Microsoft Patch Tuesday, June 2022 Edition – Krebs on Security


Microsoft on Tuesday released software updates to fix 60 security vulnerabilities in its Windows operating systems and other software, including a zero-day bug in all supported Microsoft Office versions on all flavors of Windows that has been actively exploited for at least two months. On a lighter note, Microsoft is officially retiring its Internet Explorer (IE) web browser, which turns 27 this year.

Three of the bugs fixed this month received Microsoft’s most dire “critical” label, meaning they can be remotely exploited by malware or miscreants to take complete control of a vulnerable system. At the top of the critical heap this month is CVE-2022-30190, a weakness in the Microsoft Support Diagnostic Tool (MSDT), a service built into Windows.

Dubbed “Follina,” the bug became public knowledge on May 27, when a security researcher tweeted about a malicious Word document that had surprisingly low detection rates from antivirus products. Researchers soon found that the malicious document used a function in Word to retrieve an HTML file from a remote server, and that HTML file in turn used MSDT to load code and run PowerShell commands.

“What makes this new vulnerability in MS Word unique is that this attack does not exploit macros,” writes Mayuresh Dani, Threat Research Manager at Qualys. “Most malicious Word documents use the software’s macro functionality to deliver their malicious payload. As a result, normal macro-based scanning methods do not work to detect Follina. All an attacker needs to do is trick a targeted user into downloading a Microsoft document or viewing an HTML file with the malicious code embedded.”
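Because macro scanning misses this technique, one thing a defender can check is whether a document asks Word to fetch something from the network when it is opened. The following is an added example, not code from the original article or from Microsoft or Qualys; it assumes the remote retrieval shows up as an external relationship inside the document's OOXML package (the article does not name the Word feature), and the sample documents and `example.invalid` URLs are constructed.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

REL = "{http://schemas.openxmlformats.org/package/2006/relationships}Relationship"
MAX_PART = 1 << 20  # skip oversized .rels parts (decompression-bomb guard)

def external_targets(docx_bytes):
    """Return (part, rel_type, target) for each relationship with TargetMode="External"."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for info in zf.infolist():
            if not info.filename.endswith(".rels") or info.file_size > MAX_PART:
                continue
            # Untrusted XML: swap in a hardened parser for production use.
            root = ET.fromstring(zf.read(info))
            for rel in root.iter(REL):
                if rel.get("TargetMode") == "External":
                    rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                    hits.append((info.filename, rel_type, rel.get("Target", "")))
    return hits

def remote_loads(docx_bytes):
    """Keep external relationships that are not plain hyperlinks and point at http(s).

    Ordinary hyperlinks are only followed when clicked; other relationship types
    can be resolved by Word when the document is opened, so they deserve review.
    """
    return [h for h in external_targets(docx_bytes)
            if h[1] != "hyperlink" and h[2].lower().startswith(("http://", "https://"))]

def build_sample(rels_xml):
    """Constructed test input: a zip holding only the relationships part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()

WRAP = ('<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/'
        'relationships"><Relationship Id="rId1" Type="http://schemas.openxmlformats.org/'
        'officeDocument/2006/relationships/%s" Target="%s" TargetMode="External"/>'
        '</Relationships>')
REMOTE = WRAP % ("oleObject", "https://example.invalid/page.html")  # constructed
LINK = WRAP % ("hyperlink", "https://example.invalid/")             # constructed

if __name__ == "__main__":
    for label, xml in (("remote object", REMOTE), ("hyperlink only", LINK)):
        print(label, "->", remote_loads(build_sample(xml)))
```

A hit is a reason to triage the file, not a verdict: legitimate documents also use remote templates and linked objects.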

Kevin Beaumont, the researcher who gave Follina its name, penned quite a scathing account and timeline of Microsoft’s response to the vulnerability notification. Beaumont says that in March 2021, researchers told Microsoft that they were able to achieve the same exploit using Microsoft Teams as an example, and that Microsoft quietly fixed the issue in Teams but did not patch MSDT in Windows or the attack vector in Microsoft Office.

Beaumont said other researchers notified Microsoft of active exploitation of the MSDT flaw on April 12, 2022, but Microsoft closed the ticket on the grounds that it was not a security issue. Microsoft finally released a CVE for the issue on May 30th, the same day it published recommendations on how to mitigate the threat from the vulnerability.

Microsoft is also being criticized by security experts for another set of flaws in its Azure cloud hosting platform. Orca Security said that back on January 4th it informed Microsoft of a critical bug in the Azure Synapse service that allowed attackers to obtain credentials for other workspaces, run code, or leak customer credentials to data sources outside of Azure.

In an update to their research published Tuesday, Orca researchers said they were able to bypass Microsoft’s fix for the problem twice before the company rolled out a working fix.

“In previous instances, vulnerabilities have been remediated by cloud providers within days of our notification to the affected provider,” wrote Orca’s Avi Shua. “Based on our understanding of the architecture of the service and our repeated workarounds of fixes, we believe the architecture contains underlying weaknesses that should be addressed with a more robust tenant separation mechanism. Until a better solution is implemented, we advise all customers to review their use of the service and not store any sensitive data or keys on it.”

Amit Yoran, CEO of Tenable and a former US cybersecurity czar, took Microsoft to task for quietly patching an issue reported by Tenable in the same Azure Synapse service.

“It was only after we were told we would be going public that their story changed… 89 days after the initial notification of the vulnerability… when they privately acknowledged the seriousness of the security issue,” Yoran wrote in a post on LinkedIn. “To date, Microsoft customers have not been notified. Without timely and detailed disclosures, customers have no idea if they were or are vulnerable to an attack…or if they were attacked before a vulnerability was patched. And not notifying customers deprives them of the opportunity to search for evidence that they may or may not have been compromised, a grossly irresponsible policy.”

Also in the critical and notable stack this month is CVE-2022-30136, a remote code execution flaw in the Windows Network File System (NFS version 4.1) that scored a CVSS of 9.8 (with 10 being the worst). Microsoft released a very similar patch for vulnerabilities in NFS versions 2 and 3 last month.

“This vulnerability could allow a remote attacker to run privileged code on affected systems running NFS. On the surface, the only difference between the patches is that this month’s update fixes a bug in NFSV4.1, while last month’s bug only affected versions NFSV2.0 and NFSV3.0,” wrote Trend Micro’s Zero Day Initiative. “It’s not clear if this is a variant or a failed patch or an entirely new issue. Regardless, organizations running NFS should prioritize testing and deploying this fix.”

Effective today, Microsoft is officially ending support for most versions of its Internet Explorer web browser, introduced in August 1995. The IE desktop application will be disabled, and Windows users who want to stick with a Microsoft browser are advised to switch to Microsoft Edge with IE mode, which will be supported until at least 2029.

For a closer look at the patches released by Microsoft today, indexed by severity and other metrics, see the always-useful Patch Tuesday summary from the SANS Internet Storm Center. And it’s not a bad idea to delay the update for a few days until Microsoft works out any bugs in the updates: word usually gets around quickly about any patches that are causing problems for Windows users.

As always, remember to back up your system or at least your important documents and data before applying any system updates. And if you encounter any issues with these updates, please leave a note here in the comments.
