This month appears to be a quiet Patch Tuesday, with only 55 new vulnerabilities being patched; 3 critical, 1 publicly disclosed and 1 exploited in the wild. This is a decrease of 18 total vulnerabilities compared to last month's release.
June’s instalment includes patches for some key software such as:
This remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word. An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, delete data, or create new accounts in the context allowed by the user’s rights. Although not classified as critical this is the only vulnerability that has been publicly disclosed and has been seen in the wild.
This critical vulnerability could allow a hacker to trigger remote code execution. By sending a specially crafted packet call to a Network File System (NFS) a hacker could submit code to be executed by the system all while being unauthenticated. This vulnerability is more likely to be exploited due to not having to be authenticated by a system holding potentially sensitive data.
This critical vulnerability affects an unknown part of the component LDAP. The manipulation of an unknown input can lead to a privilege escalation vulnerability. Exploitation is known to be difficult but can be initiated remotely by a hacker. Simple authentication is necessary for this vulnerability to be exploited potentially providing some protection against novice hackers. This vulnerability is only exploitable if the MaxReceiveBuffer LDAP policy is set to a value higher than the default value. Systems with the default value of this policy would not be vulnerable.
The last critical vulnerability would require the hacker to win a race condition. a successful attack could allow a hacker to traverse the guest's security boundary to execute code on the Hyper-V host execution environment.
For a full list of this month’s updates please see the links below:
Patch Tuesday release notes: https://msrc.microsoft.com/update-guide/releaseNote/2022-Jun
Security update guide: https://msrc.microsoft.com/update-guide/
Stuart Hare is a Technologist with a passion for helping people in all aspects of IT & Cyber Security. Stuart is the Founder of Ironshare, an Information and Cyber Security company providing consultancy and managed services.
Samuel is a Security Analyst with Ironshare, an Information and Cyber Security company providing Security consultancy and managed services.
Joshua is working as a Managed Service Lead with Ironshare, an Information and Cyber Security company providing Security consultancy and managed services.
