• June 3, 2023

Motorola Razr 40 Battles Samsung With Aggressive New Deals

Motorola isn’t playing games. The company has launched its two new foldable flip phones – the Razr 40 and 40 Ultra (also called the Razr +) – at aggressive price points, …

New MacBook Air Leak Reveals Apple’s Disappointing Decision

Apple has its new Mac hardware ready to launch at next week’s Worldwide Developer Conference. The M2 Max and M2 Ultra Apple Silicon chipsets build on the one-year-old M2 chipset, offering …

Apple Reality Pro VR Headset: New Leak Reveals Unprecedented Detail

Okay, brace yourself. The first all-new product category from Apple since the unveiling of Apple Watch in late 2014 is about to be revealed it seems. It’s a new mixed-reality headset …

As well as fixing the already under attack Follina zero-day exploit, Microsoft has just confirmed three critical vulnerabilities that impact millions of Windows and Windows Server users.

Within the collection of 55 new Microsoft security updates, yes it’s Patch Tuesday time again, there are three that are rated as critical. The good news is that none of these, in fact, none of the 55 isted vulnerabilities, are known to currently be under exploitation in the wild. I can say that despite the CVE-2022-30190 Follina fix being distributed as, bizarrely, Microsoft didn’t list it among the vulnerabilities patched.

The three critical security flaws are as follows


CVE-2022-30136 impacts Windows Server (2012, 2016, 2019) users and is a remote code execution (RCE) threat that could be exploited over the network using a malicious call to a network file system (NFS) service. According to Mike Walters, cybersecurity executive and co-founder of Action1, it is believed “an exploit for this vulnerability has been developed, although this information has not been confirmed.” He also warns that “this June patch should only be applied after the May one has already been installed,” in reference to the CVE-2022-26937 patch last month.


CVE-2022-30139 impacts Windows (10 & 11) and Windows Server (2016, 2019, 20H2, 2022) users and is another RCE but this time impacting the Windows lightweight directory access protocol (LDAP) where default policy values have been changed. According to Vulnerability Database, while the full technical details are as yet unknown, “a simple authentication is necessary for exploitation.” While confirming no public exploit is available, the site suggests one could be worth between $5,000 and $25,000.



CVE-2022-30163 impacts Windows (7, 8.1, 10 & 11) and Windows Server (2008, 2012, 2016, 2019, 20H2 & 2022) users and is another arbitrary remote code execution vulnerability. This time it targets Windows Hyper-V host using a malicious application on a Hyper-V guest. According to the Trend Micro Zero Day Initiative, “Microsoft notes that attack complexity is high since an attacker would need to win a race condition. However, we have seen many reliable exploits demonstrated that involve race conditions, so take the appropriate step to test and deploy this update.”

Should you update your Windows or Windows Server platform immediately?

Obviously, as always, the takeaway is to update as soon as possible in order to shore up these security holes. Well, for consumers at least. The situation becomes more complex for organizations. “Businesses are typically slow in applying patches, yet I’d bet vulnerabilities are still the most common reason organizations are compromised,” Mark Lamb, CEO of HighGround.io, says. “Security standards, including the U.K. Cyber Essentials overview standard, encourage patches to be deployed within 14 days of release for both Operating Systems and Applications, but it’s not uncommon for organizations to take months to get their patches deployed.” Lamb recommends, where possible, businesses should be “diligent in approving and deploying patches on a weekly basis, because,” he says, “you don’t know what the next vulnerability is going to be and whether it could have been mitigated by consistent and diligent patching.”


Leave a Reply

Your email address will not be published.