August sees Microsoft release the smallest number of security fixes for its products so far this year. In fact, it’s the smallest batch since December 2019. In addition to new bug fixes for the Windows Print Spooler service and NTLM, there are also changes in the default Point and Print driver installation behavior.
Recurring PrintNightmare?
Following on from PrintNightmare in July, Microsoft issued a patch for a remote code execution vulnerability in the Windows Print Spooler. According to Trend Micro’s Dustin Childs, who works on the Zero Day Initiative, it isn’t clear whether this bug is a variant of PrintNightmare or a unique vulnerability that can be exploited in its own right.
“There are quite a few print spooler bugs to keep track of. Either way, attackers can use this to execute code on affected systems. Microsoft does state low privileges are required, so that should put this in the non-wormable category, but you should still prioritize testing and deployment of this Critical-rated bug.”
Microsoft says that this month’s patch should address all publicly known security issues with the Windows Print Spooler service.
New Point and Print default driver installation behavior
Furthermore, Microsoft released a change in this month’s quality update for Windows that will require users to have administrative privileges to install print drivers, altering the default Point and Print driver installation behavior.
Microsoft says that non-administrative users can no longer install new printers using drivers on remote servers or update existing print drivers from remote servers without elevating to administrator privileges. This change doesn’t affect organizations that aren’t using Point and Print.
Organizations can change the new default behavior so that Point and Print users aren’t required to have admin privileges, but this isn’t recommended by Microsoft. You can find more details on Microsoft’s website here.
Microsoft recommends using one of the following methods to allow users to install print drivers using Point and Print with the new default driver installation setting in place:
- Provide an administrator username and password when prompted for credentials when attempting to install a printer driver.
- Include the necessary printer drivers in the OS image.
- Use Microsoft System Center, Microsoft Endpoint Configuration Manager, or an equivalent tool to remotely install printer drivers.
- Temporarily set the RestrictDriverInstallationToAdministrators registry value to 0 to install printer drivers.
Organizations that cannot use the new Point and Print default driver installation setting should use Group Policy to restrict drivers to install from trusted Point and Print servers and/or trusted Package Point and Print servers. But neither of these mitigations, used separately or together, provide the same protection as sticking to the new default Point and Print driver installation behavior.
For a full breakdown of the changes to Point and Print in this month’s update, check out Microsoft’s website here.
More protection against PetitPotam NTLM relay attack
Microsoft released a fix for CVE-2021-36942, a Windows LSA spoofing vulnerability. The fix blocks the LSARPC interface, potentially impacting organizations still running Windows Server 2008 SP2 that use the Encrypted File System (EFS).
You should apply the fix to domain controllers first and then follow the instructions in KB5005413 to mitigate attacks on servers with the Active Directory Certificate Services (AD CS) Certificate Authority Web Enrollment and Certificate Enrollment Web Service installed.
Windows Update gets patched
Microsoft discovered and patched a zero-day elevation of privilege flaw in the Windows Update Medic Service. Update Medic repairs broken Windows Update components so that a Windows 10 device can continue to receive patches.
The bug could let an attacker, who is logged in to an affected device, run malicious code to escalate privileges. Microsoft hasn’t revealed how widespread the attacks are, so you should consider patching your systems as the technique becomes more prevalent.
Remote Desktop Client vulnerability
CVE-2021-34535 is a bug in the RDP client, which if exploited, could let an attacker take over a system if they persuade a user to connect to a malicious RDP server. Dustin Childs says:
“On Hyper-V servers, a malicious program running in a guest VM could trigger guest-to-host RCE by exploiting this vulnerability in the Hyper-V Viewer. This is the more likely scenario and the reason you should test and deploy this patch quickly.”
TCP/IP network stack critical bug
And finally this month, Microsoft patched a critical bug in the Windows TCP/IP component. Microsoft isn’t aware of exploits in the wild, but the bug is likely to be exploited quickly, so you should consider patching your systems as soon as possible.
And on that note, it’s worth remembering that there are also patches for the Microsoft Office desktop apps and Adobe apps this month. But before you update your systems, make sure that you have a working and tested backup that can use to restore devices and servers should any of the updates cause a problem.