actors, he noted.
Childs also cited CVE-2022-30148, an information disclosure vulnerability in the Windows Desired State Configuration feature. The flaw is important because attackers could use it to — among other things — recover usernames and plaintext passwords from log file. “Since DSC is often used by SysAdmins to maintain machine configurations in an enterprise, they are likely some sought-after username/password combos that could be recovered,” Childs wrote. The bug also facilitates lateral movement so organization using DSC need to implement Microsoft’s fix for it, he said.
‘Dig a Bit Deeper’
ZDI’s analysis shows that more than half the vulnerabilities that Microsoft disclosed today are remote code execution issues. Twelve updates address elevation of privilege bugs, several of which require attackers to already have access on a system and run specially crafted code.
Breen, meanwhile, identified several other vulnerabilities organizations should address. These include two remote execution flaws in Microsoft SharePoint Server (CVE-2022-30157 and CVE-2022-30158) that enable data theft, replace documents with malicious ones, and carry out other malicious activities. Also important in the June roundup is CVE-2022-30147, a local privilege escalation flaw in Windows Installer, which Microsoft has assigned a severity rating of 7.8. That rating belies the danger these kinds of flaws present because threat actors almost always use them in attacks, Breen said.
Chris Goettl, senior director of product management at Ivanti, advises organizations to pay attention to CVE-2022-26925, a spoofing vulnerability in the Windows LSA function for enforcing security policies. The vulnerability gives attackers a way to authenticate to domain controllers and impacts all Windows servers. Microsoft has recommended that organizations prioritize domain controllers when applying the security update.
The vulnerability has been publicly disclosed and vulnerabilities for it have been detected in the wild, Goettl says.
“The vulnerability by itself is only rated as Important by Microsoft, and the exploit code maturity is listed as unproven,” Goettl says. “But dig a bit deeper and the vulnerability is much more threatening. The vulnerability has been detected in attacks, so while code samples available publicly may be unproven, there are working exploits being used.”
Goettl also recommends that organizations review Microsoft’s FAQ for the scheduled retirement of Internet Explorer 11 desktop app on June 15, right after Patch Tuesday.
The FAQ answers many questions on what organizations can expect when the IE11 application will be disabled, and how that affects different versions of Windows including the LTSC enterprise edition of Windows, It also offers details on configuring IE mode in the Microsoft Edge browser to support legacy applications that require IE11, and more, Goettl says.