Patch Tuesday: Microsoft Issues Fix for Actively Exploited ‘Follina’ Vulnerability

0
2059

Microsoft finally released fixes to address an actively exploited Windows zero-day vulnerability known as Follina as part of its Patch Tuesday updates.

Also addressed by the tech giant are 55 other flaws, three of which are rated Critical, 51 are rated Important, and one is rated Moderate in severity. Separately, five more shortcomings were resolved in the Microsoft Edge browser.

Tracked as CVE-2022-30190 (CVSS score: 7.8), the zero-day bug relates to a remote code execution vulnerability affecting the Windows Support Diagnostic Tool (MSDT) when it’s invoked using the “ms-msdt:” URI protocol scheme from an application such as Word.

The vulnerability can be trivially exploited by means of a specially crafted Word document that downloads and loads a malicious HTML file through Word’s remote template feature. The HTML file ultimately permits the attacker to load and execute PowerShell code within Windows.

“An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application,” Microsoft said in an advisory. “The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights.”

A crucial aspect of Follina is that exploiting the flaw does not require the use of macros, thereby obviating the need for an adversary to trick victims into enabling macros to trigger the attack.

Since details of the issue surfaced late last month, it has been subjected to widespread exploitation by different threat actors to drop a variety of payloads such as AsyncRAT, QBot, and other information stealers. Evidence indicates that Follina has been abused in the wild since at least April 12, 2022.

Besides CVE-2022-30190, the cumulative security update also resolves several remote code execution flaws in Windows Network File System (CVE-2022-30136), Windows Hyper-V (CVE-2022-30163), Windows Lightweight Directory Access Protocol, Microsoft Office, HEVC Video Extensions, and Azure RTOS GUIX Studio.

Another security shortcoming of note is CVE-2022-30147 (CVSS score: 7.8), an elevation of privilege vulnerability affecting Windows Installer and which has been marked with an “Exploitation More Likely” assessment by Microsoft.

“Once an attacker has gained initial access, they can elevate that initial level of access up to that of an administrator, where they can disable security tools,” Kev Breen, director of cyber threat research at Immersive Labs, said in a statement. “In the case of ransomware attack, this leverages access to more sensitive data before encrypting the files.”

The latest round of patches is also notable for not featuring any updates to the Print Spooler component for the first time since January 2022. They also arrive as Microsoft said it’s officially retiring support for Internet Explorer 11 starting June 15, 2022, on Windows 10 Semi-Annual Channels and Windows 10 IoT Semi-Annual Channels.

Software Patches from Other Vendors

In addition to Microsoft, security updates have also been released by other vendors since the start of the month to rectify several vulnerabilities, including —