Microsoft patches Follina vulnerability (CVE-2022-30190) in Windows with June 2022 updates

The Windows security updates released on June 14, 2022 also close the vulnerability in the ms-msdt: protocol that allowed the Microsoft Support Diagnostics Utility to be misused. The vulnerability, known as Follina (CVE-2022-30190), is already being exploited in attacks. Microsoft does not mention this fix in the support articles for the individual updates, so I summarize the relevant information in the following post.

Vulnerability CVE-2022-30190 (Follina)

The vulnerability CVE-2022-30190 (aka Follina), which has been public since late May 2022, allows the Microsoft Support Diagnostics Utility (msdt.exe) to be abused via the ms-msdt: protocol to download malicious Word documents (or Excel spreadsheets) from the web. Ways to abuse it via Wget in PowerShell are also known. An attacker can exploit the vulnerability to execute code remotely with the privileges of the calling application.

I covered this issue on the blog in posts including Follina: Attack via Word documents and ms-msdt protocol (CVE-2022-30190) and Follina vulnerability (CVE-2022-30190): Status, Findings, Warnings & Attacks (see also the links at the end of the article). According to Microsoft, Windows Server 2019 and Windows 10 version 1809 and later are affected; Microsoft has now released patches for all versions of Windows (clients and servers).

Patch with the June 2022 updates

Microsoft also patched the CVE-2022-30190 (Follina) vulnerability with the June 14, 2022 Windows security updates, but did not mention this in the KB articles in question (Will Dormann noticed this as well); I had pointed it out in the posts linked at the end of the article. The indication that something related to this vulnerability has been patched can be found in the Microsoft article Guidance for CVE-2022-30190 Microsoft Support Diagnostic Tool Vulnerability dated May 30, 2022, where a short note was added as an addendum:

06/14/2022 – Announced updates that address the vulnerability.

Microsoft published more details in the May 30, 2022 article for CVE-2022-30190, which was also updated on June 14, 2022. That article lists the following security updates as closing the vulnerability:

  • KB5014678: Windows Server 2022
  • KB5014697: Windows 11
  • KB5014699: Windows 10 Version 20H2 – 21H2, Windows Server 20H2
  • KB5014692: Windows 10 Version 1809 (IoT), Windows Server 2019
  • KB5014702: Windows 10 1607 (LTSC), Windows Server 2016
  • KB5014710: Windows 10 1507 (RTM, LTSC)
  • KB5014738: Monthly Rollup Windows Server 2012 R2, Windows RT 8.1, Windows 8.1
  • KB5014746: Security only Windows Server 2012 R2, Windows RT 8.1, Windows 8.1
  • KB5014747: Monthly Rollup Windows Server 2012
  • KB5014741: Security only Windows Server 2012
  • KB5014748: Monthly Rollup Windows Server 2008 R2, Windows 7 SP1
  • KB5014742: Security only Windows Server 2008 R2, Windows 7 SP1
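As an added example (not part of the original post), the following PowerShell script checks whether the June 14, 2022 update that Microsoft lists for CVE-2022-30190 is installed on the local machine. The KB-to-OS assignment is taken from the list above; the mapping of OS build numbers to those KBs is my own assumption and is not stated on the page.

```powershell
# Added example, not from the original post. Maps the local OS build to the
# June 14, 2022 KB from Microsoft's CVE-2022-30190 list and looks it up in the
# installed-updates inventory (Win32_QuickFixEngineering via Get-HotFix).
# Build numbers below are an assumption (well-known Windows builds), not page data.
$FollinaKbByBuild = @{
    20348 = @('KB5014678')               # Windows Server 2022
    22000 = @('KB5014697')               # Windows 11 (21H2)
    19042 = @('KB5014699')               # Windows 10 20H2, Windows Server 20H2
    19043 = @('KB5014699')               # Windows 10 21H1
    19044 = @('KB5014699')               # Windows 10 21H2
    17763 = @('KB5014692')               # Windows 10 1809 (IoT), Windows Server 2019
    14393 = @('KB5014702')               # Windows 10 1607 (LTSC), Windows Server 2016
    10240 = @('KB5014710')               # Windows 10 1507 (RTM, LTSC)
    9600  = @('KB5014738', 'KB5014746')  # 8.1 / RT 8.1 / Server 2012 R2: rollup or security-only
    9200  = @('KB5014747', 'KB5014741')  # Windows Server 2012: rollup or security-only
    7601  = @('KB5014748', 'KB5014742')  # Windows 7 SP1 / Server 2008 R2: rollup or security-only
}

function Test-FollinaPatch {
    $os    = Get-CimInstance -ClassName Win32_OperatingSystem
    $build = [int]$os.BuildNumber
    $expected = $FollinaKbByBuild[$build]
    if (-not $expected) {
        # Build not in the June 2022 list (e.g. an unsupported or newer release).
        return [pscustomobject]@{ Caption = $os.Caption; Build = $build;
                                  Expected = 'n/a'; Patched = $false;
                                  Status = 'Build not covered by the June 2022 KB list' }
    }
    # Either KB of a pair (monthly rollup or security-only) is sufficient.
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $found = @($expected | Where-Object { $installed -contains $_ })
    [pscustomobject]@{
        Caption  = $os.Caption
        Build    = $build
        Expected = ($expected -join ' or ')
        Patched  = ($found.Count -gt 0)
        Status   = if ($found.Count -gt 0) { "Installed: $($found -join ', ')" }
                   else { 'June 2022 update for CVE-2022-30190 not found' }
    }
}

Test-FollinaPatch | Format-List
```

A later cumulative update contains the same fix, so on a machine that went straight from May to a July or newer monthly update Get-HotFix will not list the June KB; treat a negative result as "verify the installed build revision", not as proof the system is unpatched.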

This means that appropriate security updates are available for all Windows server and client versions that are still in support. The vulnerability is rated as "important"; the updates should nevertheless be installed promptly, since exploitation has already been observed.

Security companies such as Tenable criticize Microsoft's information policy. The vulnerability became known in May 2022, but exploitation attempts had already been going on for six weeks. In the run-up to Patch Tuesday there was a lot of speculation about whether Microsoft would release patches at all, Tenable says, and Microsoft initially downplayed the vulnerability even though it was already being exploited. The information that Follina has been patched also has to be pieced together, as mentioned above. Overall, Microsoft's security update information is getting sparser (see also my notes on details of what was patched in the blog post Patchday: Windows 11/Server 2022 Updates (June 14, 2022)). Microsoft's hints for mitigating the vulnerability were also not sufficient, as various discussions around the Follina posts here on the blog show.

Similar articles:
Microsoft Security Update Summary (June 14, 2022)
Patchday: Windows 10-Updates (June 14, 2022)
Patchday: Windows 11/Server 2022 Updates (June 14, 2022)
Windows 7/Server 2008R2; Windows 8.1/Server 2012R2: Updates (June 14, 2022)

Follina: Attack via Word documents and ms-msdt protocol (CVE-2022-30190)
Follina vulnerability (CVE-2022-30190): Status, Findings, Warnings & Attacks
0Patch Micro patch against Follina vulnerability (CVE-2022-30190) in Windows
Follina (CVE-2022-30190): No major attack wave, but campaigns on EU/US and other targets
Windows Vulnerability Follina (CVE-2022-30190): New findings, new risks (June 9, 2022)


One Response to Microsoft patches Follina vulnerability (CVE-2022-30190) in Windows with June 2022 updates

  1. Diego says:

    KB5011497 and/or KB5014738 breaks Terminal Server Gateway in Windows Server 2012
