Vendor Vulnerabilities Published In June 2022
Vendor vulnerabilities are a common cybersecurity challenge businesses face when introducing third-party products and services to their network. Whether the security flaw sits in a network, a server or an application, businesses relying on third-party vendors are often the ones left to resolve the issue. To support you in resolving known vulnerabilities as quickly as possible, we have outlined some of the main third-party vendor vulnerabilities announced in June 2022. These include:
- Microsoft patches 60 vulnerabilities
- Google patches seven Chrome browser bugs
- Adobe patches 46 vulnerabilities
1. Microsoft patches 'Follina' zero-day flaw
June’s Patch Tuesday marks the third month in a row where Microsoft has issued an update to address a critical security vulnerability.
This month, the patched critical vulnerabilities included the widely exploited ‘Follina’ zero-day (CVE-2022-30190) disclosed on May 30th.
‘Follina’ zero-day
The vulnerability, in the Microsoft Diagnostic Tool (MSDT), gave attackers the opportunity to execute malicious code remotely through Microsoft Office documents, even with macros disabled.
Microsoft has warned users that the zero-day allows malicious attackers to view or delete data, install programs and to create new accounts on compromised systems.
Other Microsoft vulnerabilities of interest
The zero-day is only one of 60 security updates that the company released this month to address vulnerabilities throughout its product range, including:
- Windows
- Office
- Edge
- Visual Studio
- Windows Defender
- SharePoint Server
- Windows Lightweight Directory Access Protocol.
Of the 60, three bugs have been rated critical severity:
CVE-2022-30139
A remote code execution flaw in the Windows Lightweight Directory Access Protocol (LDAP) which allows attackers to execute privileged code on vulnerable systems.
CVE-2022-30136
A remote code execution vulnerability in the Windows Network File System (NFS).
CVE-2022-30163
A remote code execution vulnerability in Windows Hyper-V. This vulnerability could potentially give malicious actors a way to move from a guest virtual machine to a host in order to access any VM machines on the system.
CVE | Title | Severity | CVSS |
---|---|---|---|
CVE-2022-30157 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Important | 8.8 |
CVE-2022-30158 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Important | 8.8 |
CVE-2022-30165 | Windows Kerberos Elevation of Privilege Vulnerability | Important | 8.8 |
CVE-2022-30153 | Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability | Important | 8.8 |
CVE-2022-30161 | Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability | Important | 8.8 |
CVE-2022-30164 | Kerberos AppContainer Security Feature Bypass Vulnerability | Important | 8.4 |
CVE-2022-22021 | Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability | Moderate | 8.3 |
CVE-2022-30141 | Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability | Important | 8.1 |
2. Google patches seven Chrome browser bugs
This month, Google has patched seven vulnerabilities, four of which were rated as high risk.
Full details of the vulnerabilities have yet to be disclosed, in accordance with Google's policy of waiting for most users to apply the updates before revealing more information.
CVE-2022-2007
CVE-2022-2007 is one of four high-risk vulnerabilities patched this month. The Use-After-Free (UAF) vulnerability in WebGPU allows attackers to exploit incorrect handling of dynamic memory (memory used after it has been freed) during program operation to compromise the program.
CVE-2022-2008
CVE-2022-2008 is an out-of-bounds flaw in WebGL, a JavaScript API used in Google Chrome. The vulnerability allows malicious attackers to read sensitive information they shouldn't be able to access.
CVE-2022-2010
CVE-2022-2010 is an out-of-bounds vulnerability in Google Chrome's compositing component.
CVE-2022-2011
CVE-2022-2011 is a UAF vulnerability in ANGLE, an open-source, cross-platform graphics engine abstraction layer used in the backend of Chrome.
It is advised that Chrome be updated to the latest version which, at the time of writing, is 102.0.5005.115.
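A quick way to check an estate against that fixed build, as an added example that is not part of the original post: the inventory below is constructed, and the point worth noticing is that Chrome version strings must be compared numerically, since as plain text "102.0.5005.61" sorts after "102.0.5005.115" even though it is the older build.

```python
"""Flag Chrome installs below the fixed build (added example, not from the original post)."""
from __future__ import annotations

# Version named on the page as the patched release at the time of writing.
FIXED_CHROME_VERSION = "102.0.5005.115"


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '102.0.5005.61' into (102, 0, 5005, 61) so comparison is numeric.

    Comparing raw strings is a classic mistake: '102.0.5005.61' > '102.0.5005.115'
    as text, because '6' sorts after '1', even though .61 is the older build.
    """
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Chrome version string: {text!r}")
    return tuple(int(p) for p in parts)


def needs_update(installed: str, fixed: str = FIXED_CHROME_VERSION) -> bool:
    """True when the installed build is older than the build carrying the fix."""
    return parse_version(installed) < parse_version(fixed)


def triage_inventory(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Sort hosts into 'patched', 'vulnerable' and 'unknown' (unparseable version)."""
    result: dict[str, list[str]] = {"patched": [], "vulnerable": [], "unknown": []}
    for host, version in inventory.items():
        try:
            bucket = "vulnerable" if needs_update(version) else "patched"
        except ValueError:
            bucket = "unknown"  # do not silently treat a bad report as patched
        result[bucket].append(host)
    return result


# Constructed sample inventory (hostname -> reported Chrome version); not real data.
SAMPLE_INVENTORY = {
    "ws-001": "102.0.5005.115",  # exactly the fixed build
    "ws-002": "102.0.5005.61",   # earlier build: still exposed
    "ws-003": "103.0.5060.53",   # newer major release
    "ws-004": "101.0.4951.64",   # older major release
    "ws-005": "unknown",         # agent failed to report a version
}

if __name__ == "__main__":
    for bucket, hosts in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```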
3. Adobe patches 46 vulnerabilities
This month, Adobe addressed 46 vulnerabilities across Adobe Illustrator, InDesign, InCopy, Bridge, Robohelp and Animate.
Adobe Illustrator vulnerabilities
Adobe Illustrator vulnerabilities accounted for 17 of the 46 vulnerabilities addressed in the June patch.
The most severe of the vulnerabilities could allow code execution if an affected system opens a specifically crafted file.
Adobe InDesign
Seven critical-rated vulnerabilities were patched in Adobe InDesign. The bugs could lead to arbitrary code execution and are a mix of heap overflow, out-of-bounds (OOB) read, OOB write and Use-After-Free (UAF) flaws.
Adobe InCopy
Eight critical vulnerabilities were patched in InCopy. Successful exploitation could lead to arbitrary code execution.
Adobe Bridge
A total of 12 bugs were fixed in Adobe Bridge, 11 of which had a critical rating. Successful exploitation of these bugs could lead to arbitrary code execution, arbitrary file system writes and memory leaks.
Adobe Animate
Adobe Animate received one patch for a critical-rated OOB Write that could lead to arbitrary code execution.
RoboHelp Server
Finally, RoboHelp Server 11 had one patch for a moderate-rated vulnerability. The vulnerability allowed end users with non-administrative privileges to manipulate API requests and elevate their account privileges to those of a server administrator.
None of the bugs patched this month were under active attack at the time the patches were released.
Get our expert help
Identifying cyber security vulnerabilities without an expert's eye can be a difficult task. At Secora Consulting, we offer a wide range of services which we tailor to meet our clients' individual requirements.
Cyber Hygiene Assessment
Our Cyber Hygiene Assessment can support you in reducing exposure to cyber-attacks by gaining insight into weaknesses in your current cyber security posture and putting in place some good practice controls to increase your cyber defences.
Vulnerability Assessment
Our Vulnerability Assessment service can provide you with a prioritised list of your vulnerabilities and easy to follow remediation advice to immediately improve your cyber security posture.
Partner With Us Today
Partner with us today and our experienced consultants will go the extra mile to ensure your organisation stays secure by:
- Validating implemented security controls
- Prioritising your risks based on their exploitability and impact
- Providing expert and effective advice to immediately improve your cybersecurity posture
- Understanding how uncovered issues will affect your organisation, operational availability and profitability
Our services
All of Secora Consulting's assessments are tailored to our client's needs.
Using our experience, we can help you determine which services are right for you.