May 2022 Patch Tuesday provided the final releases for several Windows 10 operating systems and this month we’ll see the final update for Internet Explorer 11. But don’t go on that family vacation thinking there will be less work to do when you come back with fewer products to support, we have an actively exploited vulnerability to deal with and an anticipated normal release of updates.
The hot topic this month has been around CVE-2022-30190, also known as the Follina vulnerability. This vulnerability in the Microsoft Windows Support Diagnostic Tool (MSDT) allows for remote code execution. This diagnostic tool sends troubleshooting information back to Microsoft when you have a problem on your local machine.
The vulnerability is exploited via malicious code included in a Word document, and what makes it particularly troublesome is the user doesn’t even have to open the document directly. Any Office program that provides a preview mode will trigger the exploit. This vulnerability has been under attack for several months.
Interestingly, Microsoft has only given this vulnerability a CVSS rating of 7.8 and severity of Important. While they have provided some guidance on protection, they have not committed to a fixed timeline. We all should be monitoring this closely, taking mitigation action based on risk to our systems and quickly deploying the update if/when it is available.
I mentioned last month that Internet Explorer is officially coming to an end (almost) on June 15th. If you still need IE 11 for critical business functionality, Microsoft recommends using IE mode in the Edge browser. This functionality is scheduled to be supported in Edge until 2029. Please consult this Microsoft FAQ for complete details on the end of life support for this application.
Windows 10 1909 Enterprise and Education, 20H2 Professional, and Windows Server 20H2 reached end of support last Patch Tuesday. You should be moving to a fully supported desktop or server version as soon as possible to minimize your exposure.
Make sure someone is watching ‘the store’ if you do take that family vacation. The news is full of recent attacks and exploitation. Symbiote software is invading Linux systems, infecting running processes and stealing critical data. A phishing operation on Facebook and Messenger drove millions of users to an infected portal where they entered their credentials and viewed advertisements for revenue generation.
Emotet malware has resurfaced and is distributing other malware packages onto compromised systems. Just because we step away from the patch game for a while doesn’t mean our adversaries take time off too.
June 2022 Patch Tuesday forecast
- We hope to see a fix for CVE-2022-30190 in this month’s operating systems updates. These should include updates for Office and Sharepoint Server as well. Exchange Server and .NET framework were updated last month so we may get a break there. It’s been a long time since we had a SQL Server update on Patch Tuesday, so maybe one will surface?
- Adobe Acrobat and Reader were last updated in April, so be on the lookout for a minor update this month. If not, we will be due for a major one on July Patch Tuesday.
- A macOS Big Sur security update was released today, so a Monterey release may be right around the corner. The last Monterey security update came in mid-May. Regardless, make sure your Big Sur systems are up-to-date.
- Google released both the desktop stable channel and extended stable channel updates numbered 102.0.5005.115 today. The beta channel for ChromeOS was updated yesterday, so the stable version may be updated next week.
- Firefox, Firefox ESR and Thunderbird were all updated on May 31st. I would expect a minor update next week for these applications.
Internet Explorer has been a staple of the Windows operating system for so long, it is hard to believe it is finally disappearing. Enjoy your vacation!