Microsoft Patches 'Follina' Zero-Day Flaw in Monthly Security Update

Here are the Microsoft patches to prioritize in the June Patch Tuesday batch.

DARKReading

Microsoft today issued a patch for the recently disclosed and widely exploited “Follina” zero-day vulnerability in the Microsoft Support Diagnostic Tool (MSDT) as part of its scheduled security update for June.

The patch is among the more significant of the 60 security updates that the company released in total today to address vulnerabilities across its product portfolio. Microsoft assessed three of the bugs as being of critical severity: CVE-2022-30136, a remote code execution vulnerability in the Windows Network File System (NFS); CVE-2022-30163, an RCE in Windows Hyper-V; and CVE-2022-30139, a remote code execution flaw in the Windows Lightweight Directory Access Protocol (LDAP).

Microsoft assessed most of the other vulnerabilities — including many remote code execution bugs — as “important.”

Affected products included Windows, Office, Edge, Visual Studio, Windows Defender, SharePoint Server, and the Windows Lightweight Directory Access Protocol.

Fix for Follina Flaw

Security experts identified the patch for the Follina vulnerability (CVE-2022-30190) as a priority due to how actively the bug is being exploited in the wild. The MSDT bug — disclosed on May 30 — basically gives attackers a trivially easy way to execute code remotely via Office documents, even when macros are disabled. Microsoft has warned of the vulnerability allowing attackers to view or delete data, install programs, and create new accounts on compromised systems. Cyberattacks exploiting the flaw were reported at least one month prior to Microsoft’s May 30 announcement and have since then grown, fueled by the public availability of exploit code.

Andy Gill, senior security consultant at Lares Consulting, says Microsoft’s new patch for Follina prevents code injection. However, exploit code will still launch msdt.exe, he says. “Therefore, while the main risk of code execution is mitigated the software is still launched,” he says.

Johannes Ullrich, dean of research at the SANS Institute, says it’s therefore a good idea for organizations to keep Microsoft’s recommended mitigations for the flaw in place even after they install the MSDT update. “Users applying the monthly rollup will be protected but need to realize that the patch fixed the code injection vulnerability in msdt.exe. The diagnostic tool itself will still launch if a user opens an affected document.”

“Follina has been actively exploited for a couple weeks now,” Ullrich says. “[Microsoft’s] workaround will prevent msdt.exe from launching [and] should probably stay in place if it doesn’t cause any problems.”

Three Critical Flaws to Patch Now

In a blog post, Dustin Childs, communications manager at Trend Micro’s Zero Day Initiative, described the critical CVE-2022-30136 vulnerability as “eerily similar” to an NFS bug that Microsoft patched last month (CVE-2022-26937) that allows attackers to execute privileged code on vulnerable systems. Attackers can exploit the flaw by sending specially crafted RPC calls to a vulnerable server, according to ZDI. The only apparent difference in the patches is that this month’s update fixes the bug in NFS V4.1, while last month’s update pertained to two older NFS versions, he said.

“It’s not clear if this is a variant or a failed patch or a completely new issue. Regardless, enterprises running NFS should prioritize testing and deploying this fix,” Childs said.

Ullrich says this marks the third month in a row where Microsoft has issued an update to address a critical security vulnerability in NFS. “But the component is not enabled by default and so far, we do not see any exploits for these vulnerabilities,” he says.

The remote code execution vulnerability in Windows Hyper-V (CVE-2022-30163) is another patch to apply ASAP, security researchers said. Kevin Breen, director of cyber threat research at Immersive, identified it as a vulnerability that is likely to be of high value to attackers if a method for easily exploiting it is discovered. The flaw basically gives attackers a way to move from a guest virtual machine to the host in order to access all VMs running on that system. However, exploiting the flaw — at least presently — is complex and requires the attacker to win an unspecified race condition, Breen said in emailed comments.

Meanwhile, the third critical flaw (CVE-2022-30139) is one of seven LDAP flaws that Microsoft patched this month. Though the flaw is difficult to exploit, it is one in a growing number of security issues uncovered in the directory technology. In May, for instance, Microsoft issued patches for 10 LDAP flaws, Childs said. The volume of LDAP bugs in recent months makes LDAP an attractive attack target for threat actors, he noted.

Childs also cited CVE-2022-30148, an information disclosure vulnerability in the Windows Desired State Configuration (DSC) feature. The flaw is important because attackers could use it to — among other things — recover usernames and plaintext passwords from log files. “Since DSC is often used by SysAdmins to maintain machine configurations in an enterprise, there are likely some sought-after username/password combos that could be recovered,” Childs wrote. The bug also facilitates lateral movement, so organizations using DSC need to implement Microsoft’s fix for it, he said.

‘Dig a Bit Deeper’

ZDI’s analysis shows that more than half the vulnerabilities that Microsoft disclosed today are remote code execution issues. Twelve updates address elevation of privilege bugs, several of which require attackers to already have access on a system and run specially crafted code.

Breen, meanwhile, identified several other vulnerabilities organizations should address. These include two remote code execution flaws in Microsoft SharePoint Server (CVE-2022-30157 and CVE-2022-30158) that enable attackers to steal data, replace documents with malicious ones, and carry out other malicious activities. Also important in the June roundup is CVE-2022-30147, a local privilege escalation flaw in Windows Installer, which Microsoft has assigned a severity rating of 7.8. That rating belies the danger these kinds of flaws present because threat actors almost always use them in attacks, Breen said.

Chris Goettl, senior director of product management at Ivanti, advises organizations to pay attention to CVE-2022-26925, a spoofing vulnerability in the Windows LSA function for enforcing security policies. The vulnerability gives attackers a way to authenticate to domain controllers and impacts all Windows servers. Microsoft has recommended that organizations prioritize domain controllers when applying the security update.

The vulnerability has been publicly disclosed and exploits for it have been detected in the wild, Goettl says.

“The vulnerability by itself is only rated as Important by Microsoft, and the exploit code maturity is listed as unproven,” Goettl says. “But dig a bit deeper and the vulnerability is much more threatening. The vulnerability has been detected in attacks, so while code samples available publicly may be unproven, there are working exploits being used.”

Goettl also recommends that organizations review Microsoft’s FAQ for the scheduled retirement of Internet Explorer 11 desktop app on June 15, right after Patch Tuesday.

The FAQ answers many questions on what organizations can expect when the IE11 application is disabled, and how that affects different versions of Windows, including the LTSC enterprise edition. It also offers details on configuring IE mode in the Microsoft Edge browser to support legacy applications that require IE11, and more, Goettl says.

Related news

2022's most routinely exploited vulnerabilities—history repeats

What can the routinely exploited vulnerabilities of 2022 tell us, and what do we think will make it on to next year's list? The post 2022's most routinely exploited vulnerabilities—history repeats appeared first on Malwarebytes Labs.

New Attack Drops LokiBot Malware Via Malicious Macros in Word Docs

By Waqas. LokiBot, a notorious Trojan active since 2015, specializes in stealing sensitive information from Windows machines, posing a significant threat to user data. This is a post from HackRead.com.

A DIY Guide To Become An Alone Long Time Bughunter For Ordinary People

Whitepaper called Bughunter's Life-Style: A DIY guide to become an alone long time bughunter for ordinary people. Written in Spanish.

From Ransomware to Cyber Espionage: 55 Zero-Day Vulnerabilities Weaponized in 2022

As many as 55 zero-day vulnerabilities were exploited in the wild in 2022, with most of the flaws discovered in software from Microsoft, Google, and Apple. While this figure represents a decrease from the year before, when a staggering 81 zero-days were weaponized, it still represents a significant uptick in recent years of threat actors leveraging unknown security flaws to their advantage. The

CVE-2022-36957: Published | Zero Day Initiative

SolarWinds Platform was susceptible to the Deserialization of Untrusted Data. This vulnerability allows a remote adversary with Orion admin-level account access to SolarWinds Web Console to execute arbitrary commands.

CVE-2022-38108: Published | Zero Day Initiative

SolarWinds Platform was susceptible to the Deserialization of Untrusted Data. This vulnerability allows a remote adversary with Orion admin-level account access to SolarWinds Web Console to execute arbitrary commands.

CVE-2022-32277: SpiderLabs Blog

Squiz Matrix CMS 6.20 is vulnerable to an Insecure Direct Object Reference caused by failure to correctly validate authorization when submitting a request to change a user's contact details.

Most Q2 Attacks Targeted Old Microsoft Vulnerabilities

The most heavily targeted flaw last quarter was a remote code execution vulnerability in Microsoft Office that was disclosed and patched four years ago.

Microsoft Issues Patches for 121 Flaws, Including Zero-Day Under Active Attack

As many as 121 new security flaws were patched by Microsoft as part of its Patch Tuesday updates for the month of August, which also includes a fix for a Support Diagnostic Tool vulnerability that the company said is being actively exploited in the wild. Of the 121 bugs, 17 are rated Critical, 102 are rated Important, one is rated Moderate, and one is rated Low in severity. Two of the issues

Woody RAT: A new feature-rich malware spotted in the wild

The Malwarebytes Threat Intelligence team has discovered a new Remote Access Trojan that we dubbed Woody Rat used to target Russian entities. The post Woody RAT: A new feature-rich malware spotted in the wild appeared first on Malwarebytes Labs.

Microsoft Patch Tuesday June 2022: Follina RCE, NFSV4.1 RCE, LDAP RCEs and bad patches

Hello everyone! This will be an episode about the Microsoft vulnerabilities that were released on June Patch Tuesday and also between May and June Patch Tuesdays. Alternative video link (for Russia): https://vk.com/video-149273431_456239094 On June Patch Tuesday, June 14, 56 vulnerabilities were released. Between May and June Patch Tuesdays, 38 vulnerabilities were released. This gives us 94 […]

Fancy Bear Uses Nuke Threat Lure to Exploit 1-Click Bug

The APT is pairing a known Microsoft flaw with a malicious document to load malware that nabs credentials from Chrome, Firefox and Edge browsers.

Russia’s APT28 uses fear of nuclear war to spread Follina docs in Ukraine

Threat actors associated with Russian intelligence are using the fear of nuclear war to spread data-stealing malware in Ukraine. The post Russia’s APT28 uses fear of nuclear war to spread Follina docs in Ukraine appeared first on Malwarebytes Labs.

Threat Source newsletter (June 16, 2022) — Three top takeaways from Cisco Live

By Jon Munshaw. Welcome to this week’s edition of the Threat Source newsletter. I’m still decompressing from Cisco Live and the most human interaction I’ve had in a year and a half. But after spending a few days on the show floor and interacting with everyone, there are a...

CVE-2022-30139

Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2022-30141, CVE-2022-30143, CVE-2022-30146, CVE-2022-30149, CVE-2022-30153, CVE-2022-30161.

CVE-2022-30158

Microsoft SharePoint Server Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2022-30157.

CVE-2022-30163

Windows Hyper-V Remote Code Execution Vulnerability.

CVE-2022-30157

Microsoft SharePoint Server Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2022-30158.

CVE-2022-30136

Windows Network File System Remote Code Execution Vulnerability.

CVE-2022-30147

Windows Installer Elevation of Privilege Vulnerability.

CVE-2022-30148

Windows Desired State Configuration (DSC) Information Disclosure Vulnerability.

Update now!  Microsoft patches Follina, and many other security updates

Patch Tuesday for June 2022 brought a fix for Follina and many other security vulnerabilities. Time to figure out what needs to be prioritized. The post Update now!  Microsoft patches Follina, and many other security updates appeared first on Malwarebytes Labs.

Microsoft Patch Tuesday, June 2022 Edition

Microsoft on Tuesday released software updates to fix 60 security vulnerabilities in its Windows operating systems and other software, including a zero-day flaw in all supported Microsoft Office versions on all flavors of Windows that's seen active exploitation for at least two months now. On a lighter note, Microsoft is officially retiring its Internet Explorer (IE) web browser, which turns 27 years old this year.

Patch Tuesday: Microsoft Issues Fix for Actively Exploited 'Follina' Vulnerability

Microsoft officially released fixes to address an actively exploited Windows zero-day vulnerability known as Follina as part of its Patch Tuesday updates. Also addressed by the tech giant are 55 other flaws, three of which are rated Critical, 51 are rated Important, and one is rated Moderate in severity. Separately, five other shortcomings were resolved in the Microsoft Edge browser.

Microsoft Patch Tuesday for June 2022 — Snort rules and prominent vulnerabilities

By Chetan Raghuprasad. Microsoft released its monthly security update Tuesday, disclosing 55 vulnerabilities in the company’s firmware and software. One of these vulnerabilities is considered critical, 40 are listed as high severity, and the remainder is considered "moderate." The most...

Microsoft Office Word MSDTJS Code Execution

This Metasploit module generates a malicious Microsoft Word document that when loaded, will leverage the remote template feature to fetch an HTML document and then use the ms-msdt scheme to execute PowerShell code.

Follina Exploited by State-Sponsored Hackers

A government-aligned attacker tried using a Microsoft vulnerability to attack U.S. and E.U. government targets.

State-Backed Hackers Exploit Microsoft 'Follina' Bug to Target Entities in Europe and U.S

A suspected state-aligned threat actor has been attributed to a new set of attacks exploiting the Microsoft Office "Follina" vulnerability to target government entities in Europe and the U.S. Enterprise security firm Proofpoint said it blocked attempts at exploiting the remote code execution flaw, which is being tracked CVE-2022-30190 (CVSS score: 7.8). No less than 1,000 phishing messages

Fighting Follina: Application Vulnerabilities and Detection Possibilities

Although organizations should perform proper risk analysis and patch as soon as practical after there's a fix for this vulnerability, defenders still have options before that's released.

CVE-2022-30190

Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability.

FAQ: Mitigating Microsoft Office’s ‘Follina’ zero-day

FAQ for the new Follina zero-day vulnerability. What you can do to protect your computers right now. The post FAQ: Mitigating Microsoft Office’s ‘Follina’ zero-day appeared first on Malwarebytes Labs.

Threat Advisory: Zero-day vulnerability in Microsoft diagnostic tool MSDT could lead to code execution

A recently discovered zero-day vulnerability in the Microsoft Windows Support Diagnostic Tool (MSDT) made headlines over the past few days. CVE-2022-30190, also known under the name "Follina," exists when MSDT is called using the URL protocol from an application, such as Microsoft Office, Microsoft...

Chinese Hackers Begin Exploiting Latest Microsoft Office Zero-Day Vulnerability

An advanced persistent threat (APT) actor aligned with Chinese state interests has been observed weaponizing the new zero-day flaw in Microsoft Office to achieve code execution on affected systems. "TA413 CN APT spotted [in-the-wild] exploiting the Follina zero-day using URLs to deliver ZIP archives which contain Word Documents that use the technique," enterprise security firm Proofpoint said in

New Microsoft Zero-Day Attack Underway

"Follina" vulnerability in Microsoft Support Diagnostic Tool (MSDT) affects all currently supported Windows versions and can be triggered via specially crafted Office documents.

Guidance for CVE-2022-30190 Microsoft Support Diagnostic Tool Vulnerability

On Monday May 30, 2022, Microsoft issued CVE-2022-30190 regarding the Microsoft Support Diagnostic Tool (MSDT) in Windows vulnerability. A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word. An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the …

Microsoft Patch Tuesday May 2022: Edge RCE, PetitPotam LSA Spoofing, bad patches

Hello everyone! This episode will be about Microsoft Patch Tuesday for May 2022. Sorry for the delay, this month has been quite intense. As usual, I’m using my Vulristics project and going through not only the vulnerabilities that were presented on May 10th, but all the MS vulnerabilities presented by Microsoft since the previous Patch […]

Microsoft Patch Tuesday: Fixes for 0-Day and 74 Other Flaws Released

By Waqas. The latest edition of Patch Tuesday offers fixes for 7 critical flaws, including 5 RCE (remote code execution)… This is a post from HackRead.com.

Update now! Microsoft releases patches, including one for actively exploited zero-day

May's Patch Tuesday includes one actively exploited zero-day vulnerability and some other interesting ones. The post Update now! Microsoft releases patches, including one for actively exploited zero-day appeared first on Malwarebytes Labs.

Actively Exploited Zero-Day Bug Patched by Microsoft

Microsoft's May Patch Tuesday roundup also included critical fixes for a number of flaws found in infrastructure present in many enterprise and cloud environments.

Microsoft Releases Fix for New Zero-Day with May 2022 Patch Tuesday Updates

Microsoft on Tuesday rolled out fixes for as many as 74 security vulnerabilities, including one for a zero-day bug that's being actively exploited in the wild. Of the 74 issues, seven are rated Critical, 66 are rated Important, and one is rated low in severity. Two of the flaws are listed as publicly known at the time of release. These encompass 24 remote code execution (RCE), 21 elevation of

Microsoft Patch Tuesday, May 2022 Edition

Microsoft today released updates to fix at least 74 separate security problems in its Windows operating systems and related software. This month's patch batch includes fixes for seven "critical" flaws, as well as a zero-day vulnerability that affects all supported versions of Windows.

What to Patch Now: Actively Exploited Windows Zero-Day Threatens Domain Controllers

Microsoft's May 2022 Patch Tuesday contains several bugs in ubiquitous software that could affect millions of machines, researchers warn.

CVE-2022-26937

Windows Network File System Remote Code Execution Vulnerability.

CVE-2022-26925

Windows LSA Spoofing Vulnerability.

Microsoft Patch Tuesday for May 2022 — Snort rules and prominent vulnerabilities

By Jon Munshaw, with contributions from Jaeson Schultz. Microsoft returned to its normal monthly patching volume in May, disclosing and fixing 74 vulnerabilities as part of the company’s latest security update. This month’s Patch Tuesday includes seven critical vulnerabilities after Microsoft...