Safety is more important than ever and ransomware is bigger and nastier than ever. Barely a week goes by without another major ransomware attack.
One way to slow down or even stop such attacks is to keep your critical applications and operating systems up to date. There is only one small problem with that. These fixes, especially Microsoft’s Windows fixes, can cause more problems than they are worth. What’s a business to do?
Take, for example, PrintNightmare. These security holes in the Windows Print Spooler service are big enough to throw a first-generation, 71-pound HP printer through. A variety of attacks are now available, allowing the compromise not only of your Windows 7 and 10 PCs but of your Windows servers as well. Is that a big bug or what?
But wait, there’s more. It’s not a single bug. It’s actually a pair of security holes: CVE-2021-34527 and CVE-2021-1675, the latter of which was “fixed” in Microsoft’s June Patch Tuesday. That print spooler bug allowed attackers with limited rights on an individual machine to elevate their privileges to the administrator level. This local privilege escalation (LPE) bug was bad, but not really a nightmare. I would call it a “fix it and forget it” security hole.
Ah, but then two security researchers delved into Windows and found another print spooler bug, CVE-2021-34527. They thought they had just found another angle on CVE-2021-1675. They were wrong. And there was no patch available for CVE-2021-34527.
This one could be exploited both as an LPE and for Remote Code Execution (RCE). Do you know what happens when you combine an LPE and an RCE? You get a remote attack on your corporate network that can reach any machine you own.
That is, provided there is a protocol you can use to reach remote machines. Guess what? There was. Another researcher, who goes by the nickname Cube0x0, revealed that the bug could also be abused via the Print System Asynchronous Remote Protocol (MS-PAR).
The researchers tried to pull their discovery offline when they realized what they had done, but it was too little, too late. Once something is revealed on the Internet, it is available forever. As of this writing, there are at least three public proof-of-concept exploits.
On July 6, Microsoft issued an emergency “fix it now!” patch. There are two problems with it. First, the fix is not available for Windows 10 1607, Windows Server 2012, or Windows Server 2016. That’s annoying. Second, and just as bad, it turns out that it won’t work if your machines use Point and Print, the feature that makes it easier for your employees to connect to printers.
It’s a real mess. As Will Dormann, Senior Vulnerability Analyst at CERT, said, “This is the biggest case I have dealt with in a very long time.” You think? As of this writing, there are millions of business PCs (let’s not even think about all the home PCs) open to this attack.
There are things you can do about it, but no business really wants to take these steps. For example, you can stop your employees from printing anything by disabling the Print Spooler with the following PowerShell commands:
- Stop-Service -Name spooler -Force
- Set-Service -Name Spooler -StartupType disabled
I mean, printers. Who needs them? Am I right?
On a more practical level, if you allow Internet access to the print spoolers on your servers or PCs, block it. Block it now. That’s what firewalls are for. Use them. It won’t stop anyone inside your network from deciding to mess with your machines, but at least you can keep out J. Random Hacker.
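The two mitigations above (disabling the spooler) and the Point and Print caveat from the July fix can be checked in one place. This is an added example, not code from the column or from Microsoft: it reports the spooler state and the two Point and Print registry values Microsoft’s CVE-2021-34527 guidance says must be 0 or absent, and, with the script’s own hypothetical -Disable switch, applies the column’s spooler shutdown only on hosts that share no printers.

```powershell
# Added example (not from the original column). Run in an elevated PowerShell
# session. The -Disable switch and the "no shared printers" test are this
# script's own assumptions about when stopping the service is safe.
param([switch]$Disable)

$report = [ordered]@{}

# 1. Is the Print Spooler service running, and will it start automatically?
$svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
$report['SpoolerStatus']    = if ($svc) { $svc.Status }    else { 'NotInstalled' }
$report['SpoolerStartType'] = if ($svc) { $svc.StartType } else { 'n/a' }

# 2. Does this host actually serve printers? A machine with shared printers is
#    a print server; stopping the spooler there breaks printing for everyone.
$shared = @(Get-Printer -ErrorAction SilentlyContinue | Where-Object Shared)
$report['SharedPrinters'] = $shared.Count

# 3. Point and Print policy. Microsoft's guidance for CVE-2021-34527 is that
#    NoWarningNoElevationOnInstall and UpdatePromptSettings must be 0 or not
#    defined; a value of 1 lets non-admins install printer drivers silently,
#    which is the configuration that undermines the July patch.
$pp = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
foreach ($name in 'NoWarningNoElevationOnInstall', 'UpdatePromptSettings') {
    $val = (Get-ItemProperty -Path $pp -Name $name -ErrorAction SilentlyContinue).$name
    $report["PointAndPrint.$name"] = if ($null -eq $val) { 'not set (OK)' }
                                     elseif ($val -eq 0)  { '0 (OK)' }
                                     else                 { "$val (INSECURE)" }
}

[pscustomobject]$report | Format-List

# 4. Optionally apply the column's mitigation, but never on a print server.
if ($Disable) {
    if ($shared.Count -gt 0) {
        Write-Warning "Host shares $($shared.Count) printer(s); not disabling Spooler."
    } elseif ($svc) {
        Stop-Service -Name Spooler -Force
        Set-Service  -Name Spooler -StartupType Disabled
        Write-Host 'Spooler stopped and disabled.'
    }
}
```

Run it without -Disable first to see where you stand; any "INSECURE" line means the July patch alone does not protect that machine.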
But back to the original question: to patch or not to patch?
In this case, it wouldn’t have made much of a difference anyway. Still, let’s go back to February’s Patch Tuesday. If you were still running Windows 10 1909 on a Wi-Fi network with Wi-Fi Protected Access 3 (WPA3) security, there was a good chance you would get a Blue Screen of Death.
So how do you strike the right balance between getting the security you need without sacrificing the IT stability of your team? If you’re like most small businesses, you can’t afford to hire a full-time security expert. But there are steps you can take to protect your business, regardless of your IT budget.
At the same time, no one should blindly follow Microsoft’s recommendation to patch as soon as possible. I know from bitter personal experience how difficult patching Windows can be.
At a minimum, to reduce your risk, back up all your Windows systems immediately before applying patches. That way, if something goes horribly wrong, you can always roll back and wait for a good fix to appear.
The other thing you need to do is maintain a standard Windows system that mirrors the standard configuration of your working PCs. This machine is your designated sacrifice box – use it to install all the latest patches first. Then run all your apps to see if anything is wrong. If all is well on your test PC after a day or two, update all your other machines.
Of course, you’ll always be open to zero-day attacks like PrintNightmare, but we’re all vulnerable to them. If security is truly a top priority for your business, leave Windows behind and get a Linux desktop instead. They are an order of magnitude more secure.
I know most people can’t or won’t take this advice. Let’s face it, most of us are stuck with Windows. But if you’re trying to strike a balance between fixes and stability, you’ll be glad you did. After all, it’s not about whether you’re going to be hit by a security attack or a bad patch, but when.
Copyright © 2021 IDG Communications, Inc.