Microsoft Patch Tuesday Puts Spotlight on Windows Print Spooler

Microsoft today released three more patches for vulnerabilities in Windows Print Spooler and changed its default Point and Print driver installation and update behavior to require administrator privileges.

Today's Patch Tuesday fixes three bugs in the Windows Print Spooler, adding to the number of flaws already patched so far this year. Microsoft last month issued a new vulnerability identifier (CVE-2021-34527) for the "PrintNightmare" flaw affecting Windows Print Spooler services and claimed this bug was different from another critical flaw (CVE-2021-1675) patched in June.

Two Print Spooler vulnerabilities patched today are remote code execution (RCE) flaws: CVE-2021-36936, which is listed as publicly known and classified as Critical, and CVE-2021-369467, classified as Important. Both are ranked as "Exploitation More Likely" by Microsoft and require low complexity and privileges to exploit. The third, CVE-2021-34483, is an elevation of privilege bug that is ranked "Exploitation Less Likely" but requires low complexity and privileges.

In addition to releasing the above fixes for Windows Print Spooler vulnerabilities, Microsoft is changing the default Point and Print driver installation and update behavior to require admin privileges. The change is an update to CVE-2021-34481, originally released last month.

"Our investigation into several vulnerabilities collectively referred to as 'PrintNightmare' has determined that the default behavior of Point and Print does not provide customers with the level of security required to protect against potential attacks," the Microsoft Security and Response Center (MSRC) writes in a blog post.

The installation of this update with default settings will mitigate the publicly disclosed flaws in Print Spooler, MSRC says. The change my affect print clients in situations where non-elevated users could previously add or update printers. The mitigation can be disabled with a registry key, as officials note in a separate KB article about the change, but this is not recommended. Microsoft notes disabling the mitigation will expose the environment to Print Spooler flaws.

Zero-Day

Overall, there was a total of 44 security fixes in Microsoft's August Patch Tuesday rollout, which include one zero-day, two publicly known flaws, and seven vulnerabilities rated Critical.

The bugs patched today affect Microsoft Windows and Windows Components, Office, Windows Defender, .NET Core and Visual Studio, Azure, Microsoft Dynamics, and Windows Update and Update Assistant. It's an unusually small rollout from Microsoft – which consistently deployed Patch Tuesday releases of 100+ fixes throughout 2020 into 2021 – and its smallest yet this year.

Today's rollout includes one bug under attack: CVE-2021-36948, an elevation of privilege flaw in the Windows Update Medic Service. This is a new service introduced in Windows 10 to repair Windows Update components so a machine can still receive updates when parts are damaged.

An attacker could exploit the vulnerability by accessing a target system locally or remotely; they could also rely on user interaction and trick a legitimate user into exploiting the flaw. The zero-day is classified as Important with a CVSS score of 7.8; it requires low attack complexity and low privileges to exploit. It was reported by Microsoft; details on active attacks were not disclosed.

"Interestingly, there was a similar vulnerability in the same service, CVE-2020-17070, announced in November 2020," notes Allan Liska, senior security architect with Recorded Future, in an email to Dark Reading. "Recorded Future was not able to find any evidence of it being exploited in the wild, so this may be a new area of focus for attackers."

Organizations should also prioritize CVE-2021-34535, a remote code execution vulnerability in the Remote Desktop Client with a CVSS score of 9.9. It's worth noting this flaw affects the RDP client, and not the RDP server, but it is rated "Exploitation More Likely" by Microsoft.

With a Remote Desktop connection, an attacker controlling a Remote Desktop Server could trigger RCE on a target machine if a victim connects to the attacker's server with a vulnerable Remote Desktop Client, Microsoft says. In the case of Hyper-V, a malicious program running in a guest virtual machine could trigger guest-to-host RCE by exploiting this vulnerability in the Hyper-V viewer if a victim running on the host connects to the Hyper-V guest.

"This is the more likely scenario and the reason you should test and deploy this patch quickly," writes Dustin Childs of Trend Micro's Zero-Day Initiative in a Patch Tuesday blog post.

Another CVE worth noting this month is CVE-2021-34480, a Critical scripting engine memory corruption vulnerability. While it has a lower CVSS score of 6.8, it is assessed as "Exploitation More Likely" by Microsoft. An attacker would have to convince a victim to open a specially crafted file in order to exploit the flaw, so it does require some user interaction to exploit.