Microsoft releases new patch for PrintNightmare, recommends immediate installation
by Usama Jawad
PrintNightmare is a vulnerability that Microsoft began publicly investigating in July. It makes use of the Windows Print Spooler service's unprotected functions to trigger remote code execution (RCE) through which an attacker can execute code under the guise of SYSTEM privileges. The firm awarded it a "high" vulnerability score and provided some mitigations a few weeks ago. A patch was also released but it turned out that it could still be bypassed. That said, the company downplayed the issue, and claimed that it only happens when people use unsupported registry values.
Today, Microsoft has released a new patch, which it says changes the default behavior of Point and Print on Windows since the current implementation does not meet the security needs of its customers. Moving forward, Point and Print driver installations and updates will require administrative privileges. This essentially means that all vulnerabilities related to the Windows Print Spooler service which have been publicly documented so far will be mitigated.
Microsoft has stated that this change will adversely affect non-admin users who were previously able to install and update these drivers. However, the company believes that the benefits far outweigh this inconvenience. The company has cautioned that IT admins who do not install this update, or who disable this mitigation, will remain exposed to PrintNightmare exploits. It is important to remember that PrintNightmare affects virtually all versions of Windows, which is why it is essential that this patch is installed as soon as possible. More information can be found in the company's security advisory for CVE-2021-34481.
Microsoft Weekly: Continued print nightmares, Windows 11 updates, and test builds
by Florin Bodnarescu
Yet another week has gone by, and as a consequence, another recap is in order. On this occasion, we’ll be covering the ongoing mitigations for the PrintNightmare flaw, additional Windows 11 news, and some Insider builds. You can find all the details about that, and more below, in your Microsoft digest for the week of July 4 – 10.
Continued print nightmares
If you checked for updates this week, you might’ve seen that Microsoft has pushed out a set of mandatory patches for the most recent versions of Windows 10 going back to 1809, as well as supported instances of Windows 7, 8.1, Server 2008, 2012, and others. This is to provide a fix for the RCE-allowing PrintNightmare flaw in the Print Spooler service.
According to some security researchers, however, the fix above can be bypassed, though as per Microsoft itself, the bypass can only happen when folks are using modified registry values. The firm says that by default, the configuration of the registry entries in question is secure.
As part of the mitigation process, the functionality of Zebra printers has been broken, though the Redmond giant is working on a fix. We could be seeing yet another set of patches quite soon.
Windows 11 updates
Ever since the unveiling of Windows 11, a number of questions have remained, if not unanswered, at least not answered completely. One such question, concerning hardware support for TPM 2.0, was clarified a tad by OEMs this week.
Asus, Gigabyte, MSI, and others have published a list of hardware that’s set to be compatible with Windows 11 at launch. This hardware includes – covering both standalone components and those part of pre-built systems – AMD’s TRX40 and 300 motherboards, as well as Intel’s X299, C621, C232, C236 platforms, among others.
It’s important to stress that Microsoft is still testing the waters with support for 1st gen Ryzen and 7th gen Core chips, meaning that the currently published list isn’t the be-all and end-all of supported hardware.
Speaking of support, even though the Redmond giant hasn’t come out to specifically state this, some of its OEMs have published FAQ pages outlining the fact that Windows 8 and 7 users will be able to upgrade to Windows 11. That said, in the case of the latter, it seems as if a clean install is required.
For folks trying out the test version of Windows 11, there’s a new Dev channel build, 22000.65, which brings the search box back to the Start menu, includes fixes for the PrintNightmare exploit, and adds a number of other quality-of-life improvements. Coincidentally or not, the firm has also kicked off its first Windows 11 bug bash.
Last but not least, if you’re running the Canary variant of Edge, you can now enable an “in-progress” visual refresh of the browser that brings it more in line with the design of Microsoft’s next major iteration of Windows. All you have to do is switch on the “Enable Windows 11 Visual Updates” under edge://flags.
In case you’ve signed up to be an Office Insider, you may start seeing the beginning of the rollout for a UI refresh meant to bring the productivity suite closer visually to Windows 11. If you see any updates available, and especially if you get v16.0.14301.20004, you could be presented with the new UI, though the rollout seems to be staggered at the moment.
In other UI and/or UX news, if you are one of the three people who bought a Surface Duo, and also happened to be a Skype Insider, support for split windows is now available on the dual-screen device. Though this is the consumer version we’re talking about, the timing seems a tad odd, with Microsoft prepped to sunset Skype for Business at the end of this month.
Last but not least, remaining on the subject of EOL and shuttering of solutions, Microsoft has suspended the beta for SQL Server on Windows Containers, instead recommending folks use Linux.
Microsoft is planning some improvements for Visual Studio Code, improvements aimed at Java devs.
The DoD has scrapped the $10B JEDI contract awarded to Microsoft, and will now award a revamped variant to the Redmond giant and Amazon instead.
The Cloud PC could be announced by Microsoft on July 15.
Teams is set to add the option to automatically delete meeting recordings from the cloud.
Microsoft will be handing out a $1,500 pandemic bonus to nearly all employees.
Logging off
We wrap things up with a look at a small selection of gaming news.
For one, UFC 4, Tropico 6, Farming Simulator 19, The Medium, and others have either already arrived (in the case of the first two) or will be arriving to Xbox Game Pass across console, PC, and Cloud. As is the case with subscriptions, Endless Space 2, Downwell, CrossCode, UFC, and UFC 2 will be leaving the subscription in mid-July.
Last but not least, we should mention that Dark Souls III now supports FPS Boost, bumping the framerate to 60FPS on Xbox Series X|S.
Microsoft: Our PrintNightmare patch is effective, you're just using Windows wrong
by Usama Jawad
The PrintNightmare exploit has been a constant headache for IT admins and Microsoft since its discovery last week. Due to the public availability of malicious code, its potential to trigger remote code execution (RCE) quite easily, and the fact that it affects virtually all versions of Windows, Microsoft awarded it a "high" severity score. While an out-of-band (OOB) update was released to fix the issue a couple of days ago, many security researchers are claiming that the patch is ineffective and can be quite easily bypassed. Now, the Redmond tech giant has released a statement emphasizing that the patch works as intended, as long as you are using default registry configurations.
Microsoft has been tracking the PrintNightmare exploit under CVE-2021-34527, and has been actively updating its guidance around the topic. Although numerous security researchers have publicly disclosed proof of triggering RCE and local privilege escalation (LPE) despite applying the patch, Microsoft claims that this is only because people are using modified registry values that result in an insecure configuration. The company says that:
In light of the above findings, Microsoft recommends that IT admins actively apply the patch and then review their registry settings. If they align with what is described in the company's advisory, you're all good. If they don't, you need to ensure that they comply with the official documentation.
It remains to be seen whether this justification is good enough for IT admins and security researchers. As usual, we will let you know as the situation develops.
Microsoft provides further mitigations for PrintNightmare exploit, awards it "high" severity
by Usama Jawad
A couple of days ago, we learned of a new exploit called "PrintNightmare" which affects virtually all Windows devices. It makes use of the Windows Print Spooler service's unprotected functions to trigger remote code execution (RCE). The United States Cybersecurity and Infrastructure Security Agency (CISA) highlighted it as a critical vulnerability, with Microsoft actively investigating a fix. Now, the Redmond tech giant has provided more information on the matter.
PrintNightmare - which is being tracked under CVE-2021-34527 - has now been awarded a Common Vulnerability Scoring System (CVSS) base rating of 8.8. It is important to note that the CVSS v3.0 specification documentation defines this as a "high" severity vulnerability but it is dangerously close to the "critical" range which starts from 9.0. The base score can be a maximum of 10.0. Similarly, it currently has a temporal score of 8.2. The temporal score measures the current exploitability of a vulnerability based on a number of factors.
It is important to note that a similar vulnerability was fixed in June's Patch Tuesday update, but it had a CVSS base score of 7.8.
The base score is 8.8 because Microsoft has identified that the attack vector is network-level, the attack complexity and required privileges are low, no user interaction is involved, and a successful attack can result in a "total loss" of confidentiality, integrity, and availability of an organization's resources. Meanwhile, the temporal score is 8.2 because functional exploit code is readily available on the internet and works across all versions of Windows, detailed reports about it exist, and some official remediation methods have been suggested.
Talking about mitigation techniques, we already know that Microsoft suggested disabling the Windows Print Spooler service or at least inbound remote printing through Group Policy. It has now also recommended that membership and nested group membership of some entities is checked. The company suggests that the number of members should be kept as low as possible, and should ideally be zero where possible. That said, it has cautioned that removing members from some of these groups may lead to compatibility issues. The groups in question are as follows:
Administrators
Domain Controllers
Read Only Domain Controllers
Enterprise Read Only Domain Controllers
Certificate Admins
Schema Admins
Enterprise Admins
Group Policy Admins
Power Users
System Operators
Print Operators
Backup Operators
RAS Servers
Pre-Windows 2000 Compatible Access
Network Configuration Operators Group Object
Cryptographic Operators Group Object
Local account and member of Administrators group
Microsoft has emphasized that a fix will be made available as soon as possible, but in the meantime, it has recommended that organizations make use of tooling like Microsoft Defender 365 to monitor potentially malicious activity. Although Point and Print is not directly related to this exploit, the Redmond tech giant has still suggested editing some registry values in order to harden your organization's local security infrastructure, and stated that print servers utilized by clients should be explicitly listed.
Microsoft is investigating a critical Windows Print Spooler exploit called PrintNightmare
by Usama Jawad
Microsoft releases a bunch of security updates for its software each month, but sometimes, bugs still slip through the cracks and are publicly reported. This has happened once again as the United States Cybersecurity and Infrastructure Security Agency (CISA) has highlighted a critical Windows Print Spooler vulnerability that Microsoft is actively investigating.
The exploit is known as "PrintNightmare" in cybersecurity spheres and CISA has described it as critical as it can lead to remote code execution (RCE). The CERT Coordination Center is tracking it under VU#383432 and explains that the problem happens because the Windows Print Spooler service does not restrict access to the RpcAddPrinterDriverEx() function, which means that an attacker who has been remotely authenticated can utilize it to run arbitrary code. This arbitrary code execution takes place under the guise of SYSTEM.
For reference, the problematic function in question is typically used to install printer drivers. However, since remote access is unrestricted, this means that a motivated attacker can make it point to a driver on a remote server, making an infected machine execute arbitrary code with SYSTEM privileges.
It is important to note that Microsoft fixed a related issue with CVE-2021-1675 in June's Patch Tuesday update, but the latest development is not covered by the fix. The company says that it is actively investigating the issue and has suggested two workarounds for Domain Admins. The first one is disabling the Windows Print Spooler service, but this means that printing will be disabled both locally and remotely. The second one involves disabling inbound remote printing through Group Policy. This will restrict remote printing but local printing will still work fine.
The vulnerability is being tracked by Microsoft under CVE-2021-34527. The company has explicitly stated that the problematic code in question is present in all versions of Windows but it is still investigating if it is exploitable across all versions as well. That said, since the issue is being actively investigated, Microsoft hasn't awarded it a vulnerability score yet but has marked it as "critical" as well. It is notable that code to trigger the exploit has already been published on the internet by multiple entities in the past couple of days, so it is essential that Domain Admins apply the June Patch Tuesday update to partially protect their organization, and at least disable remote printing via Group Policy as well.