'Follina' Fix Issued in Microsoft's June Patch Tuesday
Microsoft on Tuesday released 55 patches for its monthly security update release.
The big-ticket item this month is bulletin CVE-2022-30190, a permanent fix to the "follina" vulnerability. Follina, a remote code execution flaw where MSDT is called using a malicious URL protocol from a calling application such as Word, was seen in the wild at the end of May.
Microsoft had initially released a workaround to block the harmful URLs from being accessed from programs like Word, as the vulnerability was being targeted in major phishing campaigns. Tuesday's update permanently plugs the hole and the workaround is no longer needed.
The good news is that the follina fix was the only actively exploited flaw in this month's smaller-than-usual patch list, and was just one of three bulletins rated "critical." However, that doesn't mean IT should deprioritize applying this month's security updates, according to Greg Wiseman, product manager at security firm Rapid7.
"None of the other CVEs being addressed this month have been previously disclosed or seen exploited yet," said Wiseman. "However, it won't be long before attackers start looking at CVE-2022-30136, a Critical Remote Code Execution (RCE) vulnerability affecting the Windows Network File System (NFS)."
If the NFS fix looks familiar, it's because Microsoft released an almost-identical fix (CVE-2022-26937) in May's security update. It's unclear whether this month's item addresses a similar flaw, or if it's a reissue of a broken patch. Weisman recommends patching it as soon as possible, even if it does feel like you've just done this about a month ago.
Finishing out the hat trick, the final critical item this month (CVE-2022-30139) also fixes a remote code execution flaw, this time in the Windows Lightweight Directory Access Protocol (LDAP). While the flaw, which affects all supported versions of Windows OS and Server, could cause malicious code to be executed on a targeted machine, exploitation is low, as an attacker would only be successful "if the MaxReceiveBuffer LDAP policy is set to a value higher than the default value," according to Microsoft. Systems with the set default value are not affected.
In keeping with recent trends, the majority of the 55 fixes all resolve remote code execution flaws, accounting for 27 of the bulletins. Elevation-of-privilege fixes came in second with 12, and information discourse followed in third with 11 bulletins. What is interesting is what this month's patch update didn't involve, according to security expert Dustin Childs.
"This is the first month in recent memory without an update for the Print Spooler," said Childs in his Zero Day Initiative blog. "We'll see if that trend continues or if this reprieve is only temporary."
Details on the remaining bulletin items (51 rated "important" and one rated "moderate) can be found on the Microsoft Security Update Guide.