A few hours ago, we recorded this week's Naked Security Podcast, on Patch Tuesday.
It was just after 18:00 UK time when we hit the mics, which is just after 10:00 Microsoft HQ time, which meant we had official access to this month's June 2022 Security Update bulletin from Redmond just before we started.
According to that bulletin, the CVEs patched this month, listed in increasing numerical order, are as follows:
CVE-2022-2007
CVE-2022-2008
CVE-2022-2010
CVE-2022-2011
CVE-2022-21123
CVE-2022-21125
[. . . .]
CVE-2022-30184
CVE-2022-30188
CVE-2022-30189 <--- jumps from this
CVE-2022-30193 <--- to this
CVE-2022-32230
As you can see, CVE-2022-30190, popularly known as Follina, is not on the list.
So we said in the podcast, and guessed (as we hope you did too), that Follina either wasn't really considered a bug, and so hadn't been fixed, or that a fix was still being readied and hadn't made it in time.
As you'll probably remember (and as we'll show and explain in tomorrow's live Sophos Spotlight security webinar), we like to describe Follina as:
A feature that no one really wanted, combined with a feature that no one really needed, to create a malware implantation exploit that no one really expected.
Simply put (but do join us tomorrow for that 30-minute, jargon-free explanatory session!), you can use the Windows Object Linking and Embedding (OLE) system to make an Office document fetch and display an HTML web page.
On that web page, you can embed a small JavaScript program that launches a little-known proprietary Microsoft URL starting with ms-msdt:
to trigger the Microsoft Support Diagnostic Tool (MSDT).
(This, by the way, is a feature we can't really imagine anyone wanting, given that OLE is typically used to drag images into a presentation or to embed live spreadsheet data in a document, not to start troubleshooting locally installed apps.)
Unfortunately, that ms-msdt:
URL can be used not only to fire up the MSDT app, but also to feed it parameters so that the user doesn't have to select troubleshooting settings from the usual menu, including pre-identifying the app that needs troubleshooting by specifying that app's full path and file name.
And in that file name, you can embed a "metacommand" (a bit like Log4Shell or the recent Atlassian Confluence bug) using the character sequence $(...).
That weird $(...) sequence is apparently ignored when the system checks whether the named app exists, so even though there is no app whose name matches those characters, and even though the troubleshooter ought to bail out at this point, you don't get an error and Windows ploughs on regardless.
But when the system actually gets going with its troubleshooting, the weird file name is apparently reprocessed, and this time the text inside the $(...) markers is not used literally.
Instead, it is executed as a PowerShell command, and the text that command generates is what gets used as the file name at that point.
(This, of course, is a feature we can't imagine anyone really needing, however useful and "proactive" it might have seemed at the time.)
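To make the mechanism above concrete from a defender's side, here is an added example (not code from the article, the podcast or Sophos) that scans the text of a fetched HTML page for the two ingredients described: an ms-msdt: URL, and a $(...) metacommand hidden inside it. The two sample documents, the PLACEHOLDER_ID diagnostic id and the $(placeholder) metacommand are constructed for the example and are not taken from any real sample. The scan is a heuristic: it only sees what is literally present in the page text, so encoded or dynamically built URLs would need decoding before being fed to it.

```python
import re
from typing import Dict, List

# Constructed sample: an ordinary page that just redirects the browser.
BENIGN_HTML = r'''<html><body><script>
window.location.href = "https://example.com/help";
</script></body></html>'''

# Constructed sample: a page whose script launches the ms-msdt: handler and
# smuggles a $(...) metacommand into the path/file-name parameter. The id and
# the metacommand body are placeholders, not a working payload.
SUSPICIOUS_HTML = r'''<html><body><script>
window.location.href = "ms-msdt:/id PLACEHOLDER_ID /param \"path=C:\\tmp\\$(placeholder)\\app.exe\"";
</script></body></html>'''

# An ms-msdt: URL inside a JavaScript string literal: consume escaped pairs
# (\" or \\) as a unit and stop at the first unescaped double quote.
MSDT_URL_RE = re.compile(r'ms-msdt:(?:\\.|[^"\\])*', re.IGNORECASE)

# The $(...) metacommand sequence that MSDT later hands to PowerShell.
METACOMMAND_RE = re.compile(r'\$\([^)]*\)')


def scan_html(text: str) -> List[Dict[str, object]]:
    """Return one finding per ms-msdt: URL found in the page text.

    A bare ms-msdt: URL is already unusual in a document-linked page and is
    rated 'medium'; one carrying a $(...) metacommand is rated 'high'.
    """
    findings: List[Dict[str, object]] = []
    for match in MSDT_URL_RE.finditer(text):
        url = match.group(0)
        metacommands = METACOMMAND_RE.findall(url)
        findings.append({
            "url": url,
            "metacommands": metacommands,
            "severity": "high" if metacommands else "medium",
        })
    return findings


def verdict(findings: List[Dict[str, object]]) -> str:
    """Collapse the findings into a single triage decision."""
    if not findings:
        return "clean"
    if any(f["severity"] == "high" for f in findings):
        return "block"
    return "review"


if __name__ == "__main__":
    for label, page in (("benign", BENIGN_HTML), ("suspicious", SUSPICIOUS_HTML)):
        results = scan_html(page)
        print(f"{label}: {verdict(results)}")
        for f in results:
            print("  url:", f["url"])
            print("  metacommands:", f["metacommands"])
```

Run as a script it prints a verdict of "clean" for the benign page and "block" for the constructed suspicious one, together with the offending URL and the $(placeholder) sequence it contains. The same two checks could be applied to the HTML that a proxy or mail gateway sees being fetched on behalf of an Office process.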
Whatever you want
Simply put, the embedded PowerShell code can do whatever you want, from popping up a calculator to opening a reverse shell for a waiting cybercriminal (yes, we'll show you how that part works in the demo, and how to stop it from happening).
You don't even have to open a booby-trapped file in Word, because scrolling past an RTF file in the File Explorer Preview pane is enough to trigger it.
As you can see here, moving the cursor onto our test file t1.rtf
opened the Windows Troubleshooter, which popped up a calculator automatically and without any "Are you sure?" warning,
driven by the JavaScript URL hidden in the booby-trapped HTML file loaded by our booby-trapped document:
Fixed after all
After recording the podcast, and prompted by the June 2022 Security Update bulletin we mentioned above, we checked with our sister site, Sophos News, where SophosLabs had published its own analysis of the security bulletin, covering the CVEs in the official list in useful detail.
But SophosLabs agreed: no sign of CVE-2022-30190 appearing on the list yet!
Shortly afterwards, however, we noticed reports that the Follina bug had apparently been fixed after all.
So we installed the 2022-06 Cumulative Update for Windows 11 for x64-based Systems (KB5014697), rebooted…
And this time, although our booby-trapped RTF still triggered the web download and launched the Troubleshooter, the diagnostic tool seemed to detect the hidden $(...)
sequence in the file name specification as an invalid value, and bailed out with error 0x80070057 (INVALID_PARAMETER):
We repeated the test on Windows 10, where (on our system) the update announced itself as the 2022-06 Cumulative Update for Windows 10 Version 21H2 for x64-based Systems (KB5014699).
As on Windows 11, we could exploit the bug (using the latest Microsoft 365 flavour of Office) before the update; couldn't after it; and could again once the update was rolled back.
So, as far as we can see, the June 2022 "Patch Tuesday" update does at least suppress this bug, in our brief tests.
As mentioned above, we checked that the update was what made the difference by uninstalling KB5014697 (or KB5014699) and verifying that the exploit started working again.
So the CVE-2022-30190 bug does seem to have been recognised by Microsoft as a genuine security flaw, and to have been patched, even if it isn't obvious how you'd know, and even though it isn't officially listed in the Frequently Asked Questions, Mitigations and Workarounds section of this month's security bulletin.
You're welcome.