icetray - Fotolia
September Patch Tuesday fixes zero-day, print spooler flaw
The two notable vulnerabilities, disclosed prior to this month's security update releases, receive permanent fixes to supersede earlier mitigation instructions.
A zero-day and a Windows printer spooler vulnerability received permanent fixes on September Patch Tuesday to replace earlier stop-gap efforts.
In total, Microsoft addressed 60 unique CVEs, including one public disclosure, on Tuesday. Three vulnerabilities were rated critical with most of the flaws in the Windows OS. The zero-day (CVE-2021-40444), Windows printer spooler flaw (CVE-2021-36958) and more than 20 bugs in the Chromium-based Microsoft Edge browser were reported after August Patch Tuesday to boost the total CVEs over the last month to 86.
"Between the MSHTML and print spooler vulnerability, there is definitely some urgency to get the OS updates rolled out," said Chris Goettl, vice president of product management at Ivanti, an IT asset and endpoint management company.
Microsoft released information about CVE-2021-36958, rated important, on Aug. 11, a day after it pushed out the August Patch Tuesday security updates. On Sept. 7, Microsoft published information on CVE-2021-40444, also rated important, which affects Microsoft MSHTML -- also called Trident, the Windows Internet Explorer layout engine -- with one attack vector coming from Microsoft Office documents that use the browser rendering engine.
In the aftermath of multiple printer-related vulnerabilities over the last few months, enterprises now face a prickly problem, Goettl said.
"Because of the behavioral changes and everything that was implemented because of these printer issues, there are a lot of companies struggling to figure out how their users can install printers," Goettl said. "Many organizations relied on having the permissions to let users install printers without administrative rights or to install printer drivers remotely. This is definitely going to push a number of organizations to find a self-service, printer-driver installation experience."
MSHTML zero-day patched
Microsoft's notes for the zero-day said the default security in Microsoft Office applications, such as Microsoft Word or Excel, should prevent malicious files from causing problems.
"An attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine," the company wrote in the executive summary for the CVE. "The attacker would then have to convince the user to open the malicious document. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights."
Goettl said power users often override these built-in security measures to get components in their Excel documents to run properly. He said it wouldn't take too much social engineering to bypass the Office protection behavior and expose the organization to harm.
Prior to the patch release on September Patch Tuesday, Microsoft had issued mitigation instructions that disabled the installation of ActiveX controls through Group Policy and registry keys. So, while September Patch Tuesday delivered a more robust fix for the flaw, the result is more work for the IT staff.
"Once you apply the OS update, then you can go and revert all of those mitigations. There are two or three different steps admins need to take, depending on how extensive they went with their mitigation," Goettl said.
Other security updates of note for September Patch Tuesday
Microsoft also corrected one publicly disclosed vulnerability on September Patch Tuesday. The Windows DNS elevation-of-privilege vulnerability (CVE-2021-36968) is rated important for Windows Server 2008/2008R2 and Windows 7 systems, all of which left extended support in January 2020. Only customers who pay for the Extended Security Update (ESU) program receive the patch for these legacy platforms.
Microsoft does not disclose deployment figures, but Goettl said the number is significant and most likely quite a few organizations rely on these systems but do not subscribe to the ESU program.
"This one could be some low-hanging fruit for threat actors," Goettl said.
The three critical vulnerabilities corrected on September Patch Tuesday include:
- CVE-2021-26435: A Windows Scripting Engine memory corruption vulnerability;
- CVE-2021-36965: A Windows WLAN AutoConfig Service remote-code execution vulnerability; and
- CVE-2021-38647: An Azure Open Management Infrastructure remote-code execution vulnerability with a CVSS score of 9.8.
The Azure Open Management Infrastructure flaw is one of four vulnerabilities in the open-source project this month with the other three (CVE-2021-38645, CVE-2021-38648 and CVE-2021-38649) rated important. Microsoft said, in the critical flaw, an attacker could run malicious code by sending a specially crafted message to a port on the unpatched system.
Goettl said correcting this issue could prove difficult in some organizations because, as a Linux-based application, the affected system might be overlooked.
"We've gone away from the Linux specialist role to where the server administrator has to manage Windows and whatever else they're given," Goettl said. "There's some crossover between the IT admin side and the DevOps side, depending on the project. Management is getting more and more complicated for companies."
Microsoft also revised information for a Windows print spooler spoofing vulnerability (CVE-2021-1678) rated important. The company corrected the flaw on January Patch Tuesday by increasing the printer remote procedure call (RPC) authentication level and adding a new policy and registry keys that customers could use to enable or disable the enforcement mode on the server. According to a tweet from Elizabeth Tyler, a member of the Microsoft Detection and Response Team, the enforcement phase default behavior will now be set to "enabled" to protect devices.
"Remember that NTLM SFB/Printer RPC binding change CVE from back in Jan? CVE-2021-1678? Well enforcement phase comes this month. This means it doesn't matter what you set in the registry, the authorisation level will be set," she wrote.