Gina Sanders - stock.adobe.com
Ahead of the final Patch Tuesday, which true to precedent is due on Tuesday 14 June, analysts at Recorded Future are stepping into the breach, launching a monthly report that will detail the most impactful common vulnerabilities and exposures (CVEs) circulating.
And its inaugural edition contains some significant vulnerabilities, including several zero-days. Of these, the most critical is probably CVE-2022-30190, or Follina, which Recorded Future’s research unit, the Insikt Group, said it saw being exploited by China-linked threat actors on 30 May, barely 24 hours after initial disclosure.
“It was also later confirmed that the vulnerability was used in three threat actor campaigns prior to public disclosure, including a spear-phishing campaign targeting entities in Saudi Arabia. The exploitation before disclosure shows how quickly APT groups take advantage of major new exploits,” said the team.
“A key takeaway from the Follina disclosure is how fast attackers are using maldoc-based exploits now that Microsoft is turning off VBA-based macros by default,” they added.
“Security teams should prepare themselves for an eventful second half of the year as additional ways that Microsoft systems are vulnerable to maldoc exploits are likely to be discovered.”
The team said it was tracking several zero-days in a wide array of products and software including remote support tools, operating systems, Active Directory services and even graphics drivers. Of the seven most critical vulnerabilities listed, five were zero-days when disclosed, meaning users have had no time to patch before malicious actors started exploiting them.
“Mere vulnerability management alone is not sufficient,” the said. “Security teams are strongly encouraged to deploy a defence-in-depth approach across their networks.”
Read more about Follina
- Malicious Word documents have been used to invoke a previously undisclosed vulnerability in Microsoft Office without user interaction through Windows utility functions.
- A zero-day flaw in the Microsoft Support Diagnostic Tool has already been exploited in the wild. No patch is available yet, but Microsoft released temporary mitigations.
The full list of vulnerabilities, in order of severity, contained in the first edition of CVE Monthly is as follows:
- CVE-2022-30190 (Follina), a zero-day in Microsoft’s Windows remote support tool;
- CVE-2022-26925, a zero-day in Microsoft’s Windows security service;
- CVE-2022-26923, in Microsoft’s Windows directory service (Active Directory);
- CVE-2022-20821, a zero-day in Cisco’s IOS XR network operating system;
- CVE-2022-29104, in Microsoft Windows printer operations;
- CVE-2022-22675, a zero-day in Apple’s AppleAVD audio and video decoding service;
- CVE-2022-22674, a zero-day in Apple’s macOS graphics driver;
- And CVE-2022-26134, a zero-day in Atlassian’s Confluence collaboration software, which is significant but not listed as critical.
What’s up with Patch Tuesday?
Earlier this year, Microsoft announced Windows Autopatch, an automated service that will effectively take over patching duties from hard-pressed security admins.
The development of Windows Autopatch, which will be a feature of Windows Enterprise E3 licences and covers Windows 10, 11 and 365 for now, was driven by precisely this concern that the vast complexity of most IT environments has massively increased the number of potential vulnerabilities that teams need to keep on top of, leading to inevitable security gaps.
“This service will keep Windows and Office software on enrolled endpoints up to date automatically, at no additional cost,” said Microsoft’s Lior Bela at the time. “IT admins can gain time and resources to drive value. The second Tuesday of every month will be ‘just another Tuesday’.”