Just a few hours ago, we recorded this week’s Naked Security podcast, right on Patch Tuesday itself.
It was just after 18:00 UK time when we hit the mics, which meant it was just after 10:00 Microsoft HQ time, which meant we had access to this month’s official June 2022 Security Updates bulletin from Redmond itself just before we started.
According to this bulletin, the CVEs fixed this month, listed in increasing numeric order, are as follows:
CVE-2022-2007
CVE-2022-2008
CVE-2022-2010
CVE-2022-2011
CVE-2022-21123
CVE-2022-21125
[. . . .]
CVE-2022-30184
CVE-2022-30188
CVE-2022-30189   <--- jumps from this
CVE-2022-30193   <--- to this
CVE-2022-32230
As you can see, CVE-2022-30190, popularly known as Follina, isn’t on the list.
We said as much in the podcast, and inferred (as we expect you did, too) that Follina either wasn’t really considered a bug, and therefore didn’t get fixed, or was still in the process of getting some sort of fix that wasn’t ready in time.
As you will no doubt recall (and as we’ll demonstrate and explain in tomorrow’s live Sophos Spotlight security webinar), we like to describe Follina as:
A feature that nobody really wanted, combined with a feature nobody really needed, to produce a malware implantation exploit that nobody really expected.
Simply put (but please join us tomorrow for that 30 minute jargon-free explainer session!), you can use the Object Linking and Embedding (OLE) system in Windows to tell an Office document to fetch and display an HTML web page.
In that web page, you can embed a short JavaScript program that references a little-known proprietary Microsoft URL starting ms-msdt: in order to trigger the Microsoft Support Diagnostic Tool (MSDT).
(This, by the way, is the feature we can’t imagine anyone really wanted, given that OLE is generally used for pulling images into presentations or for embedding live spreadsheet data into documents, not for starting software tests for locally installed apps.)
Sadly, that ms-msdt: URL can not only be used to fire up the MSDT app, but also to feed it parameters so the user doesn’t need to choose the troubleshooting settings from the usual menus, including pre-identifying the app that needs testing by providing its exact path and filename.
And in that filename, you can embed a “metacommand” (a bit like Log4Shell or the recent Atlassian Confluence bug) buried inside a $(...) sequence of characters.
That weird sequence $(...) is apparently ignored when the system checks to see if the named app exists, so although there are no apps with $(...) in their names that would match those characters, and although the troubleshooter should bail at this point, you don’t get an error and Windows ploughs on regardless.
But when the system actually kicks off its troubleshooting, that weird filename apparently gets re-processed, and the character sequence inside the $(...) markers isn’t used literally.
Instead, it’s executed as a PowerShell command that’s supposed to generate the text that will actually be used at that point in the filename.
(That, of course, is the feature that we can’t imagine anyone really needed, as useful and as “proactive” as it might have seemed at the time.)
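As an added example (our own code, not Sophos’s or Microsoft’s), here is a small Python scanner for HTML content that reports every ms-msdt: URL and flags those carrying a $(...) metacommand, after undoing the JavaScript, HTML-entity and percent encodings that could hide the dollar sign from a naive search. The sample page, the troubleshooter pack names and the IT_File parameter are constructed placeholders, not real MSDT identifiers.

```python
import html
import re
from dataclasses import dataclass
from urllib.parse import unquote

# Constructed sample page. EXAMPLE_PACK, OTHER_PACK and IT_File are placeholder
# names, not real MSDT troubleshooter identifiers or parameters.
SAMPLE_HTML = """<html><body>
<script>
  // string concatenation and a percent-encoded "$" defeat a naive grep
  window.location.href = "ms-msdt:/id EXAMPLE_PACK " +
      "/param \\"IT_File=%24(Write-Host constructed-sample)\\"";
</script>
<a href="ms-msdt:/id EXAMPLE_PACK">plain troubleshooter link</a>
<a href="ms-msdt:/id OTHER_PACK /param &quot;IT_File=&#36;(Get-Date)&quot;">x</a>
</body></html>"""

JS_ESCAPE = re.compile(r"\\(?:x([0-9a-fA-F]{2})|u([0-9a-fA-F]{4}))")

def normalise(text: str) -> str:
    """Undo encodings that can hide a '$(' sequence: JavaScript \\xNN and
    \\uNNNN escapes, HTML entities, and (double) percent-encoding."""
    text = JS_ESCAPE.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), text)
    text = html.unescape(text)
    for _ in range(2):
        text = unquote(text)
    return text

@dataclass
class Finding:
    offset: int            # position of ms-msdt: in the normalised text
    snippet: str           # the URL and what follows it, up to the closing tag
    has_metacommand: bool  # True when a $( sequence follows the scheme

def scan_for_msdt(text: str, window: int = 300) -> list[Finding]:
    """Report every ms-msdt: URL and flag those carrying a $(...) metacommand.
    A fixed window after the scheme is inspected instead of a strict URL
    grammar, so concatenated or oddly quoted strings still match."""
    norm = normalise(text)
    findings = []
    for m in re.finditer(r"ms-msdt:", norm, re.IGNORECASE):
        snippet = norm[m.start(): m.start() + window]
        snippet = re.split(r"</script>|</a>", snippet, maxsplit=1, flags=re.IGNORECASE)[0]
        findings.append(Finding(m.start(), snippet, "$(" in snippet))
    return findings

def suspicious(text: str) -> bool:
    """True when any ms-msdt: URL in the content carries a $( metacommand."""
    return any(f.has_metacommand for f in scan_for_msdt(text))
```

Run against SAMPLE_HTML, the two links that embed a dollar-paren sequence are flagged and the plain troubleshooter link is not.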
Run-what-you-want
Loosely speaking, the embedded PowerShell code can do anything you want it to, from popping up a calculator to opening a reverse shell for a waiting cybercriminal (yes, we’ll show you how that part works in the demo, and how you can stop it from happening).
You don’t even need to open a booby-trapped file in Word itself, because simply scrolling to an RTF file in File Explorer with the Preview Pane turned on is enough.
As you see here, moving the cursor to our test file t1.rtf opened up the Windows Troubleshooter automatically and popped up a calculator without any warning or Are you sure? message, based on the sneaky JavaScript URL in the booby-trapped HTML file loaded by our booby-trapped document:
Fixed after all
Having recorded the podcast, based on the abovementioned June 2022 Security Update bulletin, we checked with our sister site, Sophos News, where SophosLabs had by then published its own analysis of that security bulletin, covering the CVEs in the official list in useful detail.
But SophosLabs agrees: there was still no obvious sign of CVE-2022-30190 having been attended to!
Anyway, a short while after that, we noticed reports that the Follina bug was apparently “fixed” after all.
So we installed 2022-06 Cumulative Update for Windows 11 for x64 (KB5014697), rebooted…
…and this time, although previewing our booby-trapped RTF triggered a web download and launched the troubleshooter, the Diagnostic Tool seemed to detect that sneakily-hidden $(...) sequence in the filename specification as an illegal value, and produced error 0x80070057, the numeric code for INVALID_PARAMETER:
So, as far as we can see, the June 2022 Patch Tuesday does suppress this bug, at least in our brief testing.
To make sure that the update was indeed the change that did the trick, we uninstalled KB5014697, and the exploitable behaviour reappeared.
Therefore, the CVE-2022-30190 bug does seem to have been recognised as a genuine security flaw by Microsoft, and it has been patched, even if you weren’t sure about that to start with.
You’re welcome.