icetray - Fotolia

Microsoft fixes Follina zero-day for June Patch Tuesday

A Microsoft Support Diagnostic Tool flaw disclosed on May 30 and exploited in the wild gets resolved in this month's batch of security updates.

For June Patch Tuesday, Microsoft extinguished a lingering zero-day, code-named Follina, in one of its diagnostic tools that had been actively exploited in the wild.

Microsoft resolved 61 unique vulnerabilities, three rated critical, this month. The CVE total comprises updates for six older vulnerabilities, including the zero-day in the Microsoft Support Diagnostic Tool (MSDT) and the next step in a multi-stage remediation for a Windows Distributed Component Object Model (DCOM) vulnerability. In addition to fixes for Microsoft's software products, June Patch Tuesday addressed four vulnerabilities in systems that use certain Intel processors.

Microsoft Support Diagnostic Tool zero-day resolved

Microsoft disclosed news of the Microsoft Support Diagnostic Tool (MSDT) vulnerability (CVE-2022-30190) on May 30. As part of its diagnostic functionality, MSDT can upload troubleshooting data to Microsoft's support team. Attackers found a way to exploit this transfer feature and use PowerShell to download malicious code from a remote server.

"What was particularly nasty about this vulnerability is that preview mode in Outlook and other applications will launch the vulnerability," said Todd Schell, senior product manager at Ivanti, an IT asset and endpoint management company. "If you just rolled over the document in Outlook and opened it in the preview, that would launch the attack and go out and grab the malicious code."

Initially dubbed a Microsoft Office vulnerability because the code was found in a Microsoft Word document, the CVE notes indicated any "calling application" can use the URL protocol in MSDT to exploit the vulnerability. An attacker could then perform a range of actions, including install programs, delete data or create a new account in the context of the affected user.

Security researcher Kevin Beaumont dubbed the flaw Follina, in honor of an Italian village with the area code 0438, a number he found in the malware code in a Word document that had been discovered by another security researcher who goes by nao_sec on Twitter. 

A Microsoft Security Response Center blog guided customers on how to switch off the MSDT URL protocol before the official fix arrived on the June Patch Tuesday.

Microsoft releases security updates for Intel CPU vulnerabilities

Also on June Patch Tuesday, Microsoft issued an advisory and four corrections for Intel systems affected by memory-mapped I/O (MMIO) vulnerabilities that are also known as processor MMIO "stale data" vulnerabilities.

Microsoft's advisory said attackers who successfully exploit the vulnerabilities could access privileged data in both cloud-based and on-premises scenarios. In the former setting, a malicious VM could gather information from another VM. For on-premises environments, the attacker would either need system access or use an application on the target system to take advantage of the flaws.

The four information disclosure vulnerabilities (CVE-2022-21123, CVE-2022-21125, CVE-2022-21127 and CVE-2022-21166) are rated important. Microsoft's security updates do not solve the issue but enable affected Windows systems to apply a firmware update from OEMs when they become available.

"In some cases, installing these updates will have a performance impact. We have also acted to secure our cloud services," the company wrote.

Intel's advisory labeled INTEL-SA-00615 listed the affected products with more details on the vulnerabilities.

Administrators will also want to stay on top of news related to a new side-channel attack dubbed Hertzbleed that affects all Intel CPUs (CVE-2022-24436) and some AMD processors (CVE-2022-23823). Both CPU manufacturers issued advisories that indicated a "medium" severity level for vulnerable systems and how a successful attack could lead to information disclosure.

Microsoft shores up DCOM servers

Microsoft initiated the next stage of its hardening process to the DCOM functionality in Windows with an update to CVE-2021-26414. In the first phase executed in June 2021, Microsoft applied the DCOM reinforcements to Windows clients.

This month, Microsoft distributed the update that hardens DCOM servers by default. Administrators who encounter problems can undo the change via a registry key adjustment, but the next phase will not offer this option. This could be a problem for organizations with legacy applications that have not fully tested these changes and have not contacted their vendors for guidance.

"In March of 2023, you'll no longer be able to disable this setting, so it will come enabled and you're stuck with it," Schell said.

Other security updates of note for June Patch Tuesday include:

  • A fix for a Windows Network File System (NFS) remote-code execution vulnerability (CVE-2022-30136) rated critical that affects most supported Windows Server systems. The flaw has the highest CVSS rating at 9.8 out of 10 of all the bugs this month and has a designation of "exploitation more likely" from Microsoft. Attackers on the network do not require privileges to exploit this flaw by making a specially constructed call to the NFS service.
  • Seven security updates that prevent remote-code execution vulnerabilities in the Windows Lightweight Directory Access Protocol (LDAP) used in Microsoft's client-server directory service model. Six vulnerabilities (CVE-2022-30161, CVE-2022-30153, CVE-2022-30149, CVE-2022-30146, CVE-2022-30143 and CVE-2022-30141) are rated important, while CVE-2022-30139 is rated critical.

Dig Deeper on IT operations and infrastructure management

Cloud Computing
Enterprise Desktop
Virtual Desktop