Microsoft released software updates on Tuesday to fix 60 security vulnerabilities in its Windows operating systems and other software, including a zero-day flaw in all supported Microsoft Office versions on all flavors of Windows that has been actively exploited for at least two months now. On a lighter note, Microsoft is officially retiring its Internet Explorer (IE) web browser, which turns 27 this year.
Three of the bugs addressed this month earned Microsoft’s most serious “critical” rating, meaning they can be remotely exploited by malware or bad guys to take full control of a vulnerable system. Also in the critical pile this month is CVE-2022-30190, a vulnerability in the Microsoft Support Diagnostic Tool (MSDT), a service built into Windows.
Nicknamed “Follina”, the flaw became public on May 27, when a security researcher tweeted about a malicious Word document that had surprisingly low detection rates by anti-virus products. Researchers quickly learned that the malicious document used a feature in Word to retrieve an HTML file from a remote server, and that HTML file in turn used MSDT to load code and execute PowerShell commands.
“What makes this new MS Word vulnerability unique is the fact that no macros are exploited in this attack,” writes Mayuresh Dani, Head of Threat Research at Qualys. “Most malicious Word documents exploit the software’s macro function to deliver their malicious payload. Therefore, normal macro-based scanning methods will not work to detect Follina. All an attacker needs to do is trick a targeted user into downloading a Microsoft document or viewing an HTML file containing the malicious code.”
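Because the chain described above involves no macros, the detection opportunity is in process lineage rather than document content. The following is an added example, not code from the article or from Microsoft: it scans constructed Sysmon-style process-creation events (JSON lines) and flags an Office application launching msdt.exe, and MSDT’s scripted-diagnostics host (sdiagnhost.exe, a detail assumed here, not stated in the article) running PowerShell.

```python
"""Process-lineage checks for the Follina (CVE-2022-30190) chain.

Added example. The sample events below are constructed, not real telemetry.
"""
import json

# Office processes that should never launch the diagnostic tool themselves.
OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Constructed Sysmon-like process-creation events, one JSON object per line.
SAMPLE_EVENTS = r"""
{"pid": 4120, "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "parent_image": "C:\\Windows\\explorer.exe", "cmdline": "WINWORD.EXE invoice.docx"}
{"pid": 4388, "image": "C:\\Windows\\System32\\msdt.exe", "parent_image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "cmdline": "msdt.exe ms-msdt:/id [constructed]"}
{"pid": 5012, "image": "C:\\Windows\\System32\\msdt.exe", "parent_image": "C:\\Windows\\System32\\control.exe", "cmdline": "msdt.exe -id NetworkDiagnosticsWeb"}
{"pid": 5200, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "parent_image": "C:\\Windows\\System32\\sdiagnhost.exe", "cmdline": "powershell.exe -nop -w hidden [constructed]"}
"""


def basename(path):
    """Lower-cased file name of a Windows path (handles either slash style)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return a rule name if the event matches the Follina lineage, else None."""
    image = basename(event["image"])
    parent = basename(event["parent_image"])
    # Rule 1: a document-handling Office app spawning MSDT. Legitimate MSDT
    # launches come from Control Panel / Settings, so control.exe is not flagged.
    if image == "msdt.exe" and parent in OFFICE_IMAGES:
        return "office_spawns_msdt"
    # Rule 2: MSDT's script host (sdiagnhost.exe, assumed here) running
    # PowerShell, matching the article's description of the payload stage.
    if image == "powershell.exe" and parent == "sdiagnhost.exe":
        return "msdt_host_runs_powershell"
    return None


def scan(jsonl):
    """Return [(pid, rule), ...] for every event that matches a rule."""
    hits = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        rule = classify(event)
        if rule:
            hits.append((event["pid"], rule))
    return hits


if __name__ == "__main__":
    for pid, rule in scan(SAMPLE_EVENTS):
        print(f"pid {pid}: {rule}")
```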
Kevin Beaumont, the researcher after whom Follina is named, wrote a pretty damning account and timeline of Microsoft’s response after being alerted to the weakness. Beaumont says researchers in March 2021 told Microsoft they were able to achieve the same exploit using Microsoft Teams as an example, and that Microsoft silently fixed the issue in Teams but did not fix MSDT in Windows or the attack vector in Microsoft Office.
Beaumont said that on April 12, 2022, other researchers notified Microsoft of active exploitation of the MSDT flaw, but Microsoft closed the ticket saying it was not a security issue. Microsoft eventually released a CVE for the issue on May 30, the same day it released recommendations on how to mitigate the threat of the vulnerability.
Microsoft is also taking heat from security researchers over a different set of flaws in its Azure cloud hosting platform. Orca Security said that on January 4 it notified Microsoft of a critical bug in the Azure Synapse service that allowed attackers to obtain credentials for other workspaces, execute code, or leak customer credentials to data sources outside of Azure.
In a research update released on Tuesday, Orca researchers said they were able to circumvent Microsoft’s fix for the problem twice before the company rolled out a working fix.
“In previous cases, vulnerabilities were patched by cloud providers within days of our disclosure to the affected provider,” wrote Orca’s Avi Shua. “Based on our understanding of the service’s architecture and our repeated patch bypasses, we believe the architecture contains underlying weaknesses that should be addressed with a more robust tenant separation mechanism. Until a better solution is implemented, we advise all customers to evaluate their use of the service and refrain from storing sensitive data or keys on it.”
Amit Yoran, CEO of Tenable and a former U.S. cybersecurity czar, criticized Microsoft for silently fixing an issue reported by Tenable in the same Azure Synapse service.
“It wasn’t until they learned we were going to go public, that their story changed…89 days after the initial vulnerability notification…when they privately acknowledged the seriousness of the security issue,” wrote Yoran in a LinkedIn post. “To date, Microsoft customers have not been notified. Without timely and detailed disclosures, customers have no idea if they were or are vulnerable to attacks…or if they suffered attacks before a vulnerability was patched. And failing to inform customers denies them the ability to seek evidence that they have or have not been compromised, a totally irresponsible policy.”
Also in the critical and notable pile this month is CVE-2022-30136, a remote code execution flaw in the Windows Network File System (NFS version 4.1) that earned a CVSS score of 9.8 (10 being the worst). Microsoft released a very similar fix for NFS version 2 and 3 vulnerabilities last month.
“This vulnerability could allow a remote attacker to execute privileged code on affected systems running NFS. Seemingly the only difference between the patches is that this month’s update fixes a bug in NFSV4.1, while last month’s bug only affected NFSV2.0 and NFSV3.0,” wrote Trend Micro’s Zero Day Initiative. “It is unclear whether this is a variant or a failed patch or a completely new issue. Regardless, companies running NFS should prioritize testing and deployment of this patch.”
Effective today, Microsoft will officially stop supporting most versions of its Internet Explorer web browser, launched in August 1995. The IE desktop application will be disabled, and Windows users who wish to retain a Microsoft browser are encouraged to upgrade to Microsoft Edge with IE mode, which will be supported until at least 2029.
For a more in-depth look at the patches released by Microsoft today, indexed by severity and other metrics, check out the always-helpful Patch Tuesday roundup from the SANS Internet Storm Center. And it’s not a bad idea to hold off on updating for a few days until Microsoft works out any kinks in the updates: AskWoody.com usually has the dirt on any patches that cause problems for Windows users.
As always, consider backing up your system or at least your important documents and data before applying system updates. And if you have any issues with these updates, please leave a note about it here in the comments.