Microsoft Fixes Follina and 55 Other Vulnerabilities in June Patch Tuesday Update Cycle


Microsoft has addressed 55 vulnerabilities in its latest Patch Tuesday update cycle, June being the second consecutive month wherein the patch load was below the 100 mark. Redmond also cautioned users about the BlackCat ransomware gang targeting unpatched Exchange servers.

Microsoft’s June patch load also addresses the recently discovered Follina vulnerability (CVE-2022-30190) residing in the popular Windows troubleshooting tool Microsoft Support Diagnostic Tool (MSDT), apart from the 55 others. Follina is a severe vulnerability that can allow threat actors to remotely execute arbitrary code and take over systems using infected Word files.

Of all vulnerabilities fixed on June Patch Tuesday, Follina was the only one under active exploitation through a publicly available exploit. However, three of the remaining 55 flaws were rated critical in severity, so while the number of vulnerability patches has decreased compared to recent months, it is prudent to patch up as soon as possible.

“This month’s Patch Tuesday offers some much-needed respite for IT teams. However, there are still a few critical vulnerabilities for administrators to focus on to reduce the risk of a breach at their organization – including a particularly nasty remote code execution vulnerability in Windows Network File System (NFS),” opinedOpens a new window Automox.

Of the rest, 51 were rated important, while one was rated moderate in severity. “It’s also interesting to note what is not included in today’s release. This is the first month in recent memory without an update for the Print Spooler,” noted Dustin Childs of Trend Micro’s Zero Day Initiative.

Print Spooler is a Windows OS service that lets users print documents over locally networked printers. It has previously been associated with PrintNightmare, Evil PrinterOpens a new window , PrintDemonOpens a new window , FaxHellOpens a new window , and other security issues. “We’ll see if that trend continues or if this reprieve is only temporary,” Childs added.

See More: Microsoft Word Weaponized by Chinese Hackers to Exploit Zero-day Windows Flaw

Critical Vulnerability Fixes From June Patch Tuesday

All three critical vulnerabilities that featured in the June Patch Tuesday allow remote code execution. Of the three, CVE-2022-30136 has the highest CVSS score at 9.8. It exists in the Windows Network File System (NFS) file sharing protocol for Windows and Unix-based systems.

The May Patch Tuesday featured a similar vulnerability (CVE-2022-26937) in NFS. Last month, Redmond noted that NFSv2 or NFSv3 was exploitable through CVE-2022-26937 and that NFSv4.1 is not. This time, however, the patch for CVE-2022-30136 is for NFSv4.1.

CVE-2022-30163 (CVSS 8.5) and CVE-2022-30136 (CVSS 7.5), the remaining two critical vulnerabilities, reside in Windows Hyper-V and Windows Lightweight Directory Access Protocol (LDAP), respectively. The former is pretty complex to exploit, with an attacker needing to win an unidentified race condition. But once exploited, the threat actor could escape from a guest virtual machine to the host.

Meanwhile, CVE-2022-30147 (CVSS 7.8) isn’t as critical as the three described above, but Microsoft termed it as “exploitation more likely.”

June Patch Tuesday Vulnerability Types and Products Affected

Types of Vulnerabilities Fixed on June Patch Tuesday | Source: TenableOpens a new window

Product-wise, Windows LDAP featured the highest number of vulnerability fixes.

Product-Wise Number of Vulnerabilities | Source: Rapid7Opens a new window

Considering the June Patch Tuesday has the lowest number of vulnerabilities since February, a pattern similar to 2021, Automox said administrators “should be taking advantage of a relatively light month to prepare for what could be a heavy July.”

What Wasn’t Included in June Patch Tuesday

A noteworthy omission from June Patch Tuesday are fixes for two RCE vulnerabilities in Microsoft’s Azure Synapse Analytics. Disclosed by Tenable in March 2022, Microsoft has already rolled out fixes starting in late April. No action is required from users of the platform, used for machine learning, big data analytics, data integration and warehousing.

Tenable wrote in a blog postOpens a new window , “These flaws allow a user to escalate privileges to that of the root user within the underlying Apache Spark virtual machines, or to poison the hosts file of all nodes in an Apache Spark pool.” It could further allow lateral movement which could lead to the compromise of other Microsoft-owned infrastructure.

What’s disconcerting is that Microsoft initially refused to treat it as a security issue. “During the final days of the disclosure process, Microsoft Security Response Center (MSRC) began attempting to downplay the severity of the privilege escalation issue and classified it as a ‘best practice recommendation,’ rather than a security issue,” Tenable addedOpens a new window .

“Despite clear evidence to the contrary, MSRC declined a bounty or acknowledgement for this finding. After being notified of our intent to publish information about the vulnerabilities, Microsoft representatives reversed the prior decision, classifying these issues as security-related, demonstrating a clear lack of communication among the teams involved within Microsoft.”

The Windows-maker also waited until now to fix Follina, a critical security issue that was discovered late in May.

See More: Hive Ransomware Gang Targeting Unpatched Microsoft Exchange Servers for a Payday

BlackCat is Targeting Vulnerable Exchange Servers

Microsoft June Patch Tuesday coincides with an advisory the tech giant released, warning organizations about the BlackCat ransomware gang attacking organizations through unpatched Exchange Servers.

Affiliates of the ransomware syndicate, particularly DEV-0237 (also known as FIN12) and DEV-0504 are actively trying to deploy the BlackCat ransomware through vulnerable instances of the mail and calendering server.

BlackCat, which operates a ransomware-as-a-service model, is the latest ransomware strain being used by DEV-0237 who previously targeted organizations using Conti, Hive, and Ryuk ransomware strains.

On the other hand, DEV-0504’s use of the BlackCat ransomware comes after black hat operations using REvil, LockBit 2.0, Conti, BlackMatter, and Ryuk.

Also known as ALPHV, BlackCat has caught the attention of the FBI, which in April released an advisoryOpens a new window stating the ransomware gang has targeted at least 60 organizations globally since March 2022.

Microsoft warned that attack vectors used by BlackCat may not necessarily be the same. “While their TTPs remain largely the same (for example, using tools like Mimikatz and PsExec to deploy the ransomware payload), BlackCat-related compromises have varying entry vectors, depending on the ransomware affiliate conducting the attack,” the company said.

“Therefore, the pre-ransom steps of these attacks can also be markedly different.” As such, te company didn’t spell out exactly which vulnerabilities were being exploited by BlackCat. In one attack instance, the affiliates used credential, while in other cases, the BlackCat affiliates used these four Exchange ServerOpens a new window vulnerabilities. Microsoft clarified that the most common entry vectors are remote desktop applications and compromised credentials.

BlackCat also featured at #2 in Cyber Security Works and Ivanti’s list of ransomware gangs which exploited the most vulnerabilities in Q1 2022. For technical details and mitigation, refer Microsoft’sOpens a new window or Cisco’s detailed postOpens a new window about the ransomware gang.

Let us know if you enjoyed reading this news on LinkedInOpens a new window , TwitterOpens a new window , or FacebookOpens a new window . We would love to hear from you!