Administrators still facing the aftermath of the PrintNightmare bug will have to grapple with one of the larger Patch Tuesday releases this year.
For July Patch Tuesday, Microsoft released security updates for 116 unique CVEs, including three Windows zero-days and five public disclosures, a return to the three-digit totals that were common in 2020. Despite the large number of vulnerabilities, administrators can remove the most serious threats with little effort by applying the cumulative update to their Windows systems.
“The good news is that all three zero days and three out of five public disclosures are all in the operating system,” said Chris Goettl, senior director of product management for security products at Ivanti. “If administrators deal with the July OS update, they will address all of these bugs in a single update this month.”
Microsoft patches three Windows zero-days
Two of the three zero-days for July Patch Tuesday are elevation of privilege vulnerabilities. Attackers who have already gained a foothold in an environment typically use this kind of bug as the next step in an exploit chain to gain full system access.
CVE-2021-31979 is an elevation of privilege bug in the Windows kernel. The vulnerability is rated important and affects all supported Windows desktop and server systems. The bug also affects Windows Server 2008 / R2 and Windows 7 systems that have left extended support; Microsoft continues to correct security issues on these systems for customers who subscribe to the Extended Security Update program.
CVE-2021-33771 is another elevation of privilege vulnerability in the Windows kernel, also rated important. It differs from the other CVE in that it affects only desktop systems from Windows 8.1 onward and server systems from Windows Server 2012 onward.
After a successful phishing attempt has given them access to a user's device, a seasoned threat actor could use one of these elevation of privilege bugs in the attack chain to complete the takeover, Goettl said.
The third Windows zero-day is a scripting engine vulnerability (CVE-2021-34448) rated critical for all supported Windows systems. A user can trigger the exploit by clicking on malicious content hosted on a website, or by clicking a link in an email and then opening a specially crafted file.
“There are regular phishing attacks and then there are well-thought-out phishing attacks. 97% of users cannot identify a well-made phishing attack,” said Goettl.
Fixes delivered for the public disclosures
Two of the public disclosures address issues with the Active Directory platform, which handles user authentication and other resource access functions.
CVE-2021-33779 is an Active Directory Federation Services security feature bypass vulnerability rated important for Windows Server 2016 and later. The patch strengthens the encryption of the primary refresh tokens used for single sign-on with Azure Active Directory accounts.
CVE-2021-33781 is an Active Directory security feature bypass vulnerability rated important for Windows 10 and Windows Server 2019 and later. According to Microsoft, the update adds several security-related fixes and improvements, including revisions to the functionality behind user name and password checking.
The third publicly disclosed bug, CVE-2021-34492, is a Windows certificate spoofing vulnerability rated important that affects Windows 7 and later desktop systems and Windows Server 2008 and later servers.
“Pretending to the operating system that the certificate you are signing with is valid when it is not, so that you can bypass many security functions, is quite worrying,” said Goettl.
Several security vulnerabilities fixed for Exchange Server
After a brief respite last month, Microsoft’s on-premises messaging platform, Exchange Server, returned to the spotlight with fixes for seven security vulnerabilities. However, Microsoft’s notes indicate the company patched three of the bugs in April but did not add them to the Security Update Guide until this month. These bugs are:
- CVE-2021-33766 – an information disclosure vulnerability rated important for supported versions of Exchange Server.
- CVE-2021-34523 – an elevation of privilege vulnerability rated important for supported versions of Exchange Server. Information about this bug has been made public.
- CVE-2021-34473 – a remote code execution vulnerability rated critical for supported versions of Exchange. Information about this bug has been made public.
“This is an informational change only,” the company wrote in its release notes for the three CVEs. “Customers who have already installed the April 2021 update do not need to take any further action.”
The following CVEs are new to Exchange Server in April Patch Tuesday:
- CVE-2021-31206 is a remote code execution vulnerability rated important for supported versions of Exchange Server. This bug surfaced at the annual Pwn2Own competition in April. Goettl recommended that administrators prioritize this security update because of the exploit's visibility at the hacking event, which could have drawn the attention of threat actors.
- CVE-2021-31196 is a remote code execution vulnerability rated important for supported versions of Exchange.
- CVE-2021-33768 is an elevation of privilege vulnerability rated critical. Microsoft’s notes list the attack vector as adjacent, meaning an exploit cannot come directly from the Internet but must originate from a network or protocol bound to the target system, such as Bluetooth or a “secure VPN to an administrative network zone”.
- CVE-2021-34470 is an elevation of privilege bug with the same attack vector as CVE-2021-33768. Microsoft said that administrators managing Exchange Server 2016 or Exchange Server 2019 will see downloads for these versions in the June cumulative update because of a schema change.
Several Windows DNS server fixes issued
Administrators should also focus on deploying patches to all Domain Name System (DNS) servers in their environments immediately.
Microsoft released fixes for 13 CVEs related to this important server role. Of these, CVE-2021-33780 has one of the highest CVSS scores at 8.8 and carries an “Exploitation More Likely” rating. While the bug is classified as critical, it requires no user interaction and affects all supported Windows Server versions.
Many admins cannot wake up from PrintNightmare
Microsoft’s security team published two blog posts to clarify the PrintNightmare issue, the vulnerability for which the company released out-of-band updates on July 6 and July 7.
PrintNightmare is the name given to CVE-2021-34527, a remote code execution vulnerability in the Windows print spooler that affects all supported server and desktop systems, including Windows 7 and Windows Server 2008. The initial confusion came from IT professionals who conflated this vulnerability with another print spooler bug, CVE-2021-1675, which was fixed on June Patch Tuesday. Microsoft has published eight revisions of the PrintNightmare CVE and created a detailed FAQ section to clear up the misunderstandings.
“The security updates released on and after July 6, 2021 contain protections for a remote code execution exploit in the Windows print spooler service known as ‘PrintNightmare’ and documented in CVE-2021-34527 and CVE-2021-1675,” the company wrote.
Microsoft said applying the patch alone will not resolve the problem. Administrators must also ensure the following Windows registry settings are in place:
- HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint
- NoWarningNoElevationOnInstall = 0 (DWORD) or not defined (default setting)
- UpdatePromptSettings = 0 (DWORD) or not defined (default setting)
In addition to the registry settings, the company offered two workarounds: disable the Print Spooler service, or disable inbound remote printing through Group Policy. Either workaround disables printing functionality on the system.
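An added example, not from the original article or from Microsoft: a read-only PowerShell audit of the PrintNightmare mitigation state described above on a local Windows host, checking the two Point and Print registry values, the Print Spooler service state, and the Group Policy setting that disables inbound remote printing. It assumes the July 2021 or later cumulative update is already installed, and the name `Get-RegValueOrNull` is a helper defined here.

```powershell
# Added example, not from the original article: audit the PrintNightmare
# (CVE-2021-34527) mitigation state on the local Windows host after the
# July 2021 update. Run in an elevated PowerShell session; it only reads.
$PointAndPrint = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$PrintersKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'

# Helper defined for this example: returns a registry value or $null when the key or value is absent.
function Get-RegValueOrNull {
    param([string]$Path, [string]$Name)
    if (-not (Test-Path -Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

$findings = New-Object System.Collections.Generic.List[object]

# Microsoft's guidance: the update only protects the host if both Point and
# Print values are 0 or not defined (the default).
foreach ($name in 'NoWarningNoElevationOnInstall', 'UpdatePromptSettings') {
    $value = Get-RegValueOrNull -Path $PointAndPrint -Name $name
    if ($null -eq $value) { $shown = '(not defined)'; $status = 'OK' }
    elseif ($value -eq 0) { $shown = $value;          $status = 'OK' }
    else                  { $shown = $value;          $status = 'WEAKENS PATCH' }
    $findings.Add([pscustomobject]@{ Check = "PointAndPrint\$name"; Value = $shown; Status = $status })
}

# Workaround 1: Print Spooler service stopped or disabled.
$spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
if ($null -eq $spooler)                { $shown = '(not present)'; $status = 'OK (no spooler)' }
elseif ($spooler.Status -ne 'Running') { $shown = "$($spooler.Status)/$($spooler.StartType)"; $status = 'OK (printing disabled)' }
else                                   { $shown = "$($spooler.Status)/$($spooler.StartType)"; $status = 'RUNNING' }
$findings.Add([pscustomobject]@{ Check = 'Spooler service'; Value = $shown; Status = $status })

# Workaround 2: Group Policy "Allow Print Spooler to accept client connections"
# set to Disabled, which Windows stores as RegisterSpoolerRemoteRpcEndPoint = 2.
$remoteRpc = Get-RegValueOrNull -Path $PrintersKey -Name 'RegisterSpoolerRemoteRpcEndPoint'
if ($remoteRpc -eq 2) { $status = 'OK (remote printing disabled)' } else { $status = 'ALLOWED' }
$shown = $(if ($null -eq $remoteRpc) { '(not configured)' } else { $remoteRpc })
$findings.Add([pscustomobject]@{ Check = 'Inbound remote printing'; Value = $shown; Status = $status })

$findings | Format-Table -AutoSize
```

A host is only in the state Microsoft describes when both PointAndPrint rows show OK; the two workaround rows are informational unless one of the workarounds was chosen deliberately.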