There’s been lots of excitement around the recently announced print spooler vulnerability CVE-2021-34527, commonly referred to as PrintNightmare. The excitement stems from the fact that this vulnerability has a CVSS score of 8.8, is present in ALL Windows operating systems, has been publicly disclosed with known exploits, and allows an attacker to easily execute remote code with system privileges.
This vulnerability comes from functionality that allows users to install printer drivers on their systems. The good news is that Microsoft quickly released out-of-band security updates this week for most operating systems. Updates are available for Windows 7 and Server 2008/2008 R2 if you have an Extended Security Update (ESU) subscription.
They also provided a support article on how the updates work and some additional configuration options. The bad news is that you need to disable the print spooler or disable inbound remote printing on systems that you can’t update. If you disable the print spooler you won’t be able to print at all; if you disable the inbound printing you will only be able to print on directly attached devices.
Microsoft provides instructions for both workaround options with the vulnerability article referenced above. Note that this vulnerability is new and not associated with the print spooler fix for CVE-2021-1675 which was released last month.
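The two workarounds described above can be audited and applied from an elevated PowerShell session. The script below is an added example, not code from the original post or from Microsoft; it assumes the policy registry values that back the Group Policy setting “Allow Print Spooler to accept client connections” (RegisterSpoolerRemoteRpcEndPoint, where 2 means disabled) and the Point and Print driver-installation restriction (RestrictDriverInstallationToAdministrators) as documented in Microsoft’s CVE-2021-34527 guidance. Run it with no arguments to report the current state; pass -Mode DisableSpooler or -Mode DisableRemote to apply the corresponding workaround.

```powershell
# Added example (not from the original post): audit a host's print spooler exposure
# and, on request, apply one of the two Microsoft workarounds for CVE-2021-34527.
# Requires an elevated PowerShell session. Registry names are those behind the
# Group Policy settings in Microsoft's guidance (assumption stated in the lead-in).
[CmdletBinding()]
param(
    # 'Audit' only reports; 'DisableSpooler' stops printing entirely;
    # 'DisableRemote' keeps local printing but blocks inbound remote printing.
    [ValidateSet('Audit', 'DisableSpooler', 'DisableRemote')]
    [string]$Mode = 'Audit'
)

$printersPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$pointAndPrint  = Join-Path $printersPolicy 'PointAndPrint'

function Get-SpoolerExposure {
    # Collect the service state plus the two policy values that matter for this issue.
    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $remote = (Get-ItemProperty -Path $printersPolicy -Name RegisterSpoolerRemoteRpcEndPoint `
                -ErrorAction SilentlyContinue).RegisterSpoolerRemoteRpcEndPoint
    $restrict = (Get-ItemProperty -Path $pointAndPrint -Name RestrictDriverInstallationToAdministrators `
                -ErrorAction SilentlyContinue).RestrictDriverInstallationToAdministrators
    [pscustomobject]@{
        ComputerName          = $env:COMPUTERNAME
        SpoolerStatus         = if ($svc) { $svc.Status.ToString() } else { 'NotInstalled' }
        SpoolerStartType      = if ($svc) { $svc.StartType.ToString() } else { 'NotInstalled' }
        # 2 = inbound remote printing disabled; 1 = enabled; empty = not configured (default allows it)
        RemoteRpcEndPoint     = $remote
        # 1 = only administrators may install printer drivers; empty = not configured
        RestrictDriverInstall = $restrict
        # A running spooler with no remote restriction is the exposed configuration.
        InboundPrintingExposed = ($svc -and $svc.Status -eq 'Running' -and $remote -ne 2)
    }
}

function Set-SpoolerWorkaround {
    param([ValidateSet('DisableSpooler', 'DisableRemote')][string]$Workaround)
    switch ($Workaround) {
        'DisableSpooler' {
            # Workaround 1: stop the service and keep it from starting again (no printing at all).
            Stop-Service -Name Spooler -Force
            Set-Service  -Name Spooler -StartupType Disabled
        }
        'DisableRemote' {
            # Workaround 2: same effect as setting the Group Policy
            # "Allow Print Spooler to accept client connections" to Disabled.
            # Local printing to directly attached devices keeps working.
            New-Item -Path $printersPolicy -Force | Out-Null
            Set-ItemProperty -Path $printersPolicy -Name RegisterSpoolerRemoteRpcEndPoint -Value 2 -Type DWord
            # The spooler reads this policy at start-up, so it must be restarted.
            Restart-Service -Name Spooler -Force
        }
    }
}

Write-Host "Print spooler exposure before changes:"
Get-SpoolerExposure | Format-List

if ($Mode -ne 'Audit') {
    Set-SpoolerWorkaround -Workaround $Mode
    Write-Host "Print spooler exposure after applying '$Mode':"
    Get-SpoolerExposure | Format-List
}
```

The InboundPrintingExposed field is the one to collect across a fleet: any host where it is True still accepts remote print requests and should either receive this week’s update or one of the two workarounds. Systems that receive the update can have the DisableRemote policy removed again, but keep the spooler disabled on servers that never need to print.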
The trend of high-profile ransomware attacks continued this month with the announcement of malware in Kaseya’s VSA product. Like the SolarWinds security incident earlier this year, Kaseya suffered a supply chain attack, meaning that malware was introduced into the VSA product via a vulnerability and was distributed to their customers during a normal software update. The distributed ransomware is suspected to be the work of REvil (Ransomware Evil), which has demanded $70M in Bitcoin ransom to unlock the files of all the impacted customers.
This is just another example that software companies must adopt strong software development lifecycle (SDLC) practices and remain vigilant in testing and securing their product; likewise, all companies should have some form of endpoint defense against ransomware. Defending against modern ransomware requires multiple technologies working together.
Adopting a strategy like Zero Trust provides organizations with a roadmap to mature how they are securing their data. A staple in any security framework would be to keep known vulnerabilities minimized with an aggressive software update/patch management program.
Microsoft addressed a much smaller set of vulnerabilities across all operating systems the last two Patch Tuesdays. For example, there were only 26 CVEs addressed in the Windows 10 updates each month. We’ll see if that trend continues this month. Windows 10 21H1, released on May 18, now bundles the servicing stack update (SSU) and the latest cumulative update (LCU) into a single package. Microsoft has mentioned in several articles that they may combine the SSUs with other LCUs, possibly going as far back as Server 2016. We’ll need to keep an eye out for that as well.
And finally, Windows 11 was officially announced on June 24th. We’ll find out more about this new operating system in upcoming months with a scheduled release around the holiday season, but one comment of interest was “Windows 11 will be updated annually with 24 months of support for Home or Pro editions, and 36 months of support for Enterprise and Education editions”. Just as we dropped three of the Windows 10 versions in May, we’ll soon be adding an entirely new operating system in Windows 11.
July 2021 Patch Tuesday forecast
- The summer vacation months are upon us, so I predict the number of CVEs addressed this month will remain low. In addition to the regular supported operating systems, the Extended Security Updates (ESUs) for Windows 7 and Server 2008/2008 R2 will be released as usual. Internet Explorer updates should show up again this month, as it appears to be getting more attention from Microsoft of late.
- We haven’t seen a SQL Server or .NET Framework set of updates for several months, so be on the lookout for them.
- Adobe released the APSB21-51 prenotification for Acrobat and Reader, so be prepared for that release on Patch Tuesday.
- Apple released their last major security updates back in May, so we could see a few new updates next week from Apple.
- Google released a stable channel update for Chrome to 91.0.4472.147 on June 30th, so don’t expect a security release next week.
- Mozilla is due for Firefox and Thunderbird security updates and I think they will surface next week.
Carefully consider starting your patch cycle early this month and apply the latest Microsoft updates to protect your systems from the PrintNightmare vulnerability exploitation. Expect another small set of vulnerabilities addressed this month by Microsoft but pay special attention if we have some zero-days in the list. In addition to the vendors I mentioned, don’t forget that Oracle will have their quarterly Critical Patch Updates release on July 20.