It was just a week ago that I warned that a 0-day hack, enabling an attacker to remotely execute code on most versions of Microsoft Windows and Windows Server, was already being exploited in the wild. The attacks employed malicious Microsoft Office documents, but not with the usual macro-based methodology. Instead, Follina, as CVE-2022-30190 quickly became known, used vulnerabilities in the Microsoft Windows Support Diagnostic Tool (MSDT) and could even execute without the need to open the document in some exploit scenarios.
As no emergency, out-of-band fix was forthcoming, it was hoped that the June Patch Tuesday security update would include a fix for Follina. However, with that Patch Tuesday rollout happening yesterday, there was no mention of CVE-2022-30190 in the documented fixes. At first, this seemed to suggest that Microsoft (which still hasn’t responded to my request for a statement regarding Follina, by the way) was going with the ‘it’s a feature, not a bug’ defense. However, despite CVE-2022-30190 being conspicuous by its absence, it appears that was not the case.
The Microsoft Security Update Guide entry for CVE-2022-30190 has been edited to read: “A complete vendor solution is available. Either the vendor has issued an official patch, or an upgrade is available.” Scrolling down to the FAQ section, the confirmation is complete with this answer to the ‘is there an update available?’ question: “Yes, the updates are available. Microsoft recommends installing the June updates as soon as possible.”
You know what to do: install the June 2022 Patch Tuesday updates as soon as possible.