Microsoft Patch Archives – Gridinsoft Blog https://gridinsoft.com/blogs/tag/microsoft-patch/ Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe. Wed, 15 Dec 2021 22:40:52 +0000 en-US hourly 1 https://wordpress.org/?v=95997 200474804 Microsoft patches Windows AppX Installer vulnerability that spreads Emotet malware https://gridinsoft.com/blogs/microsoft-patches-windows-appx-installer-vulnerability/ https://gridinsoft.com/blogs/microsoft-patches-windows-appx-installer-vulnerability/#respond Wed, 15 Dec 2021 21:13:40 +0000 https://gridinsoft.com/blogs/?p=6669 The latest of this year, December’s patch Tuesday brought fixes for six 0-day vulnerabilities in Microsoft products, including a bug in the Windows AppX Installer that uses Emotet malware to spread. Microsoft patched 67 vulnerabilities in its products this month, seven of which are classified as critical and 60 are classified as important. Separately, Microsoft… Continue reading Microsoft patches Windows AppX Installer vulnerability that spreads Emotet malware

The post Microsoft patches Windows AppX Installer vulnerability that spreads Emotet malware appeared first on Gridinsoft Blog.

]]>
The latest of this year, December’s patch Tuesday brought fixes for six 0-day vulnerabilities in Microsoft products, including a bug in the Windows AppX Installer that uses Emotet malware to spread.

Microsoft patched 67 vulnerabilities in its products this month, seven of which are classified as critical and 60 are classified as important. Separately, Microsoft has fixed 16 bugs in Microsoft Edge for a total of 83 bugs.

Interestingly, according to ZDI data, the latest set of fixes increased the total number of bugs fixed in 2021 to 887, which is almost 30% less than in 2020.

One of the major fixes this month is the patch for CVE-2021-43890 (7.1 CVSS). This vulnerability in the Windows AppX Installer is reportedly already under attack. Microsoft says the bug can be exploited remotely by low-privilege attackers without user interaction. In particular, the problem is already being used to distribute various malicious programs, including the Emotet, TrickBot and BazarLoader malware.

An attacker could create a malicious attachment for use in phishing campaigns. The attacker would then have to convince the user to open that attachment. Users whose accounts are configured with fewer rights in the system may be affected to a lesser extent than users who work with administrator rights.the company warns.

Bleeping and Computer reports that Emotet malware has recently spread using malicious Windows App Installer packages disguised as Adobe PDF. While Microsoft does not directly link CVE-2021-4389 to this campaign, the details the experts have shared with the community are completely consistent with the tactics used in the recent Emotet attacks.

Five other zero-day vulnerabilities that were patched in December were not seen in hacker attacks:

  • CVE-2021-43240 (CVSS: 7.8) – privilege escalation in NTFS Set Short Name;
  • CVE-2021-43883 (CVSS: 7.8) – Windows Installer privilege escalation;
  • CVE-2021-41333 (CVSS: 7.8) – Windows Print Spooler privilege escalation;
  • CVE-2021-43893 (CVSS: 7.5) – privilege escalation in Windows Encrypting File System (EFS);
  • CVE-2021-43880 (CVSS: 5.5) – Windows Mobile Device Management privilege escalation.

Let me remind you that we also wrote that Emotet now installs Cobalt Strike beacons.

The post Microsoft patches Windows AppX Installer vulnerability that spreads Emotet malware appeared first on Gridinsoft Blog.

]]>
https://gridinsoft.com/blogs/microsoft-patches-windows-appx-installer-vulnerability/feed/ 0 6669
Microsoft declares that Printnightmare patch works correctly https://gridinsoft.com/blogs/microsoft-declares-that-printnightmare-patch-works-correctly/ https://gridinsoft.com/blogs/microsoft-declares-that-printnightmare-patch-works-correctly/#respond Mon, 12 Jul 2021 16:53:18 +0000 https://blog.gridinsoft.com/?p=5692 Previously, many IS researchers warned that Microsoft’s emergency patch for a dangerous Printnightmare vulnerability was ineffective and that it did not eliminate the problem completely. Let me remind you that the experts found that even after installing the correction, vulnerability can still be operated locally to obtain System privileges. Worse, the developer Mimikatz Benjamin Delp… Continue reading Microsoft declares that Printnightmare patch works correctly

The post Microsoft declares that Printnightmare patch works correctly appeared first on Gridinsoft Blog.

]]>
Previously, many IS researchers warned that Microsoft’s emergency patch for a dangerous Printnightmare vulnerability was ineffective and that it did not eliminate the problem completely.

Let me remind you that the experts found that even after installing the correction, vulnerability can still be operated locally to obtain System privileges. Worse, the developer Mimikatz Benjamin Delp reported that the patch can be completely bypassed and that the vulnerability can be used not only for local privileges, but also for remote execution of arbitrary code.

To do this, the Point and Print RESTRICTIONS policy should be active, and the “WHEN INSTALLING DRIVERS FOR A NEW CONNECTION” parameter must be set to “Do Not Show Warning On Elevation Prompt”.

Now Microsoft responded to these warnings and reported that the patch works correctly:

Our investigation has shown that unscheduled security update is working properly and effectively against famous exploits and other public reports that are combined as Printnightmare. All reports we studied were based on changing the default registry settings associated with the Point and Print function, on an unsafe configuration.the company said.

Microsoft engineers updated Printnightmare Problem Correction Guide and still encourage users to install patches as soon as possible. Now the manual looks like this:

In any case, apply the patch for CVE-2021-34527 (update will not change the existing registry settings);

  • After applying the update, check the registry settings documented in the CVE-2021-34527 description;
  • If the registry keys listed there do not exist, further actions are not required;
  • If the registry keys exist, it is necessary to confirm that the following registry keys are set to 0 (zero) or they are missing:
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrintNoWarningNoElevationOnInstall = 0 (DWORD) or not set (by default) and UpdatePromptSettings = 0 (DWORD) or not set (by default).

However, in addition to the effectiveness of an unscheduled patch, other difficulties arose with it. The Bleeping Computer media reported that the KB5004945 update, designed to eliminate Printnightmare, violated work of some models of Zebra and Dymo printers.

After the release of the patch, users started massively complaining on Twitter and on Reddit that the work of Zebra printers has become impossible. According to the victims, the problem affected only printers directly connected to Windows devices via USB. Zebra printers connected to the print server have not been injured.

We have about 1,000 clients using Zebra printers, and they called us repetitively because they cannot print. Surely this update is responsible for it, because after its rollback [printer] again spits [labels].writes one of the users.

It was reported that the bug affected only certain Zebra models, including the most popular: LP 2844, ZT220, ZD410, ZD500, ZD620, ZT230, ZT410 and ZT420.

Zebra developers confirmed that they know about the problem. The company advised:

Immediate way to solve the problem is to delete the update KB5004945 for Windows or delete the appropriate printer driver and reuse it using the administrator credentials.

However, the situation was aggravated by the fact that it is a mandatory security update, which means, after some time, Windows will automatically set it again.

Interestingly, Microsoft reported that these failures are not associated with CVE-2021-34527 and CVE-2021-1675, but caused by changes in the preview version of the cumulative update for June 2021. Developers have released emergency patches for Windows 10 2004, Windows 10 20H2 and Windows 10 21H1 to eliminate bugs.

After installing the updates of KB5003690 or later (including additional updates to KB500476 and KB5004945), you could have problems with printing on certain printers. The most vulnerable devices are printers for printing checks and labels that are connected via USB.Microsoft wrote.

Fixes are deployed using Microsoft Known Issue Rollback (KIR), which distributes patches for known errors through Windows Update. That is, patches should get to most users in the next day.

The post Microsoft declares that Printnightmare patch works correctly appeared first on Gridinsoft Blog.

]]>
https://gridinsoft.com/blogs/microsoft-declares-that-printnightmare-patch-works-correctly/feed/ 0 5692
The official patch for the PrintNightmare vulnerability was ineffective https://gridinsoft.com/blogs/patch-for-printnightmare-is-ineffective/ https://gridinsoft.com/blogs/patch-for-printnightmare-is-ineffective/#respond Thu, 08 Jul 2021 19:05:22 +0000 https://blog.gridinsoft.com/?p=5687 Earlier this week, Microsoft released an emergency patch for a critical PrintNightmare bug recently discovered in Windows Print Spooler (spoolsv.exe), but it was ineffective. Microsoft assigned the bug ID CVE-2021-34527, and also confirmed that the problem allows arbitrary code to be executed remotely with SYSTEM privileges and allows an attacker to install programs, view, modify… Continue reading The official patch for the PrintNightmare vulnerability was ineffective

The post The official patch for the PrintNightmare vulnerability was ineffective appeared first on Gridinsoft Blog.

]]>
Earlier this week, Microsoft released an emergency patch for a critical PrintNightmare bug recently discovered in Windows Print Spooler (spoolsv.exe), but it was ineffective.

Microsoft assigned the bug ID CVE-2021-34527, and also confirmed that the problem allows arbitrary code to be executed remotely with SYSTEM privileges and allows an attacker to install programs, view, modify or delete data, and create new accounts with user rights.

At the same time, cybersecurity researchers quickly discovered that these fixes were incomplete, since the vulnerability could still be exploited locally to gain SYSTEM privileges. In particular, this information was confirmed by Matthew Hickey, co-founder of Hacker House, and Will Dormann, analyst at CERT/CC.

As it turned out now, the problem is even more serious than they thought. Other researchers also began modifying their exploits and testing the patch, after which it turned out that the fix could be easily bypassed, with exploitation of the vulnerability not only for local privilege escalation, but also for remote execution of arbitrary code.

Mimikatz developer Benjamin Delp writes that the patch can be bypassed if the Point and Print Restrictions policy is active, and the “When installing drivers for a new connection” parameter should be set to “Do not show warning on elevation prompt”.

Matthew Hickey told Bleeping Computer that users are still better off turning Print Spooler off altogether, blocking printing locally and remotely (until a full patch is available).

Also, the publication itself notes that the unofficial micropatch from the developer 0patch turned out to be more effective, and can be used instead of the official one. However, this third-party solution conflicts with Microsoft’s July 6, 2021 patch, so 0patch can only be applied instead of the official one.

Microsoft says it is already aware of the experts’ findings, and the company is already investigating these reports.

The post The official patch for the PrintNightmare vulnerability was ineffective appeared first on Gridinsoft Blog.

]]>
https://gridinsoft.com/blogs/patch-for-printnightmare-is-ineffective/feed/ 0 5687