By Staff Writer.
This week Microsoft released its latest round of Patch Tuesday fixes, with the software giant tackling 55 vulnerabilities, including the high-profile Windows MSDT ‘Follina’ zero-day vulnerability and the more recent Intel MMIO vulnerability.
Three of Patch Tuesday’s fixes were rated as critical: CVE-2022-30163, a Windows Hyper-V Remote Code Execution Vulnerability; CVE-2022-30139, a Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability; and CVE-2022-30136, a Windows Network File System Remote Code Execution Vulnerability.
IT insiders expressed surprise that the Follina vulnerability (CVE-2022-30190) was categorised further down the scale as “important,” given it was the only vulnerability widely exploited and discussed.
The most recent Microsoft fixes also address scores of software flaws deemed important and moderate, including those dealing with information disclosure, remote code execution, security feature bypass, elevation of privilege, spoofing, and denial of service vulnerabilities.
“We’ve now reached the midway point of 2022. It’s been an up and down six months so far with a wide swing in the number of vulnerabilities Microsoft has been addressing each month,” said Todd Schell, Principal Product Manager at software company Ivanti.
“This month, we saw 33 vulnerabilities fixed in Windows 10 and its associated servers. The hot discussion topic this past month was CVE-2022-30190, also known as the Follina vulnerability, which was fixed today with updates from Windows 7 through Windows 11. The second phase of the DCOM server security update was also implemented this month.”
Schell says of the three critical vulnerabilities, CVE-2022-30136 was the most important. This was a network file system remote code execution vulnerability with a CVSS score of 9.8 that impacted Windows Server 2012, Server 2016, and Server 2019 and was relatively easy to exploit. In addition to the Patch Tuesday fix, Microsoft also released detailed mitigation options for the vulnerability.
Ivanti’s Principal Product Manager says the greater degree of difficulty involved in exploiting the two other critical vulnerabilities, CVE-2022-30163 and CVE-2022-30139, saw them handed a lower CVSS score, but he also says all three vulnerabilities should be given priority depending upon the level of risk they pose to an organisation’s network.
June’s Patch Tuesday fixes span 25 Microsoft products, including Azure, Developer Tools, Edge-Chromium Browser, Microsoft Office, SQL Server, System Center, and Windows.