Windows 7 and 8.1 Patch Tuesday updates are live, here's the complete changelog
by Abhay Venkatesh
Just like clockwork, Microsoft is today releasing cumulative updates to all supported Windows versions as part of its Patch Tuesday updates. These include Windows 10 versions that are fully supported – such as the three latest versions, and other SKUs that are supported for certain types of customers, along with Windows 8.1 and users that have opted for Windows 7 Extended Security Updates (ESUs).
While Windows 8.1 and 7 usually receive a single update a month, the firm released emergency updates for the PrintNightmare vulnerability earlier this month, which will also be bundled into these packages.
As is always the case with updates for Windows 8.1 and Windows 7, there are two types of updates. They are monthly rollup packages and security-only updates. While monthly rollups are automatically served through Windows Updates, security-only updates can be manually acquired from the Update Catalog and installed on systems.
For Windows 8.1 and the corresponding Windows Server release, the update is KB5004298, which can also be downloaded from the Update Catalog here. The improvements and fixes made in this update are as follows:
The security-only update for Windows 8.1 is served by KB5004285, which can be downloaded manually from here. The changelog is similar to that of the monthly rollup, bringing fixes for CVE-2021-33757 and removing the PerformTicketSignature setting. It also contains the single known issue found in the rollup.
The firm has listed one known issue that is common across both updates, which has been present for a long time. It is not clear when the renaming issue will be fixed. Here is the explanation of that issue provided by the company:
Certain operations, such as rename, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)”. This occurs when you perform the operation on a CSV owner node from a process that doesn’t have administrator privilege.
Do one of the following:
Perform the operation from a process that has administrator privilege.
Perform the operation from a node that doesn’t have CSV ownership.
Microsoft is working on a resolution and will provide an update in an upcoming release.
Windows 7 and Windows Server 2008 R2 SP1 users that have opted for ESUs will receive monthly rollup via KB5004289 that can be found for manual download here. The security-only update is KB5004307 which can be manually downloaded from here. The changelogs for both the monthly rollup and security-only update are identical to that of Windows 8.1, which is listed above.
The updates for Windows 7, however, have an additional known issue that might cause the update to fail. The rename bug in Cluster Shared Volume (CSV) folders affects this OS as well. Here is the changelog that details the additional issue:
After installing this update and restarting your device, you might receive the error, “Failure to configure Windows updates. Reverting Changes. Do not turn off your computer,” and the update might show as Failed in Update History.
This is expected in the following circumstances:
If you are installing this update on a device that is running an edition that is not supported for ESU. For a complete list of which editions are supported, see KB4497181.
If you do not have an ESU MAK add-on key installed and activated. If you have purchased an ESU key and have encountered this issue, please verify you have applied all prerequisites and that your key is activated. For information on activation, please see this blog post. For information on the prerequisites, see the "How to get this update" section of this article.
As usual, the monthly rollups will be served through Windows Update for supported devices. The security-only updates are to be manually pulled from the Update Catalog links.
Microsoft Weekly: Continued print nightmares, Windows 11 updates, and test builds
by Florin Bodnarescu
Yet another week has gone by, and as a consequence, another recap is in order. On this occasion, we’ll be covering the ongoing mitigations for the PrintNightmare flaw, additional Windows 11 news, and some Insider builds. You can find all the details about that, and more below, in your Microsoft digest for the week of July 4 – 10.
Continued print nightmares
If you checked for updates this week, you might’ve seen that Microsoft has pushed out a set of mandatory patches for the most recent versions of Windows 10 going back to 1809, as well as supported instances of Windows 7, 8.1, Server 2008, 2012, and others. This is to provide a fix for the RCE-allowing PrintNightmare flaw in the Print Spooler service.
According to some security researchers however, the fix above can be bypassed, though as per Microsoft itself, the bypass can only happen when folks are using modified registry values. The firm says that by default, the configuration of the registry entries in question is secure.
As part of the mitigation process, the functionality of Zebra printers has been broken, though the Redmond giant is working on a fix. We could be seeing yet another set of patches quite soon.
Windows 11 updates
Ever since the unveiling of Windows 11, a number of questions have remained, if not unanswered, at least not answered completely. One such question, concerning hardware support for TPM 2.0, was clarified a tad by OEMs this week.
Asus, Gigabyte, MSI, and others have published a list of hardware that’s set to be compatible with Windows 11 at launch. This hardware includes – covering both standalone components and those part of pre-built systems – AMD’s TRX40 and 300 motherboards, as well as Intel’s X299, C621, C232, C236 platforms, among others.
It’s important to stress that Microsoft is still testing the waters with support for 1st gen Ryzen and 7th gen Core chips, meaning that the currently published list isn’t the be all end all of supported hardware.
Speaking of support, even though the Redmond giant hasn’t come out to specifically state this, some of its OEMs have published FAQ pages outlining the fact that Windows 8 and 7 users will be able to upgrade to Windows 11. That said, in the case of the latter, it seems as if a clean install is required.
For folks trying out the test version of Windows 11, there’s a new Dev channel build, 22000.65, which brings the search box back to the Start menu, includes fixes for the PrintNightmare exploit, and adds a number of other quality of life improvements. Coincidentally or not, the firm has also kicked off its first Windows 11 bug bash.
Last but not least, if you’re running the Canary variant of Edge, you can now enable an “in-progress” visual refresh of the browser that brings it more in line with the design of Microsoft’s next major iteration of Windows. All you have to do is switch on the “Enable Windows 11 Visual Updates” under edge://flags.
In case you’ve signed up to be an Office Insider, you may start seeing the beginning of the rollout for a UI refresh meant to bring the productivity suite closer visually to Windows 11. If you see any updates available, and especially if you get v16.0.14301.20004, you could be presented with the new UI, though the rollout seems to be staggered at the moment.
In other UI and/or UX news, if you are one of the three people who bought a Surface Duo, and also happened to be a Skype Insider, support for split windows is now available on the dual-screen device. Though this is the consumer version we’re talking about, the timing seems a tad odd, with Microsoft prepped to sunset Skype for Business at the end of this month.
Last but not least, remaining on the subject of EOL and shuttering of solutions, Microsoft has suspended the beta for SQL Server on Windows Containers, instead recommending folks use Linux.
Dev channel
Microsoft is planning some improvements for Visual Studio Code, improvements aimed at Java devs.
The DoD has scrapped the $10B JEDI contract awarded to Microsoft, and will now award a revamped variant to the Redmond giant and Amazon instead.
The Cloud PC could be announced by Microsoft on July 15.
Teams is set to add the option to automatically delete meeting recordings from the cloud.
Microsoft will be handing out a $1,500 pandemic bonus to nearly all employees.
Logging off
We wrap things up with a look at a small selection of gaming news.
For one, UFC 4, Tropico 6, Farming Simulator 19, The Medium, and others have either already arrived (in the case of the first two) or will be arriving to Xbox Game Pass across console, PC, and Cloud. As is the case with subscriptions, Endless Space 2, Downwell, CrossCode, UFC, and UFC 2 will be leaving the subscription in mid-July.
Last but not least, we should mention that Dark Souls III now supports FPS Boost, bumping the framerate to 60FPS on Xbox Series X|S.
Microsoft: Our PrintNightmare patch is effective, you're just using Windows wrong
by Usama Jawad
The PrintNightmare exploit has been a constant headache for IT admins and Microsoft since its discovery last week. Due to the public availability of malicious code, its potential to trigger remote code execution (RCE) quite easily, and the fact that it affects virtually all versions of Windows, Microsoft awarded it a "high" severity score. While an out-of-band (OOB) update was released to fix the issue a couple of days ago, many security researchers are claiming that the patch is ineffective and can be quite easily bypassed. Now, the Redmond tech giant has released a statement emphasizing that the patch works as intended, as long as you are using default registry configurations.
Microsoft has been tracking the PrintNightmare exploit under CVE-2021-34527, and has been actively updating its guidance around the topic. Although numerous security researchers have publicly disclosed proof of triggering RCE and local privilege escalation (LPE) despite applying the patch, Microsoft claims that this is only because people are using modified registry values that result in an insecure configuration. The company says that:
In light of the above findings, Microsoft recommends that IT admins actively apply the patch and then review their registry settings. If they align with what is described in the company's advisory, you're all good. If they don't, you need to ensure that they comply with the official documentation.
It remains to be seen whether this justification is good enough for IT admins and security researchers. As usual, we will let you know as the situation develops.
Microsoft's patch for PrintNightmare vulnerability can be bypassed completely [Update]
by Abhay Venkatesh
Microsoft began rolling out a mandatory security patch for most supported Windows versions yesterday to fix the PrintNightmare vulnerability – a critical issue present in the Windows Print Spooler service tracked under CVE-2021-34527 that when exploited could allow for both remote code execution (RCE) and local privilege escalation (LPE). While yesterday’s update fixed the RCE exploit, the changelog did not mention any fixes for the LPE component.
Now, security researchers have begun reporting that the patch released yesterday can be bypassed, as it does not fix the problem with the Point and Print policy in Windows (which the firm initially said was not directly related), which can still be used to perform RCE and LPE. Researchers and experts tweeted proofs of concept (spotted by BleepingComputer) running on fully patched systems, showing how the patch could be completely bypassed to perform LPE. This was corroborated by another researcher from CERT, Will Dormann.
Considering that the zero-day vulnerability and its possible exploits have been widely shared in the wild, systems that have the Print Spooler service running might be at active risk of being compromised, especially those in enterprise setups that use the functions to remotely install printer drivers and updates. For now, though, the original workarounds of disabling the Print Spooler service or blocking inbound remote printing through Group Policy might be the best option to mitigate potential threats. While the changes do impact printing functionality, it is a faster fix and negates the need for admins to provision ineffective patches for their organization’s systems.
You can follow these steps to disable the Print Spooler service through PowerShell:
Open PowerShell as Administrator and run:
Stop-Service -Name Spooler -Force
Set-Service -Name Spooler -StartupType Disabled
Alternatively, you can block inbound remote printing through Group Policy using the following steps:
Open the Group Policy Editor
Head to Computer Configuration / Administrative Templates / Printers
Disable the “Allow Print Spooler to accept client connections:” policy
Currently, there is no word from Microsoft about the researchers’ findings, but it will not be surprising to know that the firm is already working on a patch for addressing the issues. It might help to also keep an eye out for updates on the MSRC page tracking the vulnerability.
Update: Microsoft has updated the MSRC listing noting that it is rolling out patches for Windows Server 2012, Windows Server 2016, and Windows 10, Version 1607. The firm adds that in order to secure the system, users "must confirm that the following registry settings are set to 0 or are not defined".
Interestingly, CERT researcher Dormann claims that the "NoWarningNoElevationOnInstall = 0 does NOT prevent exploitation". The firm is yet to address the reports from other security research firms as well.
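A read-only check of the two mitigations discussed above, added here as an example and not taken from the article or from Microsoft: it reports whether the Spooler service is stopped and disabled, and whether the Point and Print values MSRC asks admins to confirm are 0 or undefined. The registry path for the Point and Print policy and the companion value UpdatePromptSettings are assumptions; only NoWarningNoElevationOnInstall is named in the article.

```powershell
# Added example (not from the article or Microsoft). Run in an elevated PowerShell.
# Assumption: the Point and Print policy writes its values under this key.
$pnpKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$findings = @()

# 1. First workaround: is the Print Spooler service stopped and disabled?
$svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
if ($null -eq $svc) {
    $findings += 'Spooler service not present on this system'
} elseif ($svc.Status -ne 'Stopped' -or $svc.StartType -ne 'Disabled') {
    $findings += "Spooler is $($svc.Status) with start type $($svc.StartType)"
}

# 2. MSRC guidance: the values must be 0 or not defined at all.
# NoWarningNoElevationOnInstall comes from the article; UpdatePromptSettings
# is assumed to be the companion value under the same key.
foreach ($name in 'NoWarningNoElevationOnInstall', 'UpdatePromptSettings') {
    $value = (Get-ItemProperty -Path $pnpKey -Name $name -ErrorAction SilentlyContinue).$name
    if ($null -ne $value -and $value -ne 0) {
        $findings += "$name = $value (expected 0 or not defined)"
    }
}

if ($findings.Count -eq 0) {
    'OK: Spooler disabled and Point and Print values are at their defaults'
} else {
    $findings | ForEach-Object { "WARN: $_" }
}
```

The script changes nothing; it only reports the current state so an admin can compare it against the advisory before deciding whether to apply the workarounds.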
Microsoft provides further mitigations for PrintNightmare exploit, awards it "high" severity
by Usama Jawad
A couple of days ago, we learned of a new exploit called "PrintNightmare" which affects virtually all Windows devices. It makes use of the Windows Print Spooler service's unprotected functions to trigger remote code execution (RCE). The United States Cybersecurity and Infrastructure Security Agency (CISA) highlighted it as a critical vulnerability, with Microsoft actively investigating a fix. Now, the Redmond tech giant has provided more information on the matter.
PrintNightmare - which is being tracked under CVE-2021-34527 - has now been awarded a Common Vulnerability Scoring System (CVSS) base rating of 8.8. It is important to note that the CVSS v3.0 specification documentation defines this as a "high" severity vulnerability but it is dangerously close to the "critical" range which starts from 9.0. The base score can be a maximum of 10.0. Similarly, it currently has a temporal score of 8.2. The temporal score measures the current exploitability of a vulnerability based on a number of factors.
It is important to note that a similar vulnerability was fixed in June's Patch Tuesday update, but it had a CVSS base score of 7.8.
The base score is 8.8 because Microsoft has identified that the attack vector is at a network level, requires low attack complexity and privileges, does not involve user interaction, and can result in a "total loss" of confidentiality, integrity, and availability of an organization's resources. Meanwhile, the temporal score is 8.2 because functional exploit code is readily available on the internet and works across all versions of Windows, detailed reports about it exist, and some official remediation methods have been suggested.
Talking about mitigation techniques, we already know that Microsoft suggested disabling the Windows Print Spooler service or at least inbound remote printing through Group Policy. It has now also recommended that membership and nested group membership of some entities is checked. The company suggests that the number of members should be kept as low as possible, and should ideally be zero where possible. That said, it has cautioned that removing members from some of these groups may lead to compatibility issues. The groups in question are as follows:
Administrators
Domain Controllers
Read Only Domain Controllers
Enterprise Read Only Domain Controllers
Certificate Admins
Schema Admins
Enterprise Admins
Group Policy Admins
Power Users
System Operators
Print Operators
Backup Operators
RAS Servers
Pre-Windows 2000 Compatible Access
Network Configuration Operators Group Object
Cryptographic Operators Group Object
Local account and member of Administrators group
Microsoft has emphasized that a fix will be made available as soon as possible, but in the meantime, it has recommended that organizations make use of tooling like Microsoft Defender 365 to monitor potentially malicious activity. Although Point and Print is not directly related to this exploit, the Redmond tech giant has still suggested editing some registry values in order to harden your organization's local security infrastructure, and stated that print servers utilized by clients should be explicitly listed.
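One way to carry out the membership review Microsoft recommends above, added here as an example and not code from the article or from Microsoft: it counts direct and nested (recursive) members of the privileged groups so an admin can see which are not empty. It assumes the RSAT ActiveDirectory module and a domain-joined session with read access; the group names are the default Active Directory names for the groups the advisory lists, and groups that hold only well-known principals are reported rather than expanded.

```powershell
# Added example (not from the article or Microsoft). Requires the RSAT
# ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

# Default AD names for the groups named in the advisory (assumption: the article's
# wording is approximate, so a name that does not resolve is reported, not skipped).
$groups = @(
    'Administrators', 'Domain Controllers', 'Read-only Domain Controllers',
    'Enterprise Read-only Domain Controllers', 'Cert Publishers', 'Schema Admins',
    'Enterprise Admins', 'Group Policy Creator Owners', 'Server Operators',
    'Print Operators', 'Backup Operators', 'RAS and IAS Servers',
    'Pre-Windows 2000 Compatible Access', 'Network Configuration Operators',
    'Cryptographic Operators'
)

$report = foreach ($name in $groups) {
    $group = Get-ADGroup -Filter "Name -eq '$name'" -ErrorAction SilentlyContinue
    if (-not $group) {
        [pscustomobject]@{ Group = $name; Direct = $null; Nested = $null; Note = 'group not found' }
        continue
    }
    try {
        $direct = @(Get-ADGroupMember -Identity $group)
        # -Recursive flattens nested groups down to the leaf users and computers.
        $nested = @(Get-ADGroupMember -Identity $group -Recursive)
        $note = if ($nested.Count -eq 0) { 'empty (ideal)' } else { 'review members' }
        [pscustomobject]@{ Group = $name; Direct = $direct.Count; Nested = $nested.Count; Note = $note }
    } catch {
        # Groups holding well-known principals (e.g. Authenticated Users) cannot be
        # expanded by Get-ADGroupMember; flag them for a manual look instead.
        [pscustomobject]@{ Group = $name; Direct = $null; Nested = $null; Note = 'contains principals that cannot be expanded; review manually' }
    }
}

$report | Format-Table -AutoSize
```

As the article notes, trimming these groups can break compatibility, so the output is meant to drive a review, not an automated removal.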