Windows Updates Patch Actively Exploited ‘Follina’ Vulnerability

Microsoft has fixed roughly 50 vulnerabilities with its June 2022 Patch Tuesday updates, including the actively exploited flaw known as Follina and tracked as CVE-2022-30190.

The Follina vulnerability can be, and has been, exploited for remote code execution using specially crafted documents. The root cause of the vulnerability has been known for at least a couple of years, but Microsoft appears to have largely ignored the issue until a researcher saw it being exploited in May.

The first attacks leveraging Follina seem to have been launched in April, but exploitation attempts have increased following its disclosure. 

A Chinese threat actor has been using it in attacks aimed at the Tibetan community and cybercriminals have been leveraging it to deliver Qbot, AsyncRAT and other malware.

While an official patch has only now been released, Microsoft made available workarounds and mitigations shortly after its disclosure.

The security hole is related to the Microsoft Support Diagnostic Tool (MSDT) and it impacts Windows 7, Windows 8.1, Windows 10, Windows 11, Windows Server 2008, Windows Server 2012, Windows Server 2016, Windows Server 2019, and Windows Server 2022. Researchers have confirmed that exploitation works against most versions of Office.

“The update for this vulnerability is in the June 2022 cumulative Windows Updates. Microsoft strongly recommends that customers install the updates to be fully protected from the vulnerability. Customers whose systems are configured to receive automatic updates do not need to take any further action,” Microsoft said in its advisory.

Microsoft’s latest Patch Tuesday updates address vulnerabilities in Windows, Office, Azure, Endpoint Configuration Manager, Visual Studio, SQL Server, and Microsoft Photos. The addressed security holes can be exploited for remote code execution, privilege escalation, information disclosure and DoS attacks.

Three advisories have a “critical” severity rating: CVE-2022-30136 (Windows NFS remote code execution), CVE-2022-30163 (Windows Hyper-V remote code execution), and CVE-2022-30139 (Windows LDAP remote code execution).

No vulnerabilities were publicly disclosed before patches were made available. In addition, a vast majority of the advisories have an “exploitation less likely” or “exploitation unlikely” exploitability rating. Only a few Windows flaws have an “exploitation more likely” rating: CVE-2022-30160, CVE-2022-30136 and CVE-2022-30147.

Microsoft has also informed users about several local information disclosure vulnerabilities patched by Intel in its processors. The flaws, rated “medium severity,” require firmware updates and a corresponding Windows update that enables a mitigation.

Trend Micro’s Zero Day Initiative (ZDI) has released a high-level analysis of this month’s patches.

It’s also worth noting that support for Internet Explorer 11 will end tomorrow, on June 15, 2022. Users have been advised to switch to the Edge web browser.

Adobe’s Patch Tuesday updates address 46 vulnerabilities affecting the software giant’s Animate, Bridge, Illustrator, InCopy, RoboHelp and InDesign products.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
