Security News > 2022 > June > Microsoft fixes under-attack Windows zero-day Follina
Microsoft claims to have finally fixed the Follina zero-day flaw in Windows as part of its June Patch Tuesday batch, which included security updates to address 55 vulnerabilities.
Criminals and snoops can abuse the remote code execution bug, tracked as CVE-2022-30190, by crafting a file, such as a Word document, so that when opened it calls out to the Microsoft Windows Support Diagnostic Tool, which is then exploited to run malicious code, such spyware and ransomware.
"The update for this vulnerability is in the June 2022 cumulative Windows Updates," Redmond said in today's Follina security update.
In addition to mitigating Follina, Microsoft plugged three critical RCE flaws and said none of them have been exploited.
"This could adversely affect your ecosystem and should only be used as a temporary mitigation," it cautioned, adding a bolded warning: "You should NOT apply this mitigation unless you have installed the May 2022 Windows security updates." These fix CVE-2022-26937, another critical vuln in NFS. The next critical RCE, CVE-2022-30163, is in the Windows Hyper-V hypervisor.
While CVE-2022-30147, a Windows Installer elevation of privilege vulnerability with a CVSS score of 7.8 doesn't rank as high, severity wise, as some of the others, "This kind of vulnerability is almost always seen during a cyber attack," Breen noted.
News URL
https://go.theregister.com/feed/www.theregister.com/2022/06/15/microsoft_patch_tuesday/
Related news
- Microsoft fixes Windows Smart App Control zero-day exploited since 2018 (source)
- Microsoft says it broke some Windows 10 patching – as it fixes flaws under attack (source)
- Windows vulnerability abused braille “spaces” in zero-day attacks (source)
- Microsoft to start force-upgrading Windows 22H2 systems next month (source)
- Microsoft September 2024 Patch Tuesday fixes 4 zero-days, 79 flaws (source)
- Microsoft fixes 4 exploited zero-days and a code defect that nixed earlier security fixes (source)
- Microsoft fixes Windows Server performance issues from August updates (source)
- Patch Tuesday for September 2024: Microsoft Catches Four Zero-Day Vulnerabilities (source)
- Microsoft Issues Patches for 79 Flaws, Including 3 Actively Exploited Windows Flaws (source)
- Microsoft rolls out Office LTSC 2024 for Windows and Mac (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2022-06-15 | CVE-2022-30163 | Race Condition vulnerability in Microsoft products Windows Hyper-V Remote Code Execution Vulnerability | 8.5 |
| 2022-06-15 | CVE-2022-30147 | Unspecified vulnerability in Microsoft products Windows Installer Elevation of Privilege Vulnerability | 7.8 |
| 2022-06-01 | CVE-2022-30190 | Externally Controlled Reference to a Resource in Another Sphere vulnerability in Microsoft products A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word. | 7.8 |
| 2022-05-10 | CVE-2022-26937 | Unspecified vulnerability in Microsoft products Windows Network File System Remote Code Execution Vulnerability | 9.8 |