Follina, other flaws fixed in latest Microsoft patch on Tuesday

Application Security, Incident and Breach Response, Next Generation Technologies, and Secure Development

3 Critical RCE Exploits More Actively Exploited Zero-Day Fix

Prajeet Nair (@prajeetspeaks) •
June 16, 2022

Microsoft’s latest patch on Tuesday finally fixes a zero-day exploit after months of warnings from security researchers about a vulnerability that allows hackers to take control of Windows machines via a word processor.

See also: Cat by the fire | Zero tolerance: control the landscape where you will meet your opponents

Earlier this year, the operating system giant announced that it would switch to continuous automatic updates rather than focusing on the second Tuesday of each month to release security patches. Patch Tuesday’s last hurray includes a belated fix for CVE-2022-30190, a remote code execution vulnerability named Follina by security researcher Kevin Beaumont due to a file reference’s numerical overlap with the callsign. regional of a small Italian town.

The vulnerability works when actors send malicious Office files such as a Word document that contains a link to an HTML file that runs code in the Microsoft Support Diagnostic Tool. It even works with macros disabled and when previewing, rather than opening, an Office file. Microsoft warns that an attacker who exploits Follina “can execute arbitrary code with the privileges of the calling application. The attacker can then install programs, view, modify or delete data, or create new accounts in the authorized context by the rights of the user”.

Until now, Microsoft’s solution was to ask system administrators to disable the Microsoft Support Diagnostic Tool’s ability to retrieve web pages.

CVE-2022-30190 was discovered by cybersecurity researchers in Japan, known on Twitter as @nao_sec, on May 27. They reported a malicious document that was submitted to malware scanning service VirusTotal from an IP address in Belarus. The vulnerability, @nao_sec said at the time, used “Word’s external link to load the HTML code, then used the ‘ms-msdt’ scheme to execute the PowerShell code” (see: Microsoft Office: Attackers Inject Code Via Zero-Day Bug).

“This vulnerability has been under attack for several months. This vulnerability patch must have been a late addition this month because although it appeared in the list of vulnerabilities in the Security Guide, it did not appear in the CVE breakdown for every patch,” says Todd Schell, senior product manager at cybersecurity firm Ivanti.

Cybersecurity company Proofpoint earlier this month detected attackers suspected of aligning themselves with an anonymous state actor attempting to use Follina to attack European and local US government entities. In late May, he reported that hackers linked to the Chinese government had launched a campaign to send malicious Word documents through the Central Tibetan Administration, the Tibetan government-in-exile to Dharamshala, India.

Critical vulnerabilities

Among the other five dozen security vulnerabilities patched in the latest Patch Tuesday are vulnerabilities affecting Microsoft Windows and Windows components; Microsoft Office and Office components; .NET and Visual Studio; Microsoft Edge (Chromium-based); SharePoint server; Windows Defender; Windows Lightweight Directory Access Protocol; Hyper-V Windows Server; Windows app store; Azure OMI, real-time operating system and Service Fabric container; and Windows Powershell.

The patches address vulnerabilities such as elevation of privilege, remote code execution, spoofing, denial of service, security feature bypass, and information disclosure, the page says. patch update.

The three remote code executions classified as “critical” on the severity scale are:


This is a Windows Network File System RCE exploit with a CVSS score of 9.8. This vulnerability allows remote attackers to execute privileged code on affected systems running Network File System. “NFS service on Windows isn’t enabled by default, but that’s no reason to be complacent. With a score of 9.8, if you share files and filesystems over a network with NFS , this should be high on the list to fix,” says Kev Breen, director of cyber threat research at cybersecurity firm Immersive Labs.


It is a Windows Hyper-V RCE with a CVSS score of 8.5. This bug “allows a user on a Hyper-V guest to run their code on the underlying Hyper-V host operating system,” says Dustin Childs, security analyst at Zero Day Initiative, which is managed by the cybersecurity company Trend Micro. Exploiting this flaw would allow an attacker to jump from a guest VM to the host and gain access to all running VMs.

“Microsoft has marked this vulnerability as less likely to be exploited. This is likely because the complexity is high and requires an attacker to gain a race condition. The nature of this condition is not disclosed. This will be of great value to attackers if a method to easily exploit it is discovered,” says Breen.


This is a Windows Lightweight Directory Access Protocol RCE vulnerability with a CVSS score of 6.5. “Successful exploitation of this vulnerability requires an attacker to prepare the target environment to improve the reliability of the exploit,” Microsoft says.

Other key vulnerabilities

Other key vulnerabilities addressed in the Patch Tuesday update include CVE-2022-30157 and CVE-2022-30158. Both of these vulnerabilities are Microsoft SharePoint Server RCE vulnerabilities and have a CVSS score of 8.8.

These would likely be exploited by an attacker “who already has the initial footing to move laterally on the network,” says Breen. “This could affect organizations that use SharePoint for internal wikis or document stores. Attackers could exploit this vulnerability to steal confidential information, replace documents with new versions containing malicious code, or create macros to infect other other systems.”

CVE-2022-30147, a Windows Installer elevation of privilege vulnerability with a CVSS score of 7.8, is marked as “most likely to be exploited” by Microsoft. This vulnerability is a local elevation of privilege vulnerability that can be exploited on both desktop and server environments.

Breen says, “Although the CVSS score is only 7.8, this type of vulnerability is almost always seen during a cyberattack. Once an attacker has gained initial access, they can elevate this level of initial access up to that of an administrator, where they can disable security tools. In the case of a ransomware attack, this exploits access to more sensitive data before encrypting the files.”

End of an era

Starting in July, the second Tuesday of each month will be just another Tuesday. The tech giant, which has released patches for vulnerabilities in its software on the second Tuesday of every month since 2016, is set to roll out automatic updates.

Windows Autopatch, which is expected to be released in July for enterprise customers, allows Microsoft to fix bugs for its users without any user effort. Windows Autopatch is also offered as a feature in Windows 10/11 Enterprise (see: Tuesday patch at the end; Microsoft announces automatic Windows fix).

Comments are closed.