June 15, 2022

Microsoft on Tuesday released software updates to fix 60 security vulnerabilities in its Windows operating systems and other software, including a zero-day flaw in all supported Microsoft Office versions on all flavors of Windows that’s seen active exploitation for at least two months now. On a lighter note, Microsoft is officially retiring its Internet Explorer (IE) web browser, which turns 27 years old this year.

Three of the bugs tackled this month earned Microsoft’s most dire “critical” label, meaning they can be exploited remotely by malware or miscreants to seize complete control over a vulnerable system. On top of the critical heap this month is CVE-2022-30190, a vulnerability in the Microsoft Support Diagnostic Tool (MSDT), a troubleshooting utility built into Windows that can be launched from other applications through the ms-msdt: URL protocol handler.

Dubbed “Follina,” the flaw became public knowledge on May 27, when a security researcher tweeted about a malicious Word document that had surprisingly low detection rates by antivirus products. Researchers soon learned that the malicious document was using Word’s remote template feature to retrieve an HTML file from a remote server, and that the HTML file in turn invoked the ms-msdt: protocol handler to make MSDT load code and execute PowerShell commands, all without a macro ever running.

“What makes this new MS Word vulnerability unique is the fact that there are no macros exploited in this attack,” writes Mayuresh Dani, manager of threat research at Qualys. “Most malicious Word documents leverage the macro feature of the software to deliver their malicious payload. As a result, normal macro-based scanning methods will not work to detect Follina. All an attacker needs to do is lure a targeted user to download a Microsoft document or view an HTML file embedded with the malicious code.”

Kevin Beaumont, the researcher who gave Follina its name, penned a fairly damning account and timeline of Microsoft’s response to being alerted about the weakness. Beaumont says researchers in March 2021 told Microsoft they were able to achieve the same exploit using Microsoft Teams as an example, and that Microsoft silently fixed the issue in Teams but did not patch MSDT in Windows or the attack vector in Microsoft Office.

Beaumont said other researchers on April 12, 2022 told Microsoft about active exploitation of the MSDT flaw, but Microsoft closed the ticket saying it wasn’t a security issue. Microsoft finally issued a CVE for the problem on May 30, the same day it published guidance on how to mitigate the threat; with no patch yet available, the recommended workaround was to disable the ms-msdt: URL protocol handler by backing up and then deleting its registry key.

Microsoft also is taking flak from security experts regarding a different set of flaws in its Azure cloud hosting platform. Orca Security said that back on January 4 it told Microsoft about a critical bug in Azure’s Synapse service that allowed attackers to obtain credentials to other workspaces, execute code, or leak customer credentials to data sources outside of Azure.

In an update to their research published Tuesday, Orca researchers said they were able to bypass Microsoft’s fix for the issue twice before the company put a working fix in place.

“In previous cases, vulnerabilities were fixed by the cloud providers within a few days of our disclosure to the affected vendor,” wrote Orca’s Avi Shua. “Based on our understanding of the architecture of the service, and our repeated bypasses of fixes, we think that the architecture contains underlying weaknesses that should be addressed with a more robust tenant separation mechanism. Until a better solution is implemented, we advise that all customers assess their usage of the service and refrain from storing sensitive data or keys in it.”

Amit Yoran, CEO of Tenable and a former U.S. cybersecurity czar, took Microsoft to task for silently patching an issue Tenable reported in the same Azure Synapse service.

“It was only after being told that we were going to go public, that their story changed…89 days after the initial vulnerability notification…when they privately acknowledged the severity of the security issue,” Yoran wrote in a post on LinkedIn. “To date, Microsoft customers have not been notified. Without timely and detailed disclosures, customers have no idea if they were, or are, vulnerable to attack…or if they fell victim to attack prior to a vulnerability being patched. And not notifying customers denies them the opportunity to look for evidence that they were or were not compromised, a grossly irresponsible policy.”

Also in the critical and notable stack this month is CVE-2022-30136, which is a remote code execution flaw in the Windows Network File System (NFS version 4.1) that earned a CVSS score of 9.8 (10 being the worst). Microsoft issued a very similar patch last month for vulnerabilities in NFS versions 2 and 3.

“This vulnerability could allow a remote attacker to execute privileged code on affected systems running NFS. On the surface, the only difference between the patches is that this month’s update fixes a bug in NFSV4.1, whereas last month’s bug only affected versions NFSV2.0 and NFSV3.0,” wrote Trend Micro’s Zero Day Initiative. “It’s not clear if this is a variant or a failed patch or a completely new issue. Regardless, enterprises running NFS should prioritize testing and deploying this fix.”

Beginning today, Microsoft will officially stop supporting most versions of its Internet Explorer Web browser, which was launched in August 1995. The IE desktop application will be disabled, and Windows users who wish to stick with a Microsoft browser are encouraged to move to Microsoft Edge with IE mode, which will be supported through at least 2029.

For a closer look at the patches released by Microsoft today and indexed by severity and other metrics, check out the always-useful Patch Tuesday roundup from the SANS Internet Storm Center. And it’s not a bad idea to hold off updating for a few days until Microsoft works out any kinks in the updates: AskWoody.com usually has the dirt on any patches that may be causing problems for Windows users.

As always, please consider backing up your system or at least your important documents and data before applying system updates. And if you run into any problems with these updates, please drop a note about it here in the comments.

18 thoughts on “Microsoft Patch Tuesday, June 2022 Edition”

  1. BaliRob

    MS proved on this occasion what many of us have said especially over the past three years and that it, Microsoft, has collectively no sense of responsibility for its poor standard of repair workmanship. They have acted like criminals, changing their defence alibis trying to hide their embarrassment when others, more proficient themselves, expose their misdemeanours.

    Btw – of course I am biased – what is it now – three years – since the consecutive August and September Updates crucified my pc? MS could not care a fig for the costs incurred through their utter carelessness. I still do not have the courage to use an MS Update to this day.

  2. Jamison

    Did you mean Mosaic? “On a lighter note, Microsoft is officially retiring its Internet Explorer (IE) web browser, which turns 27 years old this year.”

    Imagine if Microsoft never duped the NCSA into a horrible deal. They licensed the code, for a percentage of their profit. MS gave it away for free. Costing themselves nothing. They robbed us.

  3. schorsch

    I will never understand, why any office product must be able to load arbitrary data from any arbitrary internet address.

    A most cordial invitation to any crook!

    This is a big flaw, not in MS-Office itself, but in the typical Microsoft-driven architecture of the typical office-network.

    Even if Microsoft traditionally propagates a free-for-all-crooks IT-environment, it is not a big thing to effectively prevent MS-Office from loading malignant code of any kind from the Internet, without impeding its obligatory functionality in any way.

    But obviously most companies preferably rely on snakeoil products like MS-Defender, IDS/IPS, Virus-scanners etc., instead of basically secured environments. Otherwise the ransomware industry could never have grown as big as it is today.

    1. Chris

      I don’t know why an Office program should load or execute any code. It should be user driven, WYSIWYG and need not even be network aware.

      1. Mahhn

        and just how are they going to maintain access to all your data then?
        yes you are 100% correct. Which is why they changed from Selling, to Leasing. It’s not ours, it’s theirs.
        Want to be really horrified, read the EULA to see what we gave access to (goog’s is worse, and FB even worsererer…).

  4. The Sunshine State

    Easy Patch Tuesday this month !

    1. Phil

      My other thought! – ‘only three this time’

      1. an_n

        They save the best for last. Then they blow those 3-4 times.

  5. Phil

    I’ve always opted to disable any form of networked feature in any type of document software, wherever & whenever possible, on my own machines or any I run into – and the others because I don’t want such behavior in my social networks!

    And then I see things like this. But I still hear hipster excuses for all the wonderful feature creeps I’m missing out on…

  6. Usemodeapt

    But the Windows 7 June update needs to mandatorily incorporate the IE 11 browser, because it is the engine tool for license activation and other resources. Follina and DogWalk appear to be fixed.

  7. Martin Graver

    Are the DC issues from May’s issues resolved in this rollup?

  8. William Kemmler

    “On a lighter note, Microsoft is officially retiring its Internet Explorer (IE) web browser, which turns 27 years old this year.”

    Yeah, right. I’ll believe that when it actually happens. Predicting they’ll simply remove any/all remaining user interface to IE and point everything to MSEdge but will leave the Trident rendering engine (MSHTML) buried deeply in the bowels of the operating system for some unknown reason to cause havoc in the future.
