Microsoft Patch Tuesday, June 2022 Edition

Microsoft on Tuesday released software updates to fix 60 security vulnerabilities in its Windows operating systems and other software, including a zero-day flaw in all supported Microsoft Office versions on all flavors of Windows that’s seen active exploitation for at least two months now. On a lighter note, Microsoft is officially retiring its Internet Explorer (IE) web browser, which turns 27 years old this year.

Three of the bugs tackled this month earned Microsoft’s most dire “critical” label, meaning they can be exploited remotely by malware or miscreants to seize complete control over a vulnerable system. On top of the critical heap this month is CVE-2022-30190, a vulnerability in the Microsoft Support Diagnostics Tool (MSDT), a service built into Windows.

Dubbed “Follina,” the flaw became public knowledge on May 27, when a security researcher tweeted about a malicious Word document that had surprisingly low detection rates by antivirus products. Researchers soon learned that the malicious document was using a feature in Word to retrieve a HTML file from a remote server, and that HTML file in turn used MSDT to load code and execute PowerShell commands.

“What makes this new MS Word vulnerability unique is the fact that there are no macros exploited in this attack,” writes Mayuresh Dani, manager of threat research at Qualys. “Most malicious Word documents leverage the macro feature of the software to deliver their malicious payload. As a result, normal macro-based scanning methods will not work to detect Follina. All an attacker needs to do is lure a targeted user to download a Microsoft document or view an HTML file embedded with the malicious code.”

Kevin Beaumont, the researcher who gave Follina its name, penned a fairly damning account and timeline of Microsoft’s response to being alerted about the weakness. Beaumont says researchers in March 2021 told Microsoft they were able achieve the same exploit using Microsoft Teams as an example, and that Microsoft silently fixed the issue in Teams but did not patch MSDT in Windows or the attack vector in Microsoft Office.

Beaumont said other researchers on April 12, 2022 told Microsoft about active exploitation of the MSDT flaw, but Microsoft closed the ticket saying it wasn’t a security issue. Microsoft finally issued a CVE for the problem on May 30, the same day it released recommendations on how to mitigate the threat from the vulnerability.

Microsoft also is taking flak from security experts regarding a different set of flaws in its Azure cloud hosting platform. Orca Security said that back on January 4 it told Microsoft about a critical bug in Azure’s Synapse service that allowed attackers to obtain credentials to other workspaces, execute code, or leak customer credentials to data sources outside of Azure.

In an update to their research published Tuesday, Orca researchers said they were able to bypass Microsoft’s fix for the issue twice before the company put a working fix in place.

“In previous cases, vulnerabilities were fixed by the cloud providers within a few days of our disclosure to the affected vendor,” wrote Orca’s Avi Shua. “Based on our understanding of the architecture of the service, and our repeated bypasses of fixes, we think that the architecture contains underlying weaknesses that should be addressed with a more robust tenant separation mechanism. Until a better solution is implemented, we advise that all customers assess their usage of the service and refrain from storing sensitive data or keys in it.”

Amit Yoran, CEO of Tenable and a former U.S. cybersecurity czar, took Microsoft to task for silently patching an issue Tenable reported in the same Azure Synapse service.

“It was only after being told that we were going to go public, that their story changed…89 days after the initial vulnerability notification…when they privately acknowledged the severity of the security issue,” Yoran wrote in a post on LinkedIn. “To date, Microsoft customers have not been notified. Without timely and detailed disclosures, customers have no idea if they were, or are, vulnerable to attack…or if they fell victim to attack prior to a vulnerability being patched. And not notifying customers denies them the opportunity to look for evidence that they were or were not compromised, a grossly irresponsible policy.”

Also in the critical and notable stack this month is CVE-2022-30136, which is a remote code execution flaw in the Windows Network File System (NFS version 4.1) that earned a CVSS score of 9.8 (10 being the worst). Microsoft issued a very similar patch last month for vulnerabilities in NFS versions 2 and 3.

“This vulnerability could allow a remote attacker to execute privileged code on affected systems running NFS. On the surface, the only difference between the patches is that this month’s update fixes a bug in NFSV4.1, whereas last month’s bug only affected versions NSFV2.0 and NSFV3.0,” wrote Trend Micro’s Zero Day Initiative. “It’s not clear if this is a variant or a failed patch or a completely new issue. Regardless, enterprises running NFS should prioritize testing and deploying this fix.”

Beginning today, Microsoft will officially stop supporting most versions of its Internet Explorer Web browser, which was launched in August 1995. The IE desktop application will be disabled, and Windows users who wish to stick with a Microsoft browser are encouraged to move to Microsoft Edge with IE mode, which will be supported through at least 2029.

For a closer look at the patches released by Microsoft today and indexed by severity and other metrics, check out the always-useful Patch Tuesday roundup from the SANS Internet Storm Center. And it’s not a bad idea to hold off updating for a few days until Microsoft works out any kinks in the updates: AskWoody.com usually has the dirt on any patches that may be causing problems for Windows users.

As always, please consider backing up your system or at least your important documents and data before applying system updates. And if you run into any problems with these updates, please drop a note about it here in the comments.

Microsoft Patch Tuesday, May 2022 Edition

Microsoft today released updates to fix at least 74 separate security problems in its Windows operating systems and related software. This month’s patch batch includes fixes for seven “critical” flaws, as well as a zero-day vulnerability that affects all supported versions of Windows.

By all accounts, the most urgent bug Microsoft addressed this month is CVE-2022-26925, a weakness in a central component of Windows security (the “Local Security Authority” process within Windows). CVE-2022-26925 was publicly disclosed prior to today, and Microsoft says it is now actively being exploited in the wild. The flaw affects Windows 7 through 10 and Windows Server 2008 through 2022.

Greg Wiseman, product manager for Rapid7, said Microsoft has rated this vulnerability as important and assigned it a CVSS (danger) score of 8.1 (10 being the worst), although Microsoft notes that the CVSS score can be as high as 9.8 in certain situations.

“This allows attackers to perform a man-in-the-middle attack to force domain controllers to authenticate to the attacker using NTLM authentication,” Wiseman said. “This is very bad news when used in conjunction with an NTLM relay attack, potentially leading to remote code execution. This bug affects all supported versions of Windows, but Domain Controllers should be patched on a priority basis before updating other servers.”

Wiseman said the most recent time Microsoft patched a similar vulnerability — last August in CVE-2021-36942 — it was also being exploited in the wild under the name “PetitPotam.”

“CVE-2021-36942 was so bad it made CISA’s catalog of Known Exploited Vulnerabilities,” Wiseman said.

Seven of the flaws fixed today earned Microsoft’s most-dire “critical” label, which it assigns to vulnerabilities that can be exploited by malware or miscreants to remotely compromise a vulnerable Windows system without any help from the user.

Among those is CVE-2022-26937, which carries a CVSS score of 9.8, and affects services using the Windows Network File System (NFS). Trend Micro’s Zero Day Initiative notes that this bug could allow remote, unauthenticated attackers to execute code in the context of the Network File System (NFS) service on affected systems.

“NFS isn’t on by default, but it’s prevalent in environment where Windows systems are mixed with other OSes such as Linux or Unix,” ZDI’s Dustin Childs wrote. “If this describes your environment, you should definitely test and deploy this patch quickly.”

Once again, this month’s Patch Tuesday is sponsored by Windows Print Spooler, a core Windows service that keeps spooling out the security hits. May’s patches include four fixes for Print Spooler, including two information disclosure and two elevation of privilege flaws.

“All of the flaws are rated as important, and two of the three are considered more likely to be exploited,” said Satnam Narang, staff research engineer at Tenable. “Windows Print Spooler continues to remain a valuable target for attackers since PrintNightmare was disclosed nearly a year ago. Elevation of Privilege flaws in particular should be carefully prioritized, as we’ve seen ransomware groups like Conti favor them as part of its playbook.”

Other Windows components that received patches this month include .NET and Visual Studio, Microsoft Edge (Chromium-based), Microsoft Exchange Server, Office, Windows Hyper-V, Windows Authentication Methods, BitLocker, Remote Desktop Client, and Windows Point-to-Point Tunneling Protocol.

Also today, Adobe issued five security bulletins to address at least 18 flaws in Adobe CloudFusion, Framemaker, InCopy, InDesign, and Adobe Character Animator. Adobe said it is not aware of any exploits in the wild for any of the issues addressed in today’s updates.

For a more granular look at the patches released by Microsoft today and indexed by severity and other metrics, check out the always-useful Patch Tuesday roundup from the SANS Internet Storm Center. And it’s not a bad idea to hold off updating for a few days until Microsoft works out any kinks in the updates: AskWoody.com usually has the skinny on any patches that may be causing problems for Windows users.

As always, please consider backing up your system or at least your important documents and data before applying system updates. And if you run into any problems with these patches, please drop a note about it here in the comments.