Patch Tuesday: Microsoft Issues Fix for Actively Exploited ‘Follina’ Vulnerability

Microsoft officially released fixes to address an actively
exploited Windows zero-day vulnerability known as Follina as part
of its Patch Tuesday updates.

Also addressed by the tech giant are 55 other flaws[1], three of which are
rated Critical, 51 are rated Important, and one is rated Moderate
in severity. Separately, five other shortcomings[2]
were resolved in the Microsoft Edge browser.

Tracked as CVE-2022-30190[3]
(CVSS score: 7.8), the zero-day bug[4]
relates to a remote code execution vulnerability affecting the
Windows Support Diagnostic Tool (MSDT) when it’s invoked using the
“ms-msdt:” URI protocol scheme from an application such as
Word.

The vulnerability can be trivially exploited by means of a
specially crafted Word document that downloads and loads a
malicious HTML file through Word’s remote template feature. The
HTML file ultimately permits the attacker to load and execute
PowerShell code within Windows.
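The chain above has two observable stages a defender can check for without opening the document in Word: a `.docx` whose attached-template relationship points at an external HTTP(S) target, and an HTML part that references the `ms-msdt:` URI scheme. The following Python triage script is an added example written for this article, not tooling from Microsoft or from any of the cited sources. It builds two small, constructed `.docx`-like zip files in memory (they are not real Word documents) and flags the one that uses a remote template; the hostname `example.invalid` and the `ms-msdt:PLACEHOLDER` string are constructed sample values.

```python
"""Triage checks for the Follina delivery chain described above.

Constructed example for defenders. Two checks:
  1. scan_docx(): does word/_rels/settings.xml.rels carry an attachedTemplate
     relationship whose TargetMode is External and whose Target is http/https?
  2. contains_msdt_uri(): does a captured HTML body reference the ms-msdt: scheme?
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Namespace used by OOXML relationship parts (word/_rels/*.rels)
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
# Word's relationship Type for an attached template ends with this suffix
ATTACHED_TEMPLATE_SUFFIX = "/attachedTemplate"
REMOTE_SCHEMES = ("http://", "https://")
MSDT_PATTERN = re.compile(r"ms-msdt:", re.IGNORECASE)


def scan_docx(data: bytes) -> list:
    """Return a list of finding strings for a .docx given as raw bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        rels_part = "word/_rels/settings.xml.rels"
        if rels_part in z.namelist():
            root = ET.fromstring(z.read(rels_part))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if not rel.get("Type", "").endswith(ATTACHED_TEMPLATE_SUFFIX):
                    continue
                target = rel.get("Target", "")
                is_external = rel.get("TargetMode", "") == "External"
                # A local template path (e.g. Normal.dotm) is normal; an off-host
                # http/https template is the remote-template pattern used by Follina.
                if is_external and target.lower().startswith(REMOTE_SCHEMES):
                    findings.append(f"remote attachedTemplate: {target}")
    return findings


def contains_msdt_uri(html_text: str) -> bool:
    """True if a captured HTML body (proxy log, sandbox dump) references ms-msdt:."""
    return MSDT_PATTERN.search(html_text) is not None


def build_docx(template_target=None, target_mode="External") -> bytes:
    """Build a minimal, constructed .docx-like zip for testing (not a real Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if template_target is not None:
            rels = (
                f'<Relationships xmlns="{REL_NS}">'
                f'<Relationship Id="rId1" '
                f'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships{ATTACHED_TEMPLATE_SUFFIX}" '
                f'Target="{template_target}" TargetMode="{target_mode}"/>'
                f"</Relationships>"
            )
            z.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed samples: one remote template, one local template, one with none.
    suspicious = build_docx("http://example.invalid/template.html")
    local = build_docx("Normal.dotm")
    plain = build_docx()
    print("suspicious:", scan_docx(suspicious))
    print("local:", scan_docx(local))
    print("plain:", scan_docx(plain))
    # Constructed HTML body as it might appear in a proxy capture.
    sample_html = '<script>window.location.href = "ms-msdt:PLACEHOLDER";</script>'
    print("ms-msdt in html:", contains_msdt_uri(sample_html))
```

The first check is the higher-signal one: a document that fetches its template over HTTP at open time is rare in most environments and is the same relationship that carries the malicious HTML in this chain, so it is worth alerting on in mail-gateway or sandbox pipelines regardless of what the fetched file contains. The second check is only useful on the fetched body itself (the document never contains the `ms-msdt:` string), so apply it to proxy or sandbox captures rather than to the attachment.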

“An attacker who successfully exploits this vulnerability can
run arbitrary code with the privileges of the calling application,”
Microsoft said in an advisory. “The attacker can then install
programs, view, change, or delete data, or create new accounts in
the context allowed by the user’s rights.”

A crucial aspect of Follina is that exploiting the flaw does not
require the use of macros, thereby obviating the need for an
adversary to trick victims into enabling macros to trigger the
attack.

Since details of the issue surfaced late last month, it has been
subjected[5]
to widespread[6]
exploitation[7]
by different threat actors to drop a variety of payloads such as
AsyncRAT, QBot, and other information stealers. Evidence indicates
that Follina has been abused in the wild since at least April 12,
2022.

Besides CVE-2022-30190, the cumulative security update also
resolves several remote code execution flaws in Windows Network
File System (CVE-2022-30136[8]), Windows Hyper-V
(CVE-2022-30163[9]), Windows Lightweight
Directory Access Protocol, Microsoft Office, HEVC Video Extensions,
and Azure RTOS GUIX Studio.

Another security shortcoming of note is CVE-2022-30147[10] (CVSS score: 7.8), an
elevation of privilege vulnerability affecting Windows Installer
that Microsoft has marked with an “Exploitation More Likely”
assessment.

“Once an attacker has gained initial access, they can elevate
that initial level of access up to that of an administrator, where
they can disable security tools,” Kev Breen, director of cyber
threat research at Immersive Labs, said in a statement. “In the
case of ransomware attack, this leverages access to more sensitive
data before encrypting the files.”

The latest round of patches is also notable for not featuring
any updates to the Print Spooler component for the first time since
January 2022. They also arrive as Microsoft said it’s officially
retiring support[11] for Internet Explorer 11[12] starting June 15, 2022,
on Windows 10 Semi-Annual Channels and Windows 10 IoT Semi-Annual
Channels.

Software Patches from Other Vendors

In addition to Microsoft, security updates have also been
released by other vendors since the start of the month to rectify
several vulnerabilities, including —

References

  1. 55 other flaws (msrc.microsoft.com)
  2. five other shortcomings (docs.microsoft.com)
  3. CVE-2022-30190 (msrc.microsoft.com)
  4. zero-day bug (thehackernews.com)
  5. subjected (thehackernews.com)
  6. widespread (thehackernews.com)
  7. exploitation (symantec-enterprise-blogs.security.com)
  8. CVE-2022-30136 (msrc.microsoft.com)
  9. CVE-2022-30163 (msrc.microsoft.com)
  10. CVE-2022-30147 (msrc.microsoft.com)
  11. retiring support (docs.microsoft.com)
  12. Internet Explorer 11 (docs.microsoft.com)