Microsoft’s June 2022 Patch Tuesday Updates Fix Several Remote Code Execution Vulnerabilities

Windows 11

Microsoft has released yesterday the June 2022 Patch Tuesday updates for Windows 11 and Windows 10, which include 60 security fixes for remote code execution vulnerabilities, information disclosures, and more. Windows 11 users are also getting a new feature this month with Windows Spotlight wallpapers coming to the desktop. 

Serious bugs patched in June 2022

Here are the most important security fixes that Microsoft released as part of the June 2022 Patch Tuesday updates, which include patches for three critical vulnerabilities: 

  • CVE-2022-30163: This Windows Hyper-V Remote Code Execution Vulnerability could allow attackers to run a specially crafted application on a Hyper-V guest that could cause the Hyper-V host operating system to execute arbitrary code.
  • CVE-2022-30139: This RCE vulnerability in the Windows Lightweight Directory Access Protocol (LDAP) is only exploitable if the MaxReceiveBuffer LDAP policy is set to a value higher than the default value. 
  • CVE-2022-30136: This RCE vulnerability in the Windows Network File system could be exploited over the network by attackers making an unauthenticated, specially crafted call to a Network File System (NFS) service. However, this vulnerability is not exploitable in NFSV2.0 or NFSV3.0. 

Quality and experience updates

The KB5014697 patch (build 22000.739) for Windows 11 gives users the option to personalize their background with Windows Spotlight wallpapers. Windows Spotlight already offers a rotating selection of wallpapers on the Windows 10 and Windows 11 lock screens, but it can now be enabled on the Windows 11 desktop as well. 

To enable Windows Spotlight wallpapers, users need to open the Settings app and go to Personalization > Background > Personalize your background, and then choose Windows spotlight. The feature will also add a desktop shortcut allowing users to learn more details about the current image and switch to another one. 

Windows Spotlight is now available as an option with the June 2022 Patch Tuesday updates

If you have set up a Microsoft Family to manage how your kids can use their devices, this update also improves the Family Safety verification experience when kids send a request for additional screen time. This month’s Patch Tuesday update also fixes an issue causing file copying to be slower than usual. 

60 vulnerabilities were fixed in the June 2022 Patch Tuesday updates

You can find the list of 60 CVEs included in the June 2022 Patch Tuesday updates below (via the Zero Day Initiative). We’ve already detailed the three critical vulnerabilities, but there are also 51 CVEs rated as important. 

CVE-2022-30163Remote Code ExecutionCritical
CVE-2022-30139Remote Code ExecutionCritical
CVE-2022-30136Remote Code ExecutionCritical
CVE-2022-30184Information DisclosureImportant
CVE-2022-30167Remote Code ExecutionImportant
CVE-2022-30193Remote Code ExecutionImportant
CVE-2022-29149Elevation of PrivilegeImportant
CVE-2022-30180Information DisclosureImportant
CVE-2022-30177Remote Code ExecutionImportant
CVE-2022-30178Remote Code ExecutionImportant
CVE-2022-30179Remote Code ExecutionImportant
CVE-2022-30137Elevation of PrivilegeImportant
CVE-2022-22018Remote Code ExecutionImportant
CVE-2022-29111Remote Code ExecutionImportant
CVE-2022-29119Remote Code ExecutionImportant
CVE-2022-30188Remote Code ExecutionImportant
CVE-2022-21123Information DisclosureImportant
CVE-2022-21125Information DisclosureImportant
CVE-2022-21127Information DisclosureImportant
CVE-2022-21166Information DisclosureImportant
CVE-2022-30164Security Feature BypassImportant
CVE-2022-30166Elevation of PrivilegeImportant
CVE-2022-30173Remote Code ExecutionImportant
CVE-2022-30154Elevation of PrivilegeImportant
CVE-2022-30159Information DisclosureImportant
CVE-2022-30171Information DisclosureImportant
CVE-2022-30172Information DisclosureImportant
CVE-2022-30174Remote Code ExecutionImportant
CVE-2022-30168Remote Code ExecutionImportant
CVE-2022-30157Remote Code ExecutionImportant
CVE-2022-30158Remote Code ExecutionImportant
CVE-2022-29143Remote Code ExecutionImportant
CVE-2022-30160Elevation of PrivilegeImportant
CVE-2022-30151Elevation of PrivilegeImportant
CVE-2022-30131Elevation of PrivilegeImportant
CVE-2022-30132Elevation of PrivilegeImportant
CVE-2022-30150Elevation of PrivilegeImportant
CVE-2022-30148Information DisclosureImportant
CVE-2022-30145Remote Code ExecutionImportant
CVE-2022-30142Remote Code ExecutionImportant
CVE-2022-30147Elevation of PrivilegeImportant
CVE-2022-30140Remote Code ExecutionImportant
CVE-2022-30165Elevation of PrivilegeImportant
CVE-2022-30155Denial of ServiceImportant
CVE-2022-30162Information DisclosureImportant
CVE-2022-30141Remote Code ExecutionImportant
CVE-2022-30143Remote Code ExecutionImportant
CVE-2022-30146Remote Code ExecutionImportant
CVE-2022-30149Remote Code ExecutionImportant
CVE-2022-30153Remote Code ExecutionImportant
CVE-2022-30161Remote Code ExecutionImportant
CVE-2022-30135Elevation of PrivilegeImportant
CVE-2022-30152Denial of ServiceImportant
CVE-2022-32230Denial of ServiceImportant
CVE-2022-22021Remote Code ExecutionModerate
CVE-2022-2007Remote Code ExecutionHigh
CVE-2022-2008Remote Code ExecutionHigh
CVE-2022-2010Remote Code ExecutionHigh

Internet Explorer 11 reaches and of support today

As you may already know, Internet Explorer also reaches end of support today, June 15, 2022. If Internet Explorer isn’t available on Windows 11, this announcement will affect all currently supported versions of Windows 10 Home, Pro, Enterprise, Education, and IoT. 

The legacy web browser won’t be immediately removed on all these versions of Windows today, but users will be progressively redirected to Microsoft Edge. Microsoft invites organizations to start using IE mode in Microsoft Edge, which will be supported through at least 2029. 

Microsoft will actually continue to support Internet Explorer 11 on Windows 10 LTSC releases (including IoT), all Windows Server versions, as well as Windows 10 China Government Edition, Windows 8.1, and Windows 7 with Extended Security Updates (ESUs). Still, Microsoft recommends using IE mode in Microsoft Edge, which will allow web developers to continue testing their sites for years to come.

Windows Update testing and best practices

Organizations looking to deploy this month’s patches should conduct thorough testing before deploying them widely on production systems. That said, applying the patches widely shouldn’t be delayed longer than necessary as hackers start to work out how to weaponize newly reported vulnerabilities.

A best practice is to make sure you have backed up systems before applying updates. Every month, users experience issues with Windows updates that lead to systems not booting, application and hardware compatibility issues, or even data loss in extreme cases.

There are backup tools built into Windows and Windows Server that you can use to restore systems in the event a patch causes a problem. The backup features in Windows can be used to restore an entire system, or files and folders on a granular basis.

If you have any problems with this month’s patches, please let us know in the comments below. Other readers might be able to share their experiences in how to roll back problematic updates or mitigate issues caused by patches that are important to have in place.