Researchers at security firm Sangfor recently found a Windows vulnerability that could allow hackers to remotely gain access to the operating system and installed programs, view and delete data, and cause other havoc. It is exploited through the software that handles your queue of print jobs, hence its nickname: PrintNightmare.
The patching process (through which programs are updated to improve their security, performance, or other features) for PrintNightmare has been… well, to the delight of headline writers the world around, something of a nightmare. As of publishing, there have been two separate patches that haven’t fully resolved the issue. We’re going to take a dive into this particular vulnerability, the issues people and companies have with patching, and why even flawed patches are important.
How PrintNightmare works, and what’s special about it
The vulnerability is an issue in the Windows print spooler, the software that handles sending print jobs to the printer.
Vulnerabilities get announced fairly often. What complicates matters, in this case, is that Sangfor also accidentally leaked information on how the vulnerability could be exploited by hackers. This information offered a guide for hackers to unleash a zero-day exploit.
How does PrintNightmare affect me?
Because PrintNightmare involves the printing functionality on Windows computers, this exploit impacted more people in the day-to-day than most. CERT Coordination Center (CERT/CC) recommended that prior to a fix, organizations disable their print spooler software. This is a classic example where security and usability clash — not being able to use your printer is an incredibly frustrating experience for the average person.
How does something like PrintNightmare get fixed?
Companies release updates to programs to improve their security, performance, or other features in what’s known as patching. Keeping software patched and up to date strengthens your cybersecurity and protects you against vulnerabilities. It’s up to individuals and companies to patch their computers and software as needed.
As an MSP, we oversee patching and monitoring for many different organizations. When something like PrintNightmare is announced, we spring into action. Integris vCISO Nick McCourt talked about this in a recent discussion. Something of this level requires a roundtable with a roster of engineers, technicians, and directors.
Our team looks at the criticality of the vulnerability in question, as well as its potential impact on us and our clients. We maintain asset listings, which we use in situations like this to check and see who has what applications, computers, and servers that might be impacted.
For something like PrintNightmare, our first priority was to look at servers that are public-facing and interacting with the world. Anything along those lines that is not absolutely essential for the organization gets turned off until Microsoft develops a solution in the form of a patch.
From there, we’re reconfiguring to mitigate these vulnerabilities as much as possible and stopping or applying patches as needed. The bottom line is that there is a real process for each of our clients, and it’s tailored to impact and criticality.
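The process above (check the asset list for affected hosts, then turn off the spooler where it is not essential, as CERT/CC recommended) can be scripted. The following is an added example, not Integris’s own tooling: it assumes Windows PowerShell 5.1 with PowerShell Remoting enabled on the targets, an account with local admin rights, and a constructed list of hostnames.

```powershell
# Added example (not from the original post): inventory the Print Spooler across
# a constructed list of hosts and disable it only where no printers are shared.
# Assumes Windows PowerShell 5.1, WinRM remoting enabled, and local admin rights.
param(
    [string[]]$ComputerName = @('DC01', 'FILESRV01', 'WEB01'),  # constructed sample hostnames
    [switch]$Disable   # without this switch the script only reports
)

$report = foreach ($computer in $ComputerName) {
    try {
        Invoke-Command -ComputerName $computer -ErrorAction Stop -ScriptBlock {
            $svc = Get-Service -Name Spooler
            # A host that shares printers is one where the spooler is likely essential.
            $shared = @(Get-Printer -ErrorAction SilentlyContinue | Where-Object { $_.Shared })
            [pscustomobject]@{
                Computer       = $env:COMPUTERNAME
                SpoolerStatus  = $svc.Status.ToString()
                StartupType    = $svc.StartType.ToString()
                SharedPrinters = $shared.Count
                # Candidate for disabling if nothing is shared from this host.
                CanDisable     = ($shared.Count -eq 0)
            }
        }
    } catch {
        # Unreachable hosts are exactly the ones that fall through the cracks; record them.
        [pscustomobject]@{ Computer = $computer; SpoolerStatus = 'UNREACHABLE';
                           StartupType = $null; SharedPrinters = $null; CanDisable = $false }
    }
}

$report | Format-Table Computer, SpoolerStatus, StartupType, SharedPrinters, CanDisable -AutoSize

if ($Disable) {
    foreach ($row in $report | Where-Object { $_.CanDisable -and $_.SpoolerStatus -eq 'Running' }) {
        Invoke-Command -ComputerName $row.Computer -ScriptBlock {
            Stop-Service -Name Spooler -Force
            Set-Service -Name Spooler -StartupType Disabled   # stays off across reboots until re-enabled
        }
        Write-Host "Disabled Print Spooler on $($row.Computer)"
    }
}
```

Run it without -Disable first to review the report against your asset list; hosts reported as UNREACHABLE belong on the list of machines that need a manual check.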
Microsoft’s initial patches didn’t fix the issue, but they’re still important
Microsoft released an emergency patch outside of their normal patching schedule because of how serious this issue was. But questions were raised when it was discovered the next day that the patch wasn’t bulletproof, and there was still an opportunity for hackers to exploit the flaw. On August 10th, another Windows update was released, but researchers still reported that they had found ways around the fixes.
It’s true that Microsoft’s initial patches haven’t completely fixed the vulnerability. But they did fix significant issues found with the vulnerability — just not all of them. These are still important patches to receive and install ASAP.
From Integris vCISO, Nick McCourt:
It’s better to install that than not to have it, because if you don’t have it and you fall behind on the patching, it may be that there is some sort of security patch that addresses a vulnerability like this, and if you just don’t have it at all, then that’s not really on Microsoft. For example, it’s not Microsoft’s fault if they provided you with a patch and you didn’t install it.
If on the other hand, they did provide you with a patch, you did install it and there’s still a problem… that’s something that Microsoft, as a software vendor and a developer, has to fix. That’s on them.
It’s easy to think of Microsoft’s patches in this case like a vaccine: no vaccine is 100% effective, but they still offer protection.
Why do some companies not patch and update?
The fact that the vulnerability is not completely solved leads some people to conclude that patching is unimportant. There are many potential reasons why an individual or company patches sporadically or doesn’t patch at all.
For starters, it costs time and money to have someone patch. If you don’t have a dedicated IT staff, it might not be getting addressed at all. And even if you have an IT team, it can often be the perfect combination of “tedious” and “not urgent enough” that it becomes prime procrastination material.
You also can only patch what you know is there. Plenty of homes and offices have dusty old computers or machines that are unused but still functional and potentially connected to the internet. These are dangerous from a cybersecurity standpoint because almost no one is checking for them. Even for companies that have IT, if there’s no up-to-date technology asset inventory, things could be falling through the cracks.
A big concern for some is that patching inherently introduces risk into the equation. Sometimes patches can break something important in unexpected ways. Companies sometimes think it’s safer to not patch because of this. Of course, most patches do not cause these issues, and many of the issues can be mitigated by testing the patches — but again, it comes back to time/money/effort for this. As an MSP, we typically send out whitelisted patches first and then send our other patches after we test them. But most importantly, patching protects you from major vulnerabilities, which have a much larger risk of harm than the patches themselves.
Incorporate patching into your business
Patching is not an inherent lost cause. Companies ultimately need to make patching a priority in their organizations and develop a plan for regular updates. In an ideal world, patching is just another task for business-as-usual.
What this requires is having an advocate (ideally, multiple advocates) who make a place for security in their organization. Patching is just one part of a cybersecurity plan. Other parts of this plan, like having a technology asset inventory, are important in their own right and also help out in events like this.
Interested in delving deeper into your organization’s patching situation? Reach out to Integris today.