
June 2022 Patch Tuesday: A Much Anticipated Fix For Follina Zero-day and DogWalk Concerns

CVE-2022-30190 (aka Follina) made a scene at the end of May and sent many network defenders scrambling to apply Microsoft's recommended mitigations. Follina allows remote code execution when the Microsoft Support Diagnostic Tool (MSDT) is invoked from a Microsoft Word document, and there are reports that the same ms-msdt protocol handler can be reached from other Windows components as well. Although Microsoft published mitigation instructions on May 30, many deferred acting until a proper fix shipped, and others may never have heard of the vulnerability in the first place. That fix has now been delivered in June's Patch Tuesday release of security fixes and should be a priority-one item for everyone.

Alongside Follina, an older vulnerability known as DogWalk also drew attention at the end of May. First reported in 2020, DogWalk never received a CVE because Microsoft did not consider it a security risk at the time it was reported. A third-party micropatch was released by 0patch on June 7, 2022, but since there are no reported active attack campaigns leveraging DogWalk at this time, some environments may reasonably wait for Microsoft to issue a fix if they consider it worth addressing.

Microsoft Vulnerabilities

The big vulnerability of the month is Follina, and it is resolved by applying the June cumulative updates or the corresponding security-only updates. It should be the primary vulnerability to focus on this month. Because the attack chain is as simple as "receive email, click the .doc attachment to preview it," it is trivial for attackers to abuse, and there are already reports of nation-state and cybercrime groups using it. Blocking .doc attachments in your email filtering solution and applying the appropriate Microsoft updates should be an ASAP action item for your teams.
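As an added example (this is not code from the original post or from N-able), the following PowerShell reports whether a host has one of the June cumulative updates installed and whether the ms-msdt protocol handler is still present. If the update is missing it applies Microsoft's May 30 workaround, which is to back up and then delete the HKEY_CLASSES_ROOT\ms-msdt key; once the update is confirmed it restores the handler from that backup so MSDT links work again. The KB list, the backup path and the function names are assumptions chosen for this example; run it from an elevated session.

```powershell
# Added example, not from the original post. Check Follina (CVE-2022-30190) state on this
# host and apply or roll back Microsoft's published ms-msdt workaround as appropriate.
# Assumption: these are the June 2022 cumulative update KBs for the builds in your fleet
# (the post lists KB5014697 for Windows 11, KB5014699 for Windows 10 and KB5014692).
$JuneCumulativeUpdates = @('KB5014697', 'KB5014699', 'KB5014692')
$MsdtKey    = 'Registry::HKEY_CLASSES_ROOT\ms-msdt'
$BackupFile = Join-Path $env:ProgramData 'ms-msdt-backup.reg'   # assumed backup location

function Test-JuneCumulativeInstalled {
    # $true when any of the June 2022 cumulative updates appears in the hotfix list.
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    foreach ($kb in $JuneCumulativeUpdates) {
        if ($installed -contains $kb) { return $true }
    }
    return $false
}

function Get-FollinaStatus {
    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        JuneUpdateInstalled = Test-JuneCumulativeInstalled
        MsdtHandlerPresent  = Test-Path -Path $MsdtKey
        BackupExists        = Test-Path -Path $BackupFile
    }
}

function Invoke-FollinaWorkaround {
    # Microsoft's May 30 mitigation: export the key for later restore, then delete it.
    if (-not (Test-Path -Path $MsdtKey)) {
        Write-Host 'ms-msdt handler already absent; nothing to do.'
        return
    }
    & reg.exe export 'HKEY_CLASSES_ROOT\ms-msdt' $BackupFile /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Backup to $BackupFile failed; refusing to delete the key." }
    & reg.exe delete 'HKEY_CLASSES_ROOT\ms-msdt' /f | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'reg delete failed; is this session elevated?' }
    Write-Host "ms-msdt handler removed; backup saved to $BackupFile"
}

function Restore-FollinaWorkaround {
    # Reverse the workaround once the June update is confirmed installed.
    if (-not (Test-Path -Path $BackupFile)) { throw "No backup found at $BackupFile" }
    & reg.exe import $BackupFile | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'reg import failed.' }
    Write-Host 'ms-msdt handler restored from backup.'
}

$status = Get-FollinaStatus
$status | Format-List

if (-not $status.JuneUpdateInstalled -and $status.MsdtHandlerPresent) {
    Write-Warning 'June update missing and ms-msdt handler present: applying workaround.'
    Invoke-FollinaWorkaround
}
elseif ($status.JuneUpdateInstalled -and -not $status.MsdtHandlerPresent -and $status.BackupExists) {
    Write-Host 'June update installed; rolling back the workaround.'
    Restore-FollinaWorkaround
}
else {
    Write-Host 'No action needed.'
}
```

The script refuses to delete the key if the export fails, so a host is never left without a way to reverse the workaround; the rollback branch only fires when the backup from this script is present, which keeps it from importing someone else's .reg file by accident.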


Microsoft Patch Tuesday Vulnerability Prioritization

There were a total of 55 vulnerabilities addressed in this Patch Tuesday. The lower patch count, combined with only three rated Critical and three marked Exploitation More Likely, should make the workload easier on teams as they focus on Follina, the only zero-day addressed by this month's updates.

Follina is also a good example of why Microsoft's severity rating alone is a poor guide to how urgently a fix should be applied. The fix for Follina is rated only Important despite it being a zero-day under active exploitation. This is why I always recommend that, if you are only going to prioritize by severity, you treat Critical and Important updates the same.

Since this Patch Tuesday shouldn't require as much time and effort to get through, consider taking the opportunity to run some tabletop exercises: go back over how patching has been handled over the past few months and look for opportunities to improve.

It is important to prioritize vulnerabilities not just by severity but also by exploitation likelihood. Vulnerabilities marked Exploitation More Likely are as important, and some would say more important, to address quickly because of their increased likelihood of causing actual impact in an environment. The following CVEs from Microsoft should be at the top of the list, as each is marked Exploitation More Likely, Exploitation Detected, or Critical.

CVE            | Description                                                   | Exploitability           | Severity
CVE-2022-30163 | Windows Hyper-V RCE                                           | Exploitation Less Likely | Critical
CVE-2022-30139 | Windows Lightweight Directory Access Protocol (LDAP) RCE      | Exploitation Less Likely | Critical
CVE-2022-30136 | Windows Network File System RCE                               | Exploitation More Likely | Critical
CVE-2022-30190 | Microsoft Windows Support Diagnostic Tool (MSDT) RCE          | Exploitation Detected    | Important
CVE-2022-30147 | Windows Installer Elevation of Privilege                      | Exploitation More Likely | Important
CVE-2022-30160 | Windows Advanced Local Procedure Call Elevation of Privilege  | Exploitation More Likely | Important
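To show what the ordering argued for above looks like in practice, here is an added PowerShell example (not part of the original post) that ranks a CVE list by exploitation status first and Microsoft severity second. The six rows are the CVEs from the table above; the CSV layout, the rank tables and the tier labels are constructed for this example and are not an MSRC export format.

```powershell
# Added example, not from the original post: triage a Patch Tuesday list so that
# exploitation status outranks severity. Input rows are the six CVEs from the table
# above; the CSV shape itself is constructed for this example.
$PatchTuesdayCsv = @'
CVE,Description,Exploitability,Severity
CVE-2022-30163,Windows Hyper-V RCE,Exploitation Less Likely,Critical
CVE-2022-30139,Windows LDAP RCE,Exploitation Less Likely,Critical
CVE-2022-30136,Windows Network File System RCE,Exploitation More Likely,Critical
CVE-2022-30190,Microsoft Windows Support Diagnostic Tool (MSDT) RCE,Exploitation Detected,Important
CVE-2022-30147,Windows Installer Elevation of Privilege,Exploitation More Likely,Important
CVE-2022-30160,Windows Advanced Local Procedure Call Elevation of Privilege,Exploitation More Likely,Important
'@

# Lower number = patch sooner. Exploitation status is the first sort key, so an
# actively exploited Important bug lands ahead of an unexploited Critical one.
$ExploitRank = @{
    'Exploitation Detected'    = 0
    'Exploitation More Likely' = 1
    'Exploitation Less Likely' = 2
    'Exploitation Unlikely'    = 3
}
$SeverityRank = @{ Critical = 0; Important = 1; Moderate = 2; Low = 3 }

function Get-PatchPriority {
    param([Parameter(Mandatory)][string]$Csv)

    $Csv | ConvertFrom-Csv | ForEach-Object {
        # Unknown labels sort last instead of throwing, so a new MSRC wording cannot hide a CVE.
        $e = if ($ExploitRank.ContainsKey($_.Exploitability)) { $ExploitRank[$_.Exploitability] } else { 9 }
        $s = if ($SeverityRank.ContainsKey($_.Severity))      { $SeverityRank[$_.Severity] }      else { 9 }

        if ($e -eq 0)                  { $tier = 'P1 - actively exploited' }
        elseif ($e -eq 1 -or $s -eq 0) { $tier = 'P2 - exploit likely or Critical' }
        else                           { $tier = 'P3 - routine' }

        [pscustomobject]@{
            Tier           = $tier
            CVE            = $_.CVE
            Severity       = $_.Severity
            Exploitability = $_.Exploitability
            Description    = $_.Description
            SortKey        = ($e * 10) + $s
        }
    } | Sort-Object SortKey, CVE
}

Get-PatchPriority -Csv $PatchTuesdayCsv |
    Format-Table Tier, CVE, Severity, Exploitability, Description -AutoSize
```

Run against this month's table, CVE-2022-30190 (Important, Exploitation Detected) comes out first, CVE-2022-30136 second, the two Exploitation More Likely EoPs next, and the two Critical-but-Less-Likely RCEs last, which is the order the post argues for rather than the order a severity-only sort would produce.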

Cumulative Updates

The cumulative updates for this month include the usual security and performance fixes rolled in from previous updates. KB5014697 is the ninth regular cumulative update for Windows 11 and includes a servicing stack update (SSU). It also enables the new Windows Spotlight for Desktop feature, which rotates the desktop background and may throw some users off, so end-user messaging may need to be prepared for Windows 11.

KB5014699 for Windows 10 21H1, 21H2 and 20H2 was released with the usual rollup of previous fixes and an SSU. Note that Windows 10 20H2 reached end of service on May 10, 2022 for the Home, Pro, Pro Education and Pro for Workstations editions. If you still have any of those builds deployed in production, updating them to a newer build should be on your project list for this month.

KB5014692 (Windows Server 2022) includes the improvements that were part of KB5014022 and an SSU. Microsoft has published additional guidance on actions to take before applying this update in environments with Domain Controllers and Network Policy Server (NPS) in place, so read that guidance before pushing it to those servers.


Known Complications of Note

As of writing there were no major complications being reported by the community at large.

Internet Explorer Is Dead, Long Live Internet Explorer

Microsoft announced last year that IE 11 on Windows 10 would be retired in favor of Microsoft Edge with IE mode, with the transition scheduled for June 15, 2022. This is sure to pose further challenges for client environments that still rely on line-of-business software that requires IE. If possible, use IE 11 being declared end of support as the lever to move clients away from legacy systems that still need IE to function.

Other Vendors

There were also some significant vulnerabilities disclosed this month for Atlassian and Google. Atlassian's Confluence Server and Data Center were affected by CVE-2022-26134 early in June, a zero-day under active exploitation that gives an unauthenticated attacker remote code execution on the affected server. This requires your immediate attention if you have not already applied the updates provided by Atlassian.

Google Chrome also received some significant fixes over the previous month, including a fix for CVE-2022-1096, which is under active exploitation. Current guidance is to ensure Chrome has been updated to the stable channel 102.0.5005.115 release.

Summary

As always, make sure you have established patching processes for evaluation, testing, and pushing into production. If you have traditionally applied patches based only on their severity, consider adding prioritization of zero-days and of Exploitation Detected and Exploitation More Likely vulnerabilities to your patch management routine.

Looking for more information on Patch Management? Check out this section on our blog.

Lewis Pope is the Head Security Nerd at N‑able. You can follow him on Twitter: @cybersec_nerd

LinkedIn: thesecuritypope

Twitch: cybersec_nerd

© N‑able Solutions ULC and N‑able Technologies Ltd. All rights reserved.

This document is provided for informational purposes only. It should not be relied upon for legal guidance. N‑able makes no warranty, express or implied, and assumes no legal liability or responsibility for the accuracy, completeness, or usefulness of any information contained herein.

N-ABLE, N-CENTRAL and other N‑able trademarks and logos are the exclusive property of N‑able Solutions ULC and N‑able Technologies Ltd. and may be common law marks, registered, or pending registration with the U.S. Patent and Trademark Office or in other countries. All other trademarks mentioned herein are used for identification purposes only and are trademarks (or registered trademarks) of their respective companies.