As well as fixing the already under attack Follina zero-day exploit, Microsoft has just confirmed three critical vulnerabilities that impact millions of Windows and Windows Server users.
Within the collection of 55 new Microsoft security updates, yes it’s Patch Tuesday time again, there are three that are rated as critical. The good news is that none of these, in fact, none of the 55 isted vulnerabilities, are known to currently be under exploitation in the wild. I can say that despite the CVE-2022-30190 Follina fix being distributed as, bizarrely, Microsoft didn’t list it among the vulnerabilities patched.
The three critical security flaws are as follows
CVE-2022-30136
CVE-2022-30136 impacts Windows Server (2012, 2016, 2019) users and is a remote code execution (RCE) threat that could be exploited over the network using a malicious call to a network file system (NFS) service. According to Mike Walters, cybersecurity executive and co-founder of Action1, it is believed “an exploit for this vulnerability has been developed, although this information has not been confirmed.” He also warns that “this June patch should only be applied after the May one has already been installed,” in reference to the CVE-2022-26937 patch last month.
CVE-2022-30139
CVE-2022-30139 impacts Windows (10 & 11) and Windows Server (2016, 2019, 20H2, 2022) users and is another RCE but this time impacting the Windows lightweight directory access protocol (LDAP) where default policy values have been changed. According to Vulnerability Database, while the full technical details are as yet unknown, “a simple authentication is necessary for exploitation.” While confirming no public exploit is available, the site suggests one could be worth between $5,000 and $25,000.
Advertisement
CVE-2022-30163
CVE-2022-30163 impacts Windows (7, 8.1, 10 & 11) and Windows Server (2008, 2012, 2016, 2019, 20H2 & 2022) users and is another arbitrary remote code execution vulnerability. This time it targets Windows Hyper-V host using a malicious application on a Hyper-V guest. According to the Trend Micro Zero Day Initiative, “Microsoft notes that attack complexity is high since an attacker would need to win a race condition. However, we have seen many reliable exploits demonstrated that involve race conditions, so take the appropriate step to test and deploy this update.”
Should you update your Windows or Windows Server platform immediately?
Obviously, as always, the takeaway is to update as soon as possible in order to shore up these security holes. Well, for consumers at least. The situation becomes more complex for organizations. “Businesses are typically slow in applying patches, yet I’d bet vulnerabilities are still the most common reason organizations are compromised,” Mark Lamb, CEO of HighGround.io, says. “Security standards, including the U.K. Cyber Essentials overview standard, encourage patches to be deployed within 14 days of release for both Operating Systems and Applications, but it’s not uncommon for organizations to take months to get their patches deployed.” Lamb recommends, where possible, businesses should be “diligent in approving and deploying patches on a weekly basis, because,” he says, “you don’t know what the next vulnerability is going to be and whether it could have been mitigated by consistent and diligent patching.”
