Microsoft’s August security patch bundle fixes 44 vulnerabilities – Redmondmag.com
Microsoft released August security updates on Tuesday to address 44 common vulnerabilities and exposures (CVEs) in various Microsoft software products.
The August tally includes seven vulnerabilities that Microsoft rates “Critical”; the rest are rated “Important”. Microsoft summarizes affected products and “known issues” with the fixes in its August “Release Notes” document, and catalogs each fix, with a standard description, in its August “Security Update Guide”.
The number of patches this month is relatively low. Dustin Childs of Trend Micro’s Zero Day Initiative attributed the smaller package to the time Microsoft spent in July on the “PrintNightmare and PetitPotam” issues, in this Zero Day Initiative post.
Two of the vulnerabilities (CVE-2021-36936 and CVE-2021-36942) were publicly known before the August patches shipped, and one (CVE-2021-36948) was reported as exploited in the wild before its patch was released. Publicly disclosed and actively exploited vulnerabilities deserve priority in any patching plan.
The exploited zero-day
The only exploited vulnerability (CVE-2021-36948) is rated just “Important” by Microsoft, with a Common Vulnerability Scoring System (CVSS) score of 7.8 out of 10. It is an elevation-of-privilege vulnerability in the Windows Update Medic Service, a relatively new service in Windows 10 and Windows Server 2019.
The Windows Update Medic Service repairs damaged Windows Update components. The flaw is easy to exploit, according to Jay Goodman, director of product marketing at security vendor Automox, in Automox’s “Patch Tuesday” commentary:
Exploitation [of CVE-2021-36948] is both uncomplicated and requires no user interaction, making it an easy vulnerability to include in an adversary’s toolkit. To make matters worse, remote code execution vulnerabilities are particularly problematic because they allow attackers to execute malicious code on exploited systems.
Microsoft itself discovered the zero-day in the Windows Update Medic Service, according to Satnam Narang, a research engineer at security vendor Tenable, by email.
“It [CVE-2021-36948] was reported internally by Microsoft’s security research teams and is the only vulnerability patched this month that has been exploited in the wild as a zero-day,” Narang said.
Of the two publicly known vulnerabilities, one is a Windows LSA spoofing vulnerability (CVE-2021-36942) that Microsoft rates only “Important” even though it carries a CVSS score of 9.8. Childs described this patch as “additional protection against NTLM relay attacks” associated with the PetitPotam technique.
The PetitPotam NTLM relay scenario was the subject of Microsoft security advisory ADV210003 in late July, and Microsoft described the mitigation steps in Knowledge Base article KB5005413. Organizations potentially affected are those with “servers on which Active Directory Certificate Services (AD CS) is not configured with protections against NTLM relay attacks,” the Knowledge Base article explains.
Childs recommended that you apply the August CVE-2021-36942 patch and follow Microsoft’s advice in its July advisory and KB article:
You’ll need to apply this patch to your domain controllers first and then follow the additional instructions in ADV210003 and KB5005413. This has been a recurring problem since 2009, and it’s probably not the last we’ll hear about this persistent issue.
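As an added illustration of the KB5005413 hardening (this is not code from the article, from Childs or from Microsoft), the PowerShell below audits, and with -Enforce applies, the two settings the KB calls for on the AD CS Web Enrollment IIS application: Extended Protection for Authentication set to Required, and SSL required. The site path IIS:\Sites\Default Web Site\CertSrv is an assumption matching a default install; a Certificate Enrollment Web Service (CES) application lives under a different path and needs the same treatment. KB5005413 also offers disabling NTLM on the AD CS server as a stronger alternative, which this script does not do.

```powershell
# Added example, not Microsoft's or the article's code.
# Audits (and with -Enforce, applies) the KB5005413 settings for the AD CS
# Web Enrollment application. Run elevated on the CA web server.
# ASSUMPTION: Web Enrollment is mounted at the default path below.
[CmdletBinding()]
param(
    [string]$SitePath = 'IIS:\Sites\Default Web Site\CertSrv',
    [switch]$Enforce
)

Import-Module WebAdministration -ErrorAction Stop

$epFilter  = 'system.webServer/security/authentication/windowsAuthentication/extendedProtection'
$sslFilter = 'system.webServer/security/access'

# Get-WebConfigurationProperty returns either a bare value or a
# ConfigurationAttribute object depending on the attribute; normalize both.
function Get-IisValue([string]$Filter, [string]$Name) {
    $v = Get-WebConfigurationProperty -PSPath $SitePath -Filter $Filter -Name $Name
    if ($null -ne $v -and $null -ne $v.Value) { return [string]$v.Value }
    return [string]$v
}

$tokenChecking = Get-IisValue $epFilter 'tokenChecking'   # None | Allow | Require
$sslFlags      = Get-IisValue $sslFilter 'sslFlags'       # contains 'Ssl' when SSL is required

# EPA binds the NTLM exchange to the TLS channel, so a relayed handshake fails
# the channel-binding check. "Require" is what KB5005413 asks for; "Allow"
# still accepts clients that send no channel binding, which includes a relay.
$epaOk = $tokenChecking -eq 'Require'
$sslOk = $sslFlags -match '\bSsl\b'

[pscustomobject]@{
    Path               = $SitePath
    ExtendedProtection = $tokenChecking
    SslFlags           = $sslFlags
    MitigatesRelay     = ($epaOk -and $sslOk)
} | Format-List

if ($Enforce) {
    if (-not $epaOk) {
        Set-WebConfigurationProperty -PSPath $SitePath -Filter $epFilter -Name tokenChecking -Value 'Require'
    }
    if (-not $sslOk) {
        # Keep any existing flags (e.g. SslNegotiateCert) and add Ssl.
        $newFlags = if ($sslFlags -and $sslFlags -ne 'None') { "$sslFlags,Ssl" } else { 'Ssl' }
        Set-WebConfigurationProperty -PSPath $SitePath -Filter $sslFilter -Name sslFlags -Value $newFlags
    }
    Write-Host 'Applied KB5005413 settings; run iisreset for them to take effect.'
}
```

Run it without -Enforce first on each CA web server and look at MitigatesRelay; only EPA = Require together with SSL actually breaks the relay, because channel binding has nothing to bind to over plain HTTP.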
The other publicly known vulnerability, CVE-2021-36936, is in the Windows print spooler, potentially allowing remote code execution (RCE) attacks. It is rated Critical (CVSS 8.8) and is another patch for the Windows Print Spooler, which received patches in July for the so-called “PrintNightmare” vulnerabilities.
Narang noted that there are several Windows print spooler fixes in Microsoft’s August security patch bundle:
Two of the three print spooler vulnerabilities patched this month, CVE-2021-36947 and CVE-2021-36936, are classified as “Exploitation More Likely” according to Microsoft’s exploitability index. CVE-2021-36936 is also identified as publicly disclosed, implying that this is one of the additional vulnerabilities discovered by researchers since PrintNightmare was first disclosed. Due to the ubiquitous nature of the Windows print spooler within networks, organizations should prioritize fixing these flaws as soon as possible.
Point and Print behavior change
Point and Print is a long-standing Windows feature that lets users connect to a network printer and have the print server supply the required driver and configuration files automatically, rather than locating and installing them by hand. Microsoft acknowledged in a Microsoft Security Response Center announcement on Tuesday that the feature lacked the necessary security protections.
To address PrintNightmare, Microsoft has changed the default behavior of Point and Print. With the August fixes installed, only administrators will be able to install new printers or update printer drivers from a remote print server via Point and Print.
The August security update makes this change with its default settings, the announcement explains:
Installing this update with the default settings will mitigate publicly documented vulnerabilities in the Windows Print Spooler service. This change will take effect with the installation of security updates released on August 10, 2021 for all supported versions of Windows, and is documented as CVE-2021-34481.
CVE-2021-34481 is actually a July patch, according to Childs.
Organizations that need to revert to the old Point and Print default (which Microsoft does not recommend) can follow KB5005652, which describes the registry change involved.
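As an added example (not Microsoft’s code, nor the article’s), this PowerShell reads the Point and Print policy values that KB5005652 and the July CVE-2021-34527 guidance concern, reports whether the host is still on the hardened August default, and can set the restriction either way. The key and value names are the ones documented in KB5005652; treating an absent RestrictDriverInstallationToAdministrators value as 1 (the post-August default) is this script’s assumption, matching Microsoft’s description of the new default.

```powershell
# Added example; not from the article or from Microsoft.
# Audits and optionally sets the Point and Print restriction the August 2021
# update introduced (RestrictDriverInstallationToAdministrators, KB5005652).
$PointAndPrintKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

function Get-PointAndPrintPosture {
    [CmdletBinding()]
    param([string]$Path = $PointAndPrintKey)

    $props = if (Test-Path $Path) { Get-ItemProperty -Path $Path } else { $null }

    # Read a DWORD policy value, falling back to the documented default when
    # the value (or the whole key) is absent.
    function Read-Dword([string]$Name, [int]$Default) {
        if ($null -ne $props -and $null -ne $props.$Name) { return [int]$props.$Name }
        return $Default
    }

    # ASSUMPTION (per KB5005652): a missing value behaves as 1 after the August update.
    $restrict  = Read-Dword 'RestrictDriverInstallationToAdministrators' 1
    # These two come from the CVE-2021-34527 guidance; 0 keeps the elevation prompts.
    $noWarn    = Read-Dword 'NoWarningNoElevationOnInstall' 0
    $updPrompt = Read-Dword 'UpdatePromptSettings' 0

    [pscustomobject]@{
        RestrictDriverInstallationToAdministrators = $restrict
        NoWarningNoElevationOnInstall              = $noWarn
        UpdatePromptSettings                       = $updPrompt
        SpoolerStatus                              = (Get-Service -Name Spooler).Status
        # Hardened only if driver installs are admin-only AND the prompts are not suppressed.
        Hardened = ($restrict -eq 1 -and $noWarn -eq 0 -and $updPrompt -eq 0)
    }
}

function Set-PointAndPrintRestriction {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][ValidateSet(0, 1)][int]$Value,
        [string]$Path = $PointAndPrintKey
    )
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    if ($PSCmdlet.ShouldProcess($Path, "Set RestrictDriverInstallationToAdministrators=$Value")) {
        # 0 reverts to the pre-August behavior, which Microsoft does not recommend.
        Set-ItemProperty -Path $Path -Name RestrictDriverInstallationToAdministrators -Value $Value -Type DWord
    }
}

Get-PointAndPrintPosture | Format-List
# To re-harden a host someone has reverted:  Set-PointAndPrintRestriction -Value 1
```

The audit is worth running fleet-wide after the August update, since a value of 0 left over from an earlier troubleshooting session silently restores the pre-PrintNightmare behavior even on a fully patched host.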
Notable critical fixes
Among this month’s Critical fixes is a Remote Desktop Client RCE vulnerability (CVE-2021-34535) with a CVSS score of 9.9.
Childs noted that the CVE-2021-34535 vulnerability occurs in the client, not in the server. For exploitation to occur, victims would have to be lured to a server controlled by an attacker or be exposed to malware in a guest VM, he explained:
An attacker can take control of a system if he manages to convince an affected RDP client to connect to an RDP server that he controls. On Hyper-V servers, malware running in a guest VM could trigger a guest-host RCE by exploiting this vulnerability in the Hyper-V viewer.
Other critical vulnerabilities receiving fixes this month include:
The last of these, CVE-2021-26432, comes with a string of abbreviations, which Aleks Haugom, product marketing manager at Automox, unpacked:
CVE-2021-26432 is a critical remote code execution vulnerability with too many acronyms. To break it down: Network File System (NFS), Open Network Computing Remote Procedure Call (ONCRPC), External Data Representation (XDR). Acronyms aside, this vulnerability is more likely to be exploited due to its low complexity status and the fact that it does not require privileges or user interaction.
CVE-2021-26432 can be exploited for denial of service attacks and file corruption. Details describing the vulnerability are lacking, but Haugom recommended fixing it “as soon as possible”.
Kurt Mackie is Senior News Producer for 1105 Media’s Converge360 Group.