Press Release

Microsoft’s June 2022 Patch Tuesday Addresses 55 CVEs 

“Microsoft addressed CVE-2022-30136, a remote code execution vulnerability in the network file system that can be exploited by an unauthenticated attacker, assigning a CVSSv3 score of 9.8. This vulnerability does not affect versions 2 and 3 of Network File System (NFS). In terms of mitigation, Microsoft has proposed disabling NFS version 4.1. However, this may have adverse effects on systems, particularly for organizations that have not applied the May 2022 security update for CVE-2022-26937. Whenever possible, organizations are strongly encouraged to update with the most recent patches.

“Patches for CVE-2022-30190, the zero day known as Follina that was disclosed in late May, were also included in this month’s release. There was significant speculation leading up to Patch Tuesday about whether Microsoft would be releasing patches given Microsoft’s initial dismissal of the flaw and its widespread exploitation in the weeks since its public disclosure.

“On the subject of Microsoft’s troubling pattern of dismissing legitimate security concerns, Tenable researcher Jimi Sebree discovered and disclosed two vulnerabilities in Microsoft’s Azure Synapse Analytics, one of which has been patched and one which has not. Neither of these vulnerabilities were assigned CVE numbers or documented in Microsoft’s security update guide for June.”

Discussing the vulnerabilities discovered by Tenable researcher Jimi Sebree, Amit Yoran, Chairman and CEO at Tenable said in a LinkedIn Post yesterday:

“After evaluating the situation, Microsoft decided to silently patch one of the problems, downplaying the risk. It was only after being told that we were going to go public, that their story changed…89 days after the initial vulnerability notification…when they privately acknowledged the severity of the security issue. To date, Microsoft customers have not been notified.”

“Without timely and detailed disclosures, customers have no idea if they were, or are, vulnerable to attack…or if they fell victim to attack prior to a vulnerability being patched. And not notifying customers denies them the opportunity to look for evidence that they were or were not compromised, a grossly irresponsible policy.” — Claire Tills, Senior Research Engineer at Tenable

Leave a Response