Microsoft has rolled out its monthly Patch Tuesday updates for June 2022, which address numerous vulnerabilities. Users should update their systems as soon as possible to receive all the fixes.
Microsoft June Patch Tuesday Security Updates
The June Patch Tuesday updates from Microsoft bring fixes for 55 vulnerabilities affecting different Microsoft components.
These include three critical-severity remote code execution flaws affecting the following components.
- CVE-2022-30136 (CVSS 9.8) – a Windows Network File System RCE that an attacker could trigger via a maliciously crafted call to NFS.
- CVE-2022-30139 (CVSS 7.5) – a Windows Lightweight Directory Access Protocol (LDAP) RCE not exploitable under the default MaxReceiveBuffer LDAP policy values. However, with higher values, exploitation would become possible.
- CVE-2022-30163 (CVSS 8.5) – a Windows Hyper-V RCE that allowed an attacker to execute code by running specially crafted apps on a Hyper-V guest. Exploiting this bug required the adversary to win a race condition.
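Because CVE-2022-30139 depends on the MaxReceiveBuffer LDAP policy being raised above its default, defenders can audit that setting. The following is an added example, not part of the original article or Microsoft's advisory: it parses an LDIF export of Active Directory queryPolicy objects and flags any policy whose MaxReceiveBuffer exceeds the default. It assumes the default of 10485760 bytes from Microsoft's LDAP policy documentation (the article does not state it); the sample export, policy names and example.test domain are constructed.

```python
import re

# Default from Microsoft's LDAP policy documentation (bytes); not stated on this page.
DEFAULT_MAX_RECEIVE_BUFFER = 10485760

# Constructed sample export (not real data): two queryPolicy objects in LDIF,
# with long DNs folded onto a continuation line as export tools do.
SAMPLE_LDIF = """\
dn: CN=Default Query Policy,CN=Query-Policies,CN=Directory Service,CN=Windows N
 T,CN=Services,CN=Configuration,DC=example,DC=test
objectClass: queryPolicy
lDAPAdminLimits: MaxPageSize=1000
lDAPAdminLimits: MaxReceiveBuffer=10485760

dn: CN=Bulk Import Policy,CN=Query-Policies,CN=Directory Service,CN=Windows N
 T,CN=Services,CN=Configuration,DC=example,DC=test
objectClass: queryPolicy
lDAPAdminLimits: MaxReceiveBuffer=52428800
"""

def parse_ldif(text):
    """Return [(dn, [lDAPAdminLimits values])]; base64 ('attr::') values are skipped."""
    unfolded = re.sub(r"\r?\n ", "", text)  # undo LDIF line folding
    entries = []
    for block in re.split(r"\r?\n\s*\r?\n", unfolded.strip()):
        dn, limits = None, []
        for line in block.splitlines():
            name, sep, value = line.partition(": ")
            if not sep:
                continue
            if name.lower() == "dn":
                dn = value.strip()
            elif name.lower() == "ldapadminlimits":
                limits.append(value.strip())
        if dn:
            entries.append((dn, limits))
    return entries

def audit_max_receive_buffer(ldif_text):
    """Return [(dn, value)] for policies whose MaxReceiveBuffer exceeds the default."""
    findings = []
    for dn, limits in parse_ldif(ldif_text):
        for item in limits:
            key, _, val = item.partition("=")
            # A policy with no MaxReceiveBuffer entry uses the default: not flagged.
            if key.strip().lower() == "maxreceivebuffer" and val.strip().isdigit():
                if int(val) > DEFAULT_MAX_RECEIVE_BUFFER:
                    findings.append((dn, int(val)))
    return findings

if __name__ == "__main__":
    for dn, value in audit_max_receive_buffer(SAMPLE_LDIF):
        print(f"REVIEW {dn}: MaxReceiveBuffer={value}")
```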
Apart from these, the latest updates also address 51 important-severity bugs, with many leading to remote code execution attacks.
Likewise, a moderate-severity RCE bug also affected the Microsoft Edge browser. Identified as CVE-2022-22021, the vulnerability received a CVSS score of 8.3. An attacker who won a race condition could exploit the flaw to escape the browser sandbox. Explaining the contrast between the bug’s severity rating and its CVSS score, Microsoft stated in its advisory,
Per our severity guidelines, the amount of user interaction or preconditions required to allow this sort of exploitation downgraded the severity, specifically it says, “If a bug requires more than a click, a key press, or several preconditions, the severity will be downgraded”.
Exploiting this bug required an adversary to trick the target victim into visiting a maliciously crafted website. But, since such exploitation won’t always be possible, the bug received a lower severity rating.
Nonetheless, attackers may exploit the flaw in phishing campaigns. Therefore, users should promptly update Microsoft Edge on their devices.
This applies beyond the Edge browser: users should update every system running the affected Microsoft components to receive the relevant patches.