May 2022 Patch Tuesday delivered the final builds of several Windows 10 operating systems and this month we’ll see the final update for Internet Explorer 11. But don’t go on a family vacation thinking that there will be less work to do when you return. with fewer products to support, we have an actively exploited vulnerability to address and normal early release of updates.
This month’s hot topic is CVE-2022-30190, also known as the Follina vulnerability. This vulnerability in Microsoft Windows Support Diagnostic Tool (MSDT) allows remote code execution. This diagnostic tool returns troubleshooting information to Microsoft when you encounter a problem on your local computer.
The vulnerability is exploited through malicious code embedded in a Word document, and what makes it particularly troublesome is that the user doesn’t even need to open the document directly. Any Office program that provides preview mode will trigger the exploit. This vulnerability has been under attack for several months.
Interestingly, Microsoft has only assigned this vulnerability a CVSS rating of 7.8 and an Important severity. Although they provided advice on protection, they did not commit to a fixed timetable. We should all monitor this closely, take risk-based mitigations to our systems, and quickly deploy the update if/when available.
I mentioned last month that Internet Explorer is officially ends (almost) on June 15th. If you still need IE 11 for critical business features, Microsoft recommends using IE mode in the Edge browser. This feature is expected to be supported in Edge until 2029. Please see this Microsoft Frequently Asked Questions for details on end-of-life support for this application.
Windows 10 1909 Enterprise and Education, 20H2 Professional, and Windows Server 20H2 reached end of support last Tuesday. You should migrate to a fully supported desktop or server version as soon as possible to minimize your exposure.
Make sure someone is watching “the store” if you’re taking a family vacation. The news is full of recent attacks and exploitations. Symbiote software invades Linux systems, infects running processes and steals critical data. A phishing operation on Facebook and Messenger led millions of users to an infected portal where they entered their credentials and viewed advertisements to generate revenue.
Emotet malware has resurfaced and is distributing other malware packages on compromised systems. Just because we’re stepping away from the patch game for a while doesn’t mean our opponents are also taking time off.
June 2022 Patch Tuesday Predictions
- We hope to see a fix for CVE-2022-30190 in OS updates this month. These should also include updates for Office and Sharepoint Server. Exchange Server and .NET Framework were updated last month so we can take a break there. It’s been a while since we’ve had a SQL Server update on Patch Tuesday, so maybe one will surface?
- Adobe Acrobat and Reader were last updated in April, so be on the lookout for a minor update this month. If not, we will have a major event on July Patch Tuesday.
- A macOS Big Sur security update was released today, so a Monterey release may be imminent. Monterey’s latest security update arrived in mid-May. Either way, make sure your Big Sur systems are up to date.
- Google today released both the Desktop Stable Channel and Extended Stable Channel updates numbered 102.0.5005.115. The beta channel for ChromeOS was updated yesterday, so the stable version could be updated next week.
- Firefox, Firefox ESR, and Thunderbird were all updated on May 31. I would expect a minor update next week for these apps.
Internet Explorer has been a staple of the Windows operating system for so long that it’s hard to believe it’s finally going away. Enjoy your holidays!