In this issue

PATCH WATCH: Windows 10 more vulnerable?
FROM THE FORUMS: New forum topics added

Additional articles in the PLUS issue

PUBLIC DEFENDER: How to tell whether a fintech app such as Chime is a scam
WINDOWS 11: Windows 11 says good-bye to these familiar features
LANGALIST: Windows 10 Home vs. Pro: A real-life test drive
PRODUCTIVITY: Sliding over to LibreOffice — or not

PATCH WATCH Windows 10 more vulnerable?
By Susan Bradley

Every month brings the usual suspects — zero-day vulnerabilities, remote code execution, denial of service attacks, plus the odd Defender bug here and there. But as we count up the vulnerabilities, there is a disturbing trend. If you go by head counts of the bugs in each version, Windows 10 has more bugs this month than Windows 7.

There have certainly been times in the past when a bug really did affect an older version of an operating system but couldn’t be fixed because it would have broken customers still using the older platforms. But as Microsoft layers on more protections in Windows 10, it opens up more vulnerabilities. A case in point is Windows Hello (facial recognition instead of passwords), which can be tricked into allowing an attacker to bypass the authentication (see Bleeping Computer). Mind you, with physical access to a computer, there are LOTS of ways you can bypass security, so I see this more as a concern for businesses than for home users.

Windows 11’s hardware mandates mean that Microsoft can introduce more security to the platform via virtualization-based security, which allows the system to isolate the operating system from the application and thus ensure that malicious files and applications can’t gain access to your system. But — and here’s the big but — users of the Windows 11 Home edition won’t be licensed for these features. Even many small businesses won’t be purchasing the needed “E3” or “E5” license in order to enable these features.

A Twitter user put it best: “Telling Windows Home users that they should actually want to use new PCs with Windows 11 so they can take advantage of VBS defenses that “stop 60% of malware” when Home edition doesn’t even get most of those defenses, really is pretty crappy.”

Don’t get me wrong. I’m looking forward to the advances that the Trusted Platform Module can bring to the table.
As Ben Myers stated last week in his excellent TPM article, “the role of TPM 2.0 in Windows 11 is simply to ensure, with appropriate software support, trustworthy transactions within a single computer and between computers. A transaction may be anything from a simple cut-and-paste between two programs to an electronic payment made for you by your bank.” To this I would add: but not if all of us with consumer and home computers are locked out of participating in that goodness.

I would rather we not run our critical banking information on an out-of-date Windows 7 (or, worse yet, Windows XP) PC, but it’s discouraging never to feel like we’re gaining on the bad guys. And even when such things as ransomware websites are shut down, they always seem to be back in business in short order.

Windows 7 had 30 vulnerabilities for the month of January and Windows 10 had 73, including five HEVC video vulnerabilities that were patched through the Microsoft Store. Looking at it based purely on the type and number of vulnerabilities addressed with patches each month, Windows 11 is going to have to get a lot more secure before we start making headway.

Recommendations for consumer and home users

While there are quite a few zero-day vulnerabilities in the July security updates, I’m still not going to deviate from my wait-and-see attitude for consumers and home users.

The good news is that this month’s Windows 10 updates include a fixed version of the PrintNightmare update, so you don’t have to wait for the “fixed” fix to remove the bad code on your computer and roll it back to the working printer code. As Microsoft notes, “[T]his issue affects various brands and models, but primarily receipt or label printers that connect using a USB port.”

Included in the updates is a vulnerability in the Scripting Engine that is under active attack.
Microsoft doesn’t make clear whether these are merely targeted attacks or a widespread attack, so before updating, be extra careful where you surf, and make sure your browser is up to date and appropriately paranoid with plug-ins such as NoScript.

For the included Office vulnerabilities this month, we are once again fixing a remote code execution vulnerability in Excel. If you receive Excel spreadsheets with macros from friends or family, be very careful: attackers are regularly abusing Excel 4.0 macros to drop malware onto our systems. Excel 4.0 macros may be old technology, but clearly they still work to gain access to our systems.

For now, pause updates while waiting to see whether there are more printing side effects from this month’s updates. For Windows 10, remember you can click on Start, Settings, Update and Security and then on Advanced options to pick a date in the future. For now, I’m looking at July 27 as a preferred install date.

Alternatively, you can use WUMgr to defer updates. TomR posted an excellent document (PDF) in the forums about how to use WUMgr to control updates.

Recommendations for business users

If you still have an on-premises email server, spend time updating that server first before taking any other actions this month. The Exchange Server vulnerabilities (which allow remote code execution) came through the ZDI Pwn2Own contest, where contestants try to attack systems.

If you use third-party antivirus software on your Exchange server, be aware of a possible slowdown triggered by this month’s updates. As Günter Born points out, AMSI integration can cause problems with various third-party antivirus scanners. You may have to disable AMSI integration in your antivirus product to get Outlook working properly.

This month, Microsoft will be mandating the enforcement phase of a change, first introduced in December updates, having to do with how Kerberos delegation can be used in attacks. The patch enforces the changes to address CVE-2020-17049.
This attack is called “Kerberos Bronze Bit vulnerability,” and more information about it can be reviewed here.

More Print Spooler bugs

Late on July 15, Microsoft released a security-vulnerability notice in the form of CVE-2021-34481 — yet another Print Spooler bug. It’s not as bad as PrintNightmare, because the bug can be accessed only locally, not remotely; but it still means that an attacker can use a web-browser attack or a phishing attack to take control of the system. It’s unclear when there will be a patch for this.

The earlier Print Spooler bug, called PrintNightmare, was fixed in the July 13 security releases. Should you decide to install updates, you won’t have to wait for the fix to be silently installed after you install the updates.

Depending on your needs — and if your domain controller is only your domain controller and holds no other roles — I continue to recommend that you have the Print Spooler service enabled only if it is absolutely necessary. Otherwise, disable it. For those of you in small businesses where your domain controller may also be the print server for the office, disabling the Print Spooler service is not an option. Viable workarounds are noted in the TrueSec blog if you can’t immediately patch.

Take extra care this month — check printing after installing this update.

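The Print Spooler advice above, written out as an added PowerShell example (not part of the original newsletter): it reports the machine's role and spooler state, refuses to touch a machine that is sharing printers, and otherwise stops and disables the service. The function name Disable-UnusedSpooler is hypothetical; run it from an elevated prompt, and use -WhatIf first to see what would change.

```powershell
# Added example. Disable-UnusedSpooler is a hypothetical name, not a built-in cmdlet.
function Disable-UnusedSpooler {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    $spooler = Get-Service -Name Spooler -ErrorAction Stop

    # Win32_OperatingSystem.ProductType: 1 = workstation, 2 = domain controller, 3 = server
    $productType = (Get-CimInstance -ClassName Win32_OperatingSystem).ProductType
    $role = switch ($productType) {
        1       { 'Workstation' }
        2       { 'Domain controller' }
        3       { 'Server' }
        default { 'Unknown' }
    }

    # Get-Printer needs a running spooler; a stopped spooler is not serving any shares.
    $shared = @()
    if ($spooler.Status -eq 'Running') {
        $shared = @(Get-Printer -ErrorAction SilentlyContinue | Where-Object Shared)
    }

    # Emit a report object so the result can be logged or collected from several machines.
    [pscustomobject]@{
        Computer       = $env:COMPUTERNAME
        Role           = $role
        SpoolerStatus  = $spooler.Status
        StartType      = $spooler.StartType
        SharedPrinters = ($shared.Name -join ', ')
    }

    # A machine that doubles as the office print server keeps its spooler.
    if ($shared.Count -gt 0) {
        Write-Warning "$env:COMPUTERNAME shares $($shared.Count) printer(s); leaving the spooler enabled. Patch or apply a workaround instead."
        return
    }

    if ($spooler.Status -eq 'Stopped' -and $spooler.StartType -eq 'Disabled') {
        Write-Verbose 'Print Spooler is already stopped and disabled.'
        return
    }

    # Disabling the spooler also stops local printing from this machine.
    if ($PSCmdlet.ShouldProcess('Print Spooler service', 'Stop and disable')) {
        Stop-Service -Name Spooler -Force
        Set-Service -Name Spooler -StartupType Disabled
    }
}

Disable-UnusedSpooler -WhatIf
```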
In real life, Susan Bradley is a Microsoft Security MVP and IT wrangler at a California accounting firm, where she manages a fleet of servers, virtual machines, workstations, iPhones, and other digital devices. She also does forensic investigations of computer systems for the firm.
FROM THE FORUMS New forum topics added
A new section has been added in the forums specifically dedicated to Backups. Some of our favorite vendors are already listed. If you need help setting up backup software, this is the place to ask. Susan Bradley remarked, “I think ANY computer issue can be proactively solved with a good backup. Join us in this new section to learn more.”

A few weeks ago, a new Windows 11 pre-release section was added to the forums, with these new topics:

With 32 topics already, the new section is sure to become increasingly interesting and valuable.
Publisher: AskWoody Tech LLC (sb@askwoody.com); editor: Will Fastie (editor@askwoody.com). Trademarks: Microsoft and Windows are registered trademarks of Microsoft Corporation. AskWoody, Windows Secrets Newsletter, WindowsSecrets.com, WinFind, Windows Gizmos, Security Baseline, Perimeter Scan, Wacky Web Week, the Windows Secrets Logo Design (W, S or road, and Star), and the slogan Everything Microsoft Forgot to Mention all are trademarks and service marks of AskWoody Tech LLC. All other marks are the trademarks or service marks of their respective owners.
Copyright © 2021 AskWoody Tech LLC, All rights reserved.