Microsoft June 2022 Patch Tuesday: 55 fixes, remote code execution in abundance
Microsoft has released 55 security fixes that resolve critical issues including Remote Code Execution (RCE).
The Redmond giant's latest round of patches, usually released on the second Tuesday of each month in what is known as Patch Tuesday, includes fixes for problems such as RCE vulnerabilities, information leaks, Elevation of Privilege (EoP), Use-After-Free issues, and out-of-bounds memory access.
Products impacted by June's security update include the Windows operating system, Microsoft Office, Hyper-V Server, Azure, and Windows Defender. In total, three vulnerabilities are critical, one is moderate, and the rest are considered important.
Many of the vulnerabilities patched this month relate to remote code execution, but Microsoft says that there are no reports of active exploitation in the wild with the exception of an update to CVE-2022-30190, a Microsoft Windows Support Diagnostic Tool (MSDT) vulnerability made public in May.
Also: Everything Microsoft revealed at its 2022 Xbox & Bethesda Showcase
Some of the most severe vulnerabilities resolved in this update are:
- CVE-2022-30136: CVSS 9.8, Windows Network File System RCE vulnerability. Attackers need to make an unauthenticated, crafted call to a Network File System (NFS) service to trigger the bug.
- CVE-2022-30163: CVSS 8.5, A Windows Hyper-V RCE vulnerability exploitable through a specially crafted application on a Hyper-V guest session.
- CVE-2022-30139: CVSS 7.5, A Windows Lightweight Directory Access Protocol (LDAP) RCE vulnerability but only if the MaxReceiveBuffer LDAP policy is set to a value higher than the default value.
- CVE-2022-30164: CVSS 8.4, Kerberos AppContainer security feature bypass. It was possible to circumvent the service ticketing feature which performs user access control checks.
- CVE-2022-30157: CVSS 8.8, Microsoft SharePoint Server RCE vulnerability. Attackers must be authenticated and have page creation permissions,
- CVE-2022-30165: CVSS 8.8, Windows Kerberos EoP security flaw. It was possible to spoof the Kerberos log on process when a remote credential guard connection was made via CredSSP.
As noted by the Zero Day Initiative (ZDI), this is the first patch release in a long time that has not featured updates for the Print Spooler.
Last month, Microsoft resolved 74 bugs in the May batch of security fixes. These included seven critical and one important flaw, with RCE, privilege escalation, information leaks, and spoofing making an appearance.
A month prior, the tech giant tackled two zero-day vulnerabilities during April's Patch Tuesday.
Earlier this month, Microsoft warned of the upcoming retirement of Internet Explorer. Support is ending for Internet Explorer 11 on June 15, impacting the Windows 10 client SKU (version 20H2 and later) and Windows 10 IoT (version 20H2 and later). IE Mode will be maintained in Microsoft Edge until at least 2029 to give developers time to modernize their IE applications.
Alongside Microsoft's Patch Tuesday round, other vendors, too, have published security updates which can be accessed below.
- Adobe security updates
- SAP security updates
- VMWare security advisories
- Intel security updates