Microsoft has released the June 2022 Windows security update, which patches a critical operating system vulnerability known as Follina that is being actively exploited in ongoing attacks.
“Microsoft strongly recommends that customers install updates to fully protect against the vulnerability,” the company said. Customers whose systems are set up to receive automatic updates do not need to take any further action.
The company also urged customers, in a Microsoft Security Response Center post, to install the updates as soon as possible.
The vulnerability, tracked as CVE-2022-30190, is described by Microsoft as a Windows Support Diagnostic Tool remote code execution bug that affects all versions of Windows still receiving security updates.
Attackers who successfully exploit this vulnerability can execute arbitrary code with the privileges of the calling application, allowing them to install programs and view, change, or delete data.
It also lets attackers create new Windows accounts, to the extent that the compromised user's rights allow.
Follina exploits let attackers run malicious PowerShell commands through the Windows Support Diagnostic Tool when a victim opens or previews a Word document, in what Microsoft describes as arbitrary code execution attacks.
The patch does not stop Office from automatically loading Windows URI handlers without user interaction, but it blocks the PowerShell injection and thereby neutralises this attack method.
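The attack chain described above (a Word document handing a link to the Windows Support Diagnostic Tool, which then runs PowerShell) leaves a recognisable parent/child process relationship in endpoint telemetry. The following PowerShell is an added example for defenders, not code from the article or from Microsoft: it scans process-creation records for a Word process that launched the diagnostic tool. It assumes the tool's executable is msdt.exe (the article names only the tool, not the binary) and that records carry Sysmon-style Image, ParentImage and CommandLine fields; the sample records are constructed for illustration.

```powershell
# Added example (not from the article): flag process-creation records in which
# Microsoft Word launched the Windows Support Diagnostic Tool.
# Assumptions: the tool's executable is msdt.exe (not stated in the article);
# records expose Image / ParentImage / CommandLine / UtcTime fields as Sysmon does.

# Office host processes worth treating as suspicious parents of msdt.exe.
# The article discusses Word documents; extend this list for other Office hosts if desired.
$OfficeParents = @('WINWORD.EXE')

function Find-OfficeSpawnedMsdt {
    param([Parameter(Mandatory)][object[]]$Events)

    foreach ($e in $Events) {
        $parent = [IO.Path]::GetFileName($e.ParentImage)
        $child  = [IO.Path]::GetFileName($e.Image)

        # Match on file names only, so differing install paths do not hide the chain.
        if ($OfficeParents -contains $parent.ToUpperInvariant() -and $child -ieq 'msdt.exe') {
            [pscustomobject]@{
                Time        = $e.UtcTime
                Parent      = $parent
                Child       = $child
                CommandLine = $e.CommandLine
                Reason      = 'Office application launched the Windows Support Diagnostic Tool'
            }
        }
    }
}

# Constructed sample telemetry: a normal Word launch from Explorer, then Word spawning msdt.exe.
$SampleEvents = @(
    [pscustomobject]@{
        UtcTime     = '2022-06-14 10:02:11'
        ParentImage = 'C:\Windows\explorer.exe'
        Image       = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
        CommandLine = '"WINWORD.EXE" /n "C:\Users\alice\invoice.docx"'
    }
    [pscustomobject]@{
        UtcTime     = '2022-06-14 10:02:19'
        ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
        Image       = 'C:\Windows\System32\msdt.exe'
        CommandLine = 'msdt.exe ms-msdt:<constructed sample, arguments elided>'
    }
)

# Only the second record is reported.
Find-OfficeSpawnedMsdt -Events $SampleEvents | Format-Table -AutoSize
```

In production the `$SampleEvents` array would be replaced by records pulled from your EDR or from the Sysmon operational log, but the matching logic stays the same: Word should have no legitimate reason to start the diagnostic tool.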
Microsoft fixes a major security bug
The Follina vulnerability has been exploited in attacks for some time by state-backed actors and cybercriminals with various goals.
The Chinese hacking group TA413 exploited the bug in attacks targeting the Tibetan diaspora. It was also used by a second state-aligned group in phishing attacks against government agencies in the United States and the European Union.
Follina is also now being exploited by the TA570 group in phishing campaigns that infect recipients with Qbot.
The first attacks exploiting this flaw began in mid-April, using sextortion threats and invitations to interviews on Radio Sputnik as lures.
In light of Microsoft's reports of active exploitation, the Cybersecurity and Infrastructure Security Agency is also urging Windows administrators and users to disable the Windows Support Diagnostic Tool protocol that was misused in these attacks.
The security researcher who reported the vulnerability to Microsoft's security team in April said the company rejected the initial submission, saying it was not a security issue.
However, according to the researcher, Microsoft engineers later closed the report while tagging it as a remote code execution issue.
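Disabling the diagnostic tool protocol, as CISA recommends, means removing the URI handler that lets a document hand a link to the Windows Support Diagnostic Tool. The PowerShell below is an added example, not code from the article, CISA or Microsoft: it backs up and removes that handler, and can restore it once the June update is installed. It assumes the handler lives under the HKEY_CLASSES_ROOT\ms-msdt registry key, which the article does not name, and must be run from an elevated prompt.

```powershell
# Added example (not from the article): remove the ms-msdt URI protocol handler
# as an interim workaround, keeping a backup so it can be restored after patching.
# Assumption: the handler is registered under HKEY_CLASSES_ROOT\ms-msdt
# (the article only refers to "the Windows Support Diagnostic Tool protocol").
# Requires an elevated (administrator) PowerShell session.

$HandlerKey = 'HKEY_CLASSES_ROOT\ms-msdt'
$BackupFile = Join-Path $env:ProgramData 'ms-msdt-handler-backup.reg'

function Test-MsdtProtocolDisabled {
    # $true when no ms-msdt handler is registered, i.e. the workaround is in place.
    return -not (Test-Path "Registry::$HandlerKey")
}

function Disable-MsdtProtocol {
    if (Test-MsdtProtocolDisabled) {
        Write-Output 'ms-msdt handler is already absent; nothing to do.'
        return
    }
    # Export before deleting so the handler can be put back once patched.
    reg.exe export $HandlerKey $BackupFile /y | Out-Null
    if (-not (Test-Path $BackupFile)) {
        throw "Backup of $HandlerKey failed; refusing to delete without a backup."
    }
    reg.exe delete $HandlerKey /f | Out-Null
    Write-Output "ms-msdt handler removed; backup written to $BackupFile"
}

function Restore-MsdtProtocol {
    if (-not (Test-Path $BackupFile)) {
        Write-Output "No backup found at $BackupFile; nothing to restore."
        return
    }
    reg.exe import $BackupFile | Out-Null
    Write-Output 'ms-msdt handler restored from backup.'
}

# Apply the workaround and confirm it took effect.
Disable-MsdtProtocol
"Workaround in place: $(Test-MsdtProtocolDisabled)"
```

Run `Restore-MsdtProtocol` after the June 2022 update has been installed and verified, since the handler is also used by legitimate diagnostic shortcuts. `Test-MsdtProtocolDisabled` is suitable for a compliance check across a fleet because it only reads the registry.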