Microsoft August Patch Tuesday: 44 fixes — and the Nightmare continues

August was a relatively light month for Microsoft vulnerabilities, but Patch Tuesday has fixes for several exploits, including — yet again — PrintNightmare.

As summer winds down, IT security is still very much at the forefront of the news. Blackhat USA conducted its annual cybersecurity event, for the 24th year, in Las Vegas as a combination virtual and in-person conference. Topics of the briefings indicate how much has changed over the last decade. Ten years ago, Windows vulnerabilities were the main focus — this year, cloud and platform security, vulnerabilities in macOS, Linux, AWS, and DNS dominate, along with issues pertaining to supply chain and health-care systems and other specialized verticals.

That doesn’t mean Microsoft was off the hook; Hyper-V, IIS, and the Windows heap-backed kernel pool were also targeted, but it does show that you can’t escape the attackers by switching to a different operating system. Meanwhile, all software vendors have to remain vigilant and work to find and fix the vulnerabilities that inevitably exist in their products and services.

This month’s slate of Microsoft vulnerability fixes is relatively small in comparison to that of July, with fewer than half the number of patched security issues. This time, we see 44 vulnerabilities addressed, seven of which are rated critical. Three are classified as zero-day vulnerabilities that had been publicly disclosed before the patch release, but an active exploit has been detected for only one of them.

Let’s take a look at this month’s critical and important updates.

Overview

  • As usual, you can download the Excel spreadsheet from the Microsoft Security Update Guide website for a full list of the August releases. This month’s updates apply to a broad range of Microsoft products, features, and roles, including .NET Core & Visual Studio, ASP .NET, Azure, Azure Sphere, Microsoft Azure Active Directory Connect, Microsoft Dynamics, Microsoft Graphics Component, Microsoft Office, Microsoft Office SharePoint, Microsoft Office Word, Microsoft Scripting Engine, Microsoft Windows Codecs Library, Remote Desktop Client, Windows Bluetooth Service, Windows Cryptographic Services, Windows Defender, Windows Event Tracing, Windows Media, Windows MSHTML Platform, Windows NTLM, Windows Print Spooler Components, Windows Services for NFS ONCRPC XDR Driver, Windows Storage Spaces Controller, Windows TCP/IP, Windows Update, Windows Update Assistant, and Windows User Profile Service.

Many of the CVEs that are addressed include mitigations, workarounds, or FAQs that may be relevant to specific cases, so be sure to check those out if you cannot install the updates due to compatibility or other reasons.

In this blog post, we’ll focus on the critical issues since they pose the greatest threat.

The most high-profile issue, the ongoing PrintNightmare nightmare, has been addressed — again. Here’s hoping this time will fully fix the issue. A vulnerability in the print spooler was discovered and disclosed in June, and Microsoft released an out-of-band update to patch it. Unfortunately, that wasn’t the end of it, as another vulnerability was then discovered in the Point and Print feature. This month’s patch addresses that problem. The new fix will require users to have admin privileges to install printer drivers using this feature. We’ll discuss it more below.

Critical and exploited vulnerabilities

This year has seen an increase in zero-day disclosures and attacks, so we will look first at this month’s zero-day vulnerabilities that have been fixed.

Vulnerability being exploited in the wild

The following vulnerability is the only one this month to have been detected as having already been exploited in the wild:

  • CVE-2021-36948Windows Update Medic Service Elevation of Privilege Vulnerability. This is an elevation of privilege issue that is rated Important. Still, it has been exploited in the wild, and the exploit can result in a total loss of confidentiality, integrity, and availability. No user interaction is required to accomplish the exploit. It affects Windows 10 and Windows Server 2019, as well as Windows Server versions 2004 and 20H2 (includes Server Core installations).

Other vulnerabilities exposed prior to patch release

The remaining two zero-day vulnerabilities (which did not yet have any known exploits detected in the wild) include:

  • CVE-2021-36936 – Windows Print Spooler Remote Code Execution Vulnerability. This is the latest iteration of the infamous multi-part PrintNightmare discussed above. It is rated critical. The exploit can result in a total loss of confidentiality, integrity, and availability. No user interaction is required to accomplish the exploit. It affects Windows 7, 8.1, RT 8.1, and Windows 10 client operating systems, as well as Windows Server 2008, 2008 R2, 2012, 2012 R2, 2016, 2019, and versions 2004 and 20H2 (includes Server Core installations).
  • CVE-2021-36942 – Windows LSA Spoofing Vulnerability. This is another that’s rated important. Exploit can result in a total loss of confidentiality, but there is no loss of integrity or availability. No user interaction is required to accomplish the exploit. It affects Windows Server 2008, 2008 R2, 2012, 2012 R2, 2016, 2019, and versions 2004 and 20H2 (includes Server Core installations). Client operating systems are not affected.

Other critical vulnerabilities patched

patch tuesday

Seven vulnerabilities this month were classified as critical, including the one above. The following six vulnerabilities are all rated critical but had not been disclosed or exploited prior to patch release:

  • CVE-2021-34530 – Windows Graphics Component Remote Code Execution Vulnerability. This is a vulnerability by which the attacker accomplishes an exploit by accessing the target system locally or remotely, or the attacker relies on user interaction to exploit the vulnerability. The exploit can result in a total loss of confidentiality, integrity, and availability. It affects Windows 10 and Windows Server 2019, as well as Windows Server versions 2004 and 20H2 (includes Server Core installations).
  • CVE-2021-34480 – Scripting Engine Memory Corruption Vulnerability. This is a remotely exploitable vulnerability, which requires no privileges but does require user interactions to exploit the vulnerability. The exploit can result in total loss of confidentiality and integrity, but availability is not affected. It affects Windows 7, 8.1, RT 8.1, and Windows 10 client operating systems, as well as Windows Server 2008, 2008 R2, 2012, 2012 R2, 2016, 2019, and versions 2004, 20H2, and 21H2 (includes Server Core installations).
  • CVE-2021-34535 – Remote Desktop Client Remote Code Execution Vulnerability. This is a remotely exploitable vulnerability, which requires no privileges but does require user interactions to exploit the vulnerability. The exploit can result in a total loss of confidentiality, integrity, and availability. It affects Windows 7, 8.1, RT 8.1, and Windows 10 client operating systems, as well as Windows Server 2008, 2008 R2, 2012, 2012 R2, 2016, 2019, and versions 2004 and 20H2 and 21H2 (includes Server Core installations).
  • CVE-2021-34534 – Windows MSHTML Platform Remote Code Execution Vulnerability. This is a remotely exploitable vulnerability, which requires no privileges but does require user interactions to exploit the vulnerability. The exploit can result in total loss of confidentiality and integrity, but availability is not affected. It affects Windows 10 and Windows Server 2016 and 2019.
  • CVE-2021-26432 – Windows Services for NFS ONCRPC XDR Driver Remote Code Execution Vulnerability. This is a remotely exploitable vulnerability, which requires no privileges and does not require user interactions to exploit the vulnerability. The exploit can result in a total loss of confidentiality, integrity, and availability. It affects Windows 8.1, RT 8.1, Windows 10, and Windows Server 2012, 2012 R2, 2016, 2019, and versions 2004 and 20H2 and 21H2 (includes Server Core installations).
  • CVE-2021-26424Windows TCP/IP Remote Code Execution Vulnerability. This is a remotely exploitable vulnerability, which requires a low level of privileges and does not require user interactions to exploit the vulnerability. The exploit can result in a total loss of confidentiality, integrity, and availability. It affects Windows 7, 8.1, RT 8.1, and Windows 10 client operating systems, as well as Windows Server 2008, 2008 R2, 2012, 2012 R2, 2016, 2019, and versions 2004, 20H2, and 21H2 (includes Server Core installations).

Important and moderate updates

In addition to the critical and zero-day updates listed above, this month’s patches address a total of thirty-seven important vulnerabilities (including the two zero-days discussed above). You can find these in the Security Updates Guide.

Other updates

The following cumulative update was released for Microsoft’s IE 11 web browser:

KB5005036: Cumulative security update for Internet Explorer

Advisories

KB5005652 – Manage new Point and Print default driver installation behavior. This advisory contains instructions on how to edit a registry key to modify the default behavior of the update for CVE-2021-34481, which by default requires admin privileges to install printer drivers using Point and Print. This is for organizations that need users without administrative privileges to be able to install printer drivers via Point and Print. It is recommended that in this case, you permit users to only connect to specific trusted printers or specific trusted Package Point and Print servers by using Group Policy. Instructions for this are included in this advisory.

Applying the updates

Most organizations will deploy Microsoft and third-party software updates automatically to their servers and managed client systems using a patch management system of their choice, such as GFI’s LanGuard. Automated patch management saves time and reduces the risk of botched installations.

Most home users will receive the updates via the Windows Update service that’s built into the operating system.

Microsoft provides direct downloads for those who need to install the updates manually. You can download these from the Microsoft Update Catalog.

Known Issues

Before installing updates, you should always research known issues that could affect your particular machines and configurations before rolling out an update to your production systems. There are a large number of such known issues that impact this month’s updates. A full list of links to the KB articles detailing these issues can be found here in the release notes for this month’s updates.

Malicious Software Removal Tool (MSRT) update

The MSRT is used to find and remove malicious software from Windows systems, and its definitions are updated regularly. The updates are normally installed via Windows Update, but if you need to download and install them manually, you’ll find the links for the 32- and 64-bit versions in Remove specific, prevalent malware with Windows Malicious Software Removal Tool (KB890830) (microsoft.com)

Third-party releases

In addition to Microsoft’s security updates, this month’s Patch Tuesday brought two updates from Adobe and updates from Mozilla for Thunderbird, Firefox 91, and Firefox ESR, all of which will be discussed in more detail in this month’s Third-Party Patch Roundup at the end of August.

About The Author

Leave a Comment

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top