A few hours ago, we recorded this week's Naked Security podcast, right on Patch Tuesday itself.
It was just after 18:00 UK time when we hit the mics, which meant it was just after 10:00 Microsoft HQ time, which meant we had access to this month's official June 2022 Security Updates bulletin from Redmond itself just before we started.
According to this bulletin, the CVEs fixed this month, listed in increasing numeric order, are as follows:
CVE-2022-2007
CVE-2022-2008
CVE-2022-2010
CVE-2022-2011
CVE-2022-21123
CVE-2022-21125
[. . . .]
CVE-2022-30184
CVE-2022-30188
CVE-2022-30189   <--- jumps from this
CVE-2022-30193   <--- to this
CVE-2022-32230
As you can see, CVE-2022-30190, popularly known as Follina, isn't on the list.
We said as much in the podcast, and inferred (as we expect you did, too) that Follina either wasn't really considered a bug, and therefore didn't get fixed, or was still in the process of getting some sort of fix that wasn't ready in time.
As you'll no doubt recall (and as we will demonstrate and explain in tomorrow's live Sophos security webinar), we like to describe Follina as:
A feature that no one really wanted, combined with a feature no one really needed, to produce a malware implantation exploit that no one really expected.
Simply put (but please join us tomorrow for that 30-minute jargon-free explainer session!), you can use the Object Linking and Embedding (OLE) system in Windows to tell an Office document to fetch and display an HTML web page.
In that web page, you can embed a short JavaScript program that references a little-known proprietary Microsoft URL scheme starting ms-msdt: in order to trigger the Microsoft Support Diagnostic Tool (MSDT).
(This, by the way, is the feature we can't imagine anyone really wanted, given that OLE is usually used for pulling images into presentations or for embedding live spreadsheet data into documents, not for starting software tests of locally installed apps.)
Unfortunately, that ms-msdt: URL can be used not only to fire up the MSDT app but also to feed it parameters, so the user doesn't need to choose the troubleshooting settings from the usual menus, including pre-identifying the app that needs testing by providing its exact path and filename.
And in that filename, you can embed a "metacommand" (a bit like Log4Shell or the recent Atlassian Confluence bug) buried inside a $(...) sequence of characters, which is PowerShell's subexpression syntax.
That weird sequence $(...) is apparently ignored when the system checks to see if the named app exists, so even though there are no apps with $(...) in their names that would match those characters, and even though the troubleshooter should bail at this point, you don't get an error and Windows ploughs on regardless.
But when the system actually kicks off its troubleshooting, that weird filename apparently gets re-processed, and the character sequence inside the $(...) markers isn't used literally.
Instead, it's executed as a PowerShell command that's supposed to generate the text that will actually be used at that point in the filename.
(That, of course, is the feature that we can't imagine anyone really needed, as useful and as "proactive" as it might have seemed at the time.)
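What a defender can check for, given the chain just described, as an added example that is not code from the original article or from Sophos: a Python script that opens a .docx package and flags any OLE object relationship pointing at an external URL rather than an embedded part, then pulls ms-msdt: URLs out of a fetched HTML page's JavaScript and reports any $(...) subexpression hidden in their parameters, the same construct that the patched troubleshooter now refuses as an invalid parameter. The sample document and HTML are constructed inline; the /id, /skip and /param layout and the IT_BrowseForFile parameter name in the sample URL follow public Follina samples rather than anything stated on this page. The package check covers OOXML files only, since an RTF file is not a zip package.

```python
# Added example (not code from the original article or from Sophos): checks for
# the two artefacts described above. Sample inputs are constructed; the /id,
# /skip and /param layout and the IT_BrowseForFile name follow public Follina
# samples rather than anything stated in the article.
import io
import re
import xml.etree.ElementTree as ET
import zipfile

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
IMG_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/image"

# A quoted JavaScript string literal starting with ms-msdt:, allowing \" escapes
# so the quoted /param "..." section inside the URL is captured whole.
MSDT_LITERAL = re.compile(r'''(["'])(ms-msdt:(?:\\.|(?!\1)[^\\])*)\1''', re.IGNORECASE)


def external_ole_targets(docx_bytes: bytes) -> list[str]:
    """Targets of oleObject relationships with TargetMode="External".

    An embedded object lives as a part inside the package; an External target
    is fetched from a URL when the document is rendered, the first link in the
    Follina chain. RTF files are not zip packages and are not covered here.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as pkg:
        for name in pkg.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(pkg.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("Type") == OLE_REL and rel.get("TargetMode") == "External":
                    hits.append(rel.get("Target", ""))
    return hits


def find_subexpressions(text: str) -> list[str]:
    """Bodies of every top-level PowerShell subexpression $(...) in text.

    Parentheses are balanced, so $(a($(b))) gives one entry "a($(b))" rather
    than stopping at the first ')'. An unterminated $( yields the rest of the
    string, which is still worth flagging.
    """
    found, pos = [], 0
    while True:
        start = text.find("$(", pos)
        if start < 0:
            return found
        depth, j = 0, start + 1
        while j < len(text):
            if text[j] == "(":
                depth += 1
            elif text[j] == ")":
                depth -= 1
                if depth == 0:
                    break
            j += 1
        if j >= len(text):
            found.append(text[start + 2:])
            return found
        found.append(text[start + 2:j])
        pos = j + 1


def scan_html(html: str) -> list[dict]:
    """ms-msdt: URLs in JavaScript string literals, each with the $(...)
    subexpressions smuggled into its parameters (empty list if none)."""
    report = []
    for _, literal in MSDT_LITERAL.findall(html):
        url = literal.replace('\\"', '"').replace("\\'", "'")
        report.append({"url": url, "subexpressions": find_subexpressions(url)})
    return report


def build_sample_docx(target: str) -> bytes:
    """Constructed minimal package with one External oleObject relationship
    next to an ordinary image relationship. Not a complete Word file."""
    rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Relationships xmlns="{REL_NS}">'
        f'<Relationship Id="rId1" Type="{OLE_REL}" Target="{target}" TargetMode="External"/>'
        f'<Relationship Id="rId2" Type="{IMG_REL}" Target="media/image1.png"/>'
        "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as pkg:
        pkg.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


# Constructed HTML modelled on the chain described above: a script that
# navigates to an ms-msdt: URL whose file parameter hides $(calc.exe).
SAMPLE_HTML = r"""<html><body><script>
window.location.href = "ms-msdt:/id PCWDiagnostic /skip force /param \"IT_BrowseForFile=$(calc.exe)/../../../Windows/System32/mpsigstub.exe\"";
</script></body></html>"""
```

Running `external_ole_targets(build_sample_docx("http://example.invalid/t1.html"))` returns the external URL, and `scan_html(SAMPLE_HTML)` returns one hit whose subexpression list is `["calc.exe"]`; a page with no ms-msdt: literal returns an empty list. The balanced-paren scanner matters because real payloads nest `$(...)` inside `Invoke-Expression(...)`, and a first-closing-paren regex would report only a fragment.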
Run-what-you-want
Loosely speaking, the embedded PowerShell code can do anything you want it to, from popping up a calculator to opening a reverse shell for a waiting cybercriminal (yes, we'll show you how that part works in the demo, and how to stop it from happening).
You don't even need to open a booby-trapped file in Word itself, because merely scrolling to an RTF file in File Explorer with the Preview Pane turned on is enough.
As you see here, moving the cursor to our test file t1.rtf opened up the Windows Troubleshooter automatically and popped up a calculator without any warning or Are you sure? message, based on the sneaky JavaScript URL in the booby-trapped HTML file loaded by our booby-trapped document.
Fixed after all
Having recorded the podcast, based on the abovementioned June 2022 Security Update bulletin, we checked with our sister site, Sophos News, where SophosLabs had by then published its own analysis of that security bulletin, covering the CVEs in the official list in useful detail.
But SophosLabs agreed: there was still no obvious sign of CVE-2022-30190 having been attended to!
Anyway, a short while after that, we noticed reports that the Follina bug was apparently "fixed" after all.
So we installed the 2022-06 Cumulative Update for Windows 11 for x64 (KB5014697), rebooted…
…and this time, although previewing our booby-trapped RTF still triggered a web download and launched the troubleshooter, the Diagnostic Tool seemed to detect that sneakily-hidden $(...) sequence in the filename specification as an illegal value, and produced error 0x80070057, the HRESULT form of the Win32 error ERROR_INVALID_PARAMETER.
So, as far as we can see, the June 2022 Patch Tuesday does suppress this bug, at least in our brief testing.
To make sure that the update was indeed the change that did the trick, we uninstalled KB5014697, and the exploitable behaviour reappeared.
Therefore, the CVE-2022-30190 bug does seem to have been recognised as a genuine security flaw by Microsoft, and it has been patched, even if you weren't sure about that to start with.
You're welcome.