A few hours ago, we recorded this week's Naked Security podcast, right on Patch Tuesday itself.

It was just after 18:00 UK time when we hit the mics, which meant it was just after 10:00 Microsoft HQ time, which meant we had access to this month's official June 2022 Security Updates bulletin from Redmond itself just before we started.

According to this bulletin, the CVEs fixed this month, listed in increasing numeric order, are as follows:

    [. . . .]
    CVE-2022-30189    <---jumps from this
    CVE-2022-30193    <---to this

As you can see, CVE-2022-30190, popularly known as Follina, isn't on the list.

We said as much in the podcast, and inferred (as we expect you did, too) that Follina either wasn't really considered a bug, and therefore didn't get fixed, or was still in the process of getting some sort of fix that wasn't ready in time.

As you'll no doubt recall (and as we'll demonstrate and explain in tomorrow's live Sophos Spotlight security webinar), we like to describe Follina as:

A feature that no one really wanted, combined with a feature no one really needed, to produce a malware implantation exploit that no one really expected.

Simply put (but please join us tomorrow for that 30-minute jargon-free explainer session!), you can use the Object Linking and Embedding (OLE) system in Windows to tell an Office document to fetch and display an HTML web page.

In that web page, you can embed a short JavaScript program that references a little-known proprietary Microsoft URL starting ms-msdt: in order to trigger the Microsoft Support Diagnostic Tool (MSDT).

(This, by the way, is the feature we can't imagine anyone really wanted, given that OLE is usually used for pulling images into presentations or for embedding live spreadsheet data into documents, not for starting software tests for locally installed apps.)

Sadly, that ms-msdt: URL can be used not only to fire up the MSDT app, but also to feed it parameters so the user doesn't need to choose the troubleshooting settings from the usual menus, including pre-identifying the app that needs testing by providing its exact path and filename.

And in that filename, you can embed a "metacommand" (a bit like Log4Shell or the recent Atlassian Confluence bug) buried inside a $(...) sequence of characters.

That weird sequence $(...) is apparently ignored when the system checks to see if the named app exists, so even though there are no apps with $(...) in their names that could match those characters, and even though the troubleshooter ought to bail at this point, you don't get an error and Windows ploughs on regardless.

But when the system actually kicks off its troubleshooting, that weird filename apparently gets re-processed, and the character sequence inside the $(...) markers isn't used literally.

Instead, it's executed as a PowerShell command that's supposed to generate the text that will actually be used at that point in the filename.

(That, of course, is the feature that we can't imagine anyone really needed, as useful and as "proactive" as it might have seemed at the time.)

Loosely speaking, the embedded PowerShell code can do anything you want it to, from popping up a calculator to opening a reverse shell for a waiting cybercriminal (yes, we'll show you how that part works in the demo, and how to stop it from happening).

You don't even need to open a booby-trapped file in Word itself, because simply scrolling to an RTF file in File Explorer with the Preview Pane turned on is enough.

As you see here, moving the cursor to our test file t1.rtf opened up the Windows Troubleshooter automatically and popped up a calculator without any warning or Are you sure? message, based on the sneaky JavaScript URL in the booby-trapped HTML file loaded by our booby-trapped document:

Fixed after all

Having recorded the podcast, based on the abovementioned June 2022 Security Update bulletin, we checked with our sister site, Sophos News, where SophosLabs had by then published its own analysis of that security bulletin, covering the CVEs in the official list in useful detail.

But SophosLabs agreed: there was still no obvious sign of CVE-2022-30190 having been attended to!

Anyway, a short while after that, we noticed reports that the Follina bug was apparently "fixed" after all.

So we installed 2022-06 Cumulative Update for Windows 11 for x64-based Systems (KB5014697), rebooted…

…and this time, even though previewing our booby-trapped RTF triggered a web download and launched the troubleshooter, the Diagnostic Tool seemed to detect that sneakily-hidden $(...) sequence in the filename specification as an illegal value, and produced error 0x80070057, the numeric code for INVALID_PARAMETER:
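As an added example (not code from the Naked Security post, from Sophos or from Microsoft), here is a small Python script that does two defensive things with the mechanism described above: it scans HTML text for ms-msdt: URLs and flags those carrying the $(...) metacommand sequence, percent-decoding first so that an encoded %24%28 is examined as the $( it becomes; and it models the post-patch check just described, in which a target path containing $(...) is rejected with 0x80070057 rather than accepted and re-processed. The sample HTML, the troubleshooter pack id, the parameter name and the text inside $(...) are all constructed placeholders, not real values, and validate_msdt_target is a model of the behaviour the post observed, not Microsoft's code.

```python
import re
from typing import Dict, List
from urllib.parse import unquote

# HRESULT for ERROR_INVALID_PARAMETER, the 0x80070057 value quoted in the post.
E_INVALIDARG = 0x80070057

# Constructed sample: three ms-msdt: URLs of the shape the post describes, inside
# a JavaScript snippet. Pack id, parameter name and the content of the $(...)
# sequence are PLACEHOLDERS, not real values. The second URL is percent-encoded
# to show why the scanner decodes before matching; the third carries no metacommand.
SAMPLE_HTML = """<html><body><script>
location.href = 'ms-msdt:/id PLACEHOLDER_PACK /param PLACEHOLDER_ARG=$(PLACEHOLDER_CMD)';
location.href = 'ms-msdt:/id%20PLACEHOLDER_PACK%20/param%20PLACEHOLDER_ARG%3D%24%28PLACEHOLDER_CMD%29';
location.href = 'ms-msdt:/id PLACEHOLDER_PACK';
</script></body></html>"""

# An ms-msdt: URL runs until a quote, a newline or an HTML angle bracket.
# Spaces are allowed inside because the URL carries space-separated switches.
MSDT_URL_RE = re.compile(r"ms-msdt:[^'\"\n<>]*", re.IGNORECASE)
# The opener of the $( ... ) metacommand sequence.
METACOMMAND_RE = re.compile(r"\$\(")


def find_msdt_urls(text: str) -> List[str]:
    """Return every ms-msdt: URL found in text, percent-decoded."""
    return [unquote(m.group(0)) for m in MSDT_URL_RE.finditer(text)]


def has_metacommand(value: str) -> bool:
    """True if value contains a $( sequence, after percent-decoding."""
    return METACOMMAND_RE.search(unquote(value)) is not None


def scan_document(text: str) -> List[Dict[str, object]]:
    """Scan HTML (or any text) for ms-msdt: URLs and report which of them
    carry a $(...) metacommand; those are the ones worth alerting on."""
    return [{"url": url, "metacommand": has_metacommand(url)}
            for url in find_msdt_urls(text)]


def validate_msdt_target(target: str) -> int:
    """Model of the post-patch check the post observed (not Microsoft's code):
    a target path or filename containing $(...) is rejected with 0x80070057
    instead of being accepted and re-processed later. Returns 0 if acceptable."""
    if has_metacommand(target):
        return E_INVALIDARG
    return 0


if __name__ == "__main__":
    for finding in scan_document(SAMPLE_HTML):
        flag = "METACOMMAND" if finding["metacommand"] else "plain"
        print(f"{flag:12} {finding['url']}")
    print(hex(validate_msdt_target(r"C:\PLACEHOLDER\$(PLACEHOLDER_CMD)")))
```

Run stand-alone, the script lists the three sample URLs, flags the first two (the plain and the percent-encoded form decode to the same string) and prints 0x80070057 for the placeholder path. The decode-before-match step is the part worth copying into any real content filter, since a naive search for the literal characters $( misses the encoded form.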

We repeated the test with Windows 10, where (on our system) the update announced itself as 2022-06 Cumulative Update for Windows 10 Version 21H2 for x64-based Systems (KB5014699).

As on Windows 11, we could trivially exploit the bug (using the latest Microsoft 365 flavour of Office) before the update; couldn't do so afterwards; and could once again exploit it after rolling back the update.

So, as far as we can see, the June 2022 "Patch Tuesday" update does suppress this bug, at least in our brief testing.

As mentioned above, we checked to see that the update was indeed the change that did the trick, by uninstalling KB5014697 (or KB5014699), and verifying that the exploit started working once again.

Therefore, the CVE-2022-30190 bug does seem to have been recognised as a genuine security flaw by Microsoft, and it has been patched, even if you weren't sure about that to start with, and even if it's not officially acknowledged in the FAQs, Mitigations, and Workarounds section of this month's security bulletin.

You're welcome.
