July is another bumper month for Microsoft as they ship fixes for 117 security vulnerabilities, 13 of them rated as critical and at least 4 are currently under active attack by cyber criminals.
The actively exploited vulnerabilities patched this month are:
CVE-2021-34527 – Windows Print Spooler RCE Vulnerability – aka PrintNightmare
It’s third time lucky for Microsoft as they address this vulnerability again while trying to wrangle legacy code onto a modern security footing. Even so, according to Microsoft, it is possible to configure the patched spooler in such a way that it: ‘makes your system vulnerable by design’
The remote code execution vulnerability is due to the Print Spooler’s ability to automatically install printer drivers when a user tries to connect to a printer where a suitable driver is not already installed. However, the Windows Print Spooler can be easily tricked to install any DLL, from any accessible (remote) server and it installs that DLL with SYSTEM privilege.
The security patch changes this behaviour by requiring Admin credentials to grant permission for unsigned printer drivers to be installed on a printer server which is hoped will prevent users from being tricked into installing malicious printer drivers.
In order for the protections to be active, Microsoft warns:
In addition to installing the updates, in order to secure your system, you must confirm that the following registry settings are set to 0 (zero) or are not defined (Note: These registry keys do not exist by default, and therefore are already at the secure setting.), also that your
Group Policy setting are correct (see FAQ):
- HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint
- NoWarningNoElevationOnInstall = 0 (DWORD) or not defined (default setting)
- UpdatePromptSettings = 0 (DWORD) or not defined (default setting)
Having NoWarningNoElevationOnInstall set to 1 makes your system vulnerable by design.
CVE-2021-34448 – Scripting Engine Memory Corruption Vulnerability
This is a flaw the scripting engine that is part of every supported version of Windows Server and Desktop editions. It enables an attacker to remotely execute code on the target system and has been observed exploited in the wild.
Both these flaws are being targeted by criminals for exploitation – being used as part of an attack chain. Once access has been obtained to an ordinary user account, attackers can use these vulnerabilities to grant themselves Admin rights which means they can install software and move around the network.