Leveraging Technology to Succeed in Business

Take, for example, PrintNightmare. These security holes in the Windows Print Spooler service are large enough to throw a 71-pound, first-generation HP printer through. A variety of attacks are now out there, allowing compromise of not just your Windows 7 and 10 PCs, but your Windows servers as well. Is this a great bug or what?

But wait, there's more. It's not a single bug. It's actually a pair of security holes: CVE-2021-34527 and CVE-2021-1675, the latter of which was "fixed" in Microsoft's June Patch Tuesday set. This Print Spooler bug enabled hackers with limited system rights on an individual machine to escalate privilege to the administrator level. This LPE (local privilege escalation) bug was bad, but hardly a nightmare. I'd call it a "patch it and forget it" security hole.

Ah, but then a pair of security researchers looked deeper into Windows and found yet another Print Spooler bug: 34527. They thought they'd just found another angle on 1675. They were wrong. And there was no patch available at all for 34527.

This one could be exploited both as an LPE and as remote code execution (RCE). Do you know what happens when you put an LPE and RCE together? You get a remote attack across your business network that can attack every machine you've got.

If, that is, there's a protocol you can use to manipulate remote machines. Guess what? There was. Yet another researcher, who goes by the handle Cube0x0, revealed that you could abuse this exploit via the Print System Asynchronous Remote Protocol (MS-PAR).

The researchers tried to take their discovery offline when they realized what they'd done, but it was too little, too late. Once something has been revealed on the internet, it's available forever. As I write this, there are at least three public proof-of-concept exploits out there.

On July 6, Microsoft issued an emergency "fix this right now!" patch. There are two problems with this. First, the patch isn't available for Windows 10 1607, Windows Server 2012, and Windows Server 2016. That's annoying. Second, and just as bad, it turns out the patch won't protect you if your machines use Point and Print, a feature that makes it easier for your workers to connect to printers.

This is a real mess. As Will Dormann, a CERT senior vulnerability analyst, said, "It's the biggest deal I've dealt with in a very long time." Ya think? As I write this, there are millions of business PCs (let's not even think about all the home PCs) open to this attack.

There are things you can do about it, but no business really wants to take these measures. For example, you can keep your employees from printing anything by turning off the Print Spooler, with the following PowerShell commands:

  • Stop-Service -Name Spooler -Force
  • Set-Service -Name Spooler -StartupType Disabled

The first command stops the running service; the second keeps it from starting again at the next reboot.

I mean, printers. Who needs 'em? Am I right?

On a more practical level, if you allow internet access to your servers' or PCs' print spoolers, block this. Block it now. That's what firewalls are for. Use them. It won't stop anyone from inside your network from deciding to screw around with your machines, but at least you can stave off J. Random Hacker.
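
Pulling the two measures above (turning off the spooler, and blocking outside access to it) into one script, as an added example that is not part of this column: it audits the Spooler service, disables it only on machines you list as never needing to print, and adds inbound Windows Firewall rules that refuse spooler traffic from Internet addresses while leaving LAN printing alone. It assumes an elevated PowerShell session on Windows 8 / Server 2012 or later (for the built-in NetSecurity module); the $NoPrintHosts list is a placeholder you fill in.

```powershell
# Added example, not from the column. Run from an elevated PowerShell session.
# Assumes the built-in NetSecurity module (Windows 8 / Server 2012 and later).

# Placeholder: hostnames that never need to print (domain controllers, file
# servers, kiosks). Edit to fit your environment.
$NoPrintHosts = @('DC01', 'FILE01')

# 1. Audit: is the Print Spooler running, and will it come back after a reboot?
$spooler = Get-Service -Name Spooler
Write-Host ("Spooler on {0}: status={1}, startup={2}" -f `
    $env:COMPUTERNAME, $spooler.Status, $spooler.StartType)

# 2. Disable the spooler only where nobody prints from this machine, so the
#    measure stays selective instead of taking printing away from everyone.
if ($NoPrintHosts -contains $env:COMPUTERNAME) {
    Stop-Service -Name Spooler -Force                   # stop it now
    Set-Service  -Name Spooler -StartupType Disabled    # keep it off after reboot
    Write-Host "Spooler stopped and disabled on $env:COMPUTERNAME"
}

# 3. Everywhere else keep printing working but refuse spooler connections from
#    outside the local network. The 'Internet' keyword matches any address that
#    is not in a local subnet or intranet range. Creating the rule is idempotent.
function Add-BlockRule {
    param([string]$Name, [hashtable]$Match)
    if (Get-NetFirewallRule -DisplayName $Name -ErrorAction SilentlyContinue) { return }
    New-NetFirewallRule -DisplayName $Name -Direction Inbound -Action Block `
        -Enabled True -Profile Any -RemoteAddress Internet @Match | Out-Null
    Write-Host "Firewall rule '$Name' created"
}

# The spooler listens for RPC over TCP directly in spoolsv.exe ...
Add-BlockRule -Name 'Block Print Spooler RPC from Internet' `
    -Match @{ Program = '%SystemRoot%\System32\spoolsv.exe' }
# ... and is also reachable through the spoolss named pipe over SMB (TCP 445),
# which is served by the kernel, so a program-based rule alone would miss it.
Add-BlockRule -Name 'Block SMB (spoolss pipe) from Internet' `
    -Match @{ Protocol = 'TCP'; LocalPort = 445 }

# 4. Report the final state so the change can be verified and logged.
Get-Service -Name Spooler | Select-Object Name, Status, StartType
Get-NetFirewallRule -DisplayName 'Block*from Internet' |
    Select-Object DisplayName, Enabled, Direction, Action
```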

But back to the original question: To patch or not to patch?

In this case, it wouldn't have made a lot of difference either way. Nonetheless, let's step back to February's Patch Tuesday. If you were still using Windows 10 1909 on a Wi-Fi network with Wi-Fi Protected Access 3 (WPA3) security, chances are good you'd get a Blue Screen of Death.

So, how do you balance getting the security you need without sacrificing your crew's computing stability? If you're like most small businesses, you can't afford to hire a full-time security expert. But there are steps you can take to protect your business, no matter how small your IT budget.

At the same time, no one should blindly follow Microsoft's recommendation to patch as soon as possible. I know from bitter personal experience how much trouble you can get into patching Windows.

At a minimum, to reduce your risk, back up all of your Windows systems immediately before patching. That way, if something goes horribly wrong, you can always reset and wait for a good patch to appear.

The other thing you should do is maintain one standard Windows system that mirrors all your work PCs' standard configurations. This machine is your designated sacrifice box—use it to install all the latest patches. Then run all your applications to see if anything goes badly wrong. If all's fine on your test PC after a day or two, update all your other machines.

Of course, you'll still be open to zero-day attacks like PrintNightmare, but we all are vulnerable to those. If security really is a top priority for your company, then leave Windows behind and get a Linux desktop instead. They're an order of magnitude safer.

I know most people can't or won't take that advice. Face it, most of us are stuck with Windows. But if you try to find a balance between patching and stability, you'll be glad you did. After all, it's not a matter of if you're going to get whacked by a security attack or a bad patch, but when.

Good luck.

CSO's guide to the worst and most notable ransomware

The ransomware gangs and their malware listed here have victimized millions of companies and caused billions of dollars in costs.

PrintNightmare vulnerability explained: Exploits, patches, and workarounds

Public exploits are available for a remote code execution vulnerability in the Windows Print Spooler that could allow attackers to take full control of systems. The vulnerability affects all editions of Windows, and organizations are urged to deploy the patches as soon as possible.

Task force proposes framework for combatting ransomware

A diverse coalition of experts from business and the public sector present 48 recommendations for solving the ransomware crisis, including international cooperation and regulating cryptocurrencies.

Windows updates: The four basic patch personalities

You can be a bleeding-edge Windows user, the cautious type, or even reboot-hesitant. But there's no getting around updates. Here's how to figure out what works best for you.

How to secure vulnerable printers on a Windows network

Attackers look for unsecured printers as a point of access. Find them before they do. Here's how.


About the Author
Steven J. Vaughan-Nichols, aka sjvn, has been writing about the intersection of business and technology for over 30 years. He continues to scoop up awards for his valuable insights and practical guidance in highly technical publications, business & technology magazines, and mainstream newspapers.
©2021 IDG Communications, Inc.