Microsoft is struggling through a rough July for security issues even as the company continues to add more cybersecurity capabilities through acquisitions.
The software giant earlier this month issued an emergency update in Windows after researchers at cybersecurity vendor Sangfor published a blog about a security flaw dubbed “PrintNightmare.” Sangfor had published the exploit code, which could help bad actors understand how to use it to break into systems running all versions of the operating system.
That problem was followed later in the month by another vulnerability in the Windows Print Spooler service in Windows, this one that could allow for local privilege execution at the SYSTEM level. Microsoft issued a workaround for this issue while it developed a patch. The service essentially is the go-between for Windows and printers.
Most recently, another escalation privilege bug affecting Windows 10, called SeriousSAM and impacting the Security Accounts Manager (SAM) database in all versions of Windows 10, could enable attackers to reach the SYSTEM level to data on a system and create accounts. Another workaround was suggested by the company.
And Microsoft Exchange vulnerabilities were at the center of U.S. hacking allegations against China.
Microsoft and Security
The bad luck streak harkens back to the days a decade or more ago when Microsoft was seen as a company that was more concerned with the features it could add to its dominant operating systems than with the security of the OS. But that would be an unfair assessment, according to Chris Gonsalves, vice president of research at Channelnomics, adding that Microsoft is better at security now than at any other point in its history.
Gonsalves noted that Microsoft’s actions around both the Print Spooler and SeriousSAM vulnerabilities have been good, both in the company’s mitigation responses and its interactions with the researchers in the industry.
“If you get hit with three things in a month, it’s kind of kismet,” he told eSecurity Planet. “It is a critical mass of those things and it seems overwhelming. It seems like things are really bad. The other part of it is a lot of people are banging around the edges of Microsoft right now because Windows 11 is on the horizon. At least in a couple of cases here, these research programs began as folks looking at beta code for Windows 11 and discovering things that ultimately retrograded back to Windows 10. But they were essentially looking for things in Windows 11 and that activity on the cusp of what’s going to be a very high-profile rollout of the most popular operating system on the planet is also a part of this.”
One piece of evidence that Microsoft is taking security seriously is how well its free Defender software has performed in MITRE ATT&CK testing, which measures the effectiveness of endpoint security products against aggressive threat actors.
Security Buying Spree
At the same time that its security is under renewed scrutiny, Microsoft has made several acquisitions in recent months to bulk up its security capabilities, including in the cloud, where it is the second-largest public cloud provider with Azure, behind Amazon Web Services (AWS). The company this week announced the acquisition of CloudKnox Security, a player in the cloud infrastructure entitlement management (CIEM) space that brings with it a platform to help monitor and manage identities and resources in multicloud and hybrid cloud environments.
That news came less than two weeks after Microsoft unveiled its acquisition of startup RiskIQ and its threat intelligence services for more than $500 million, and three weeks after announcing it was buying ReFirm Labs to strengthen its Internet of Things (IoT) security capabilities.
“Our acquisition of CloudKnox, like our recent acquisition announcements on RiskIQ and ReFirm Labs, shows our focus and execution in acquiring, integrating and expanding the strongest defenses for our customers – from chip to cloud – backed by more than 3,500 defenders at Microsoft and the more than 8 trillion security signals we process every day,” Joy Chik, corporate vice president of Microsoft Identity, wrote in a blog post.
The Flaws in Windows
With the SeriousSAM flaw – CVE-2021-36934 – the SAM feature in Windows is designed to hold user accounts, credentials and domain information. An attacker would need remote or local access to a Windows 10 system, but once in, could access the SAM database. They then could take the hashed credentials offline, decrypt them and use them to get by the OS user access controls.
In an advisory, Microsoft said that the “elevation of privilege vulnerability exists because of overly permissive Access Control Lists (ACLs) on multiple system files, including the Security Accounts Manager (SAM) database. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”
Like SeriousSAM, the Print Spooler vulnerability found mid-month (CVE-2021-34481) also allows for local privilege escalation. According to a Microsoft advisory, this flaw “exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”
To leverage the flaw, the bad actor would need to be able to execute code on a compromised system. As a workaround, the vendor recommended stopping and disabling the Print Spooler service.
PrintNightmare is a remote code execution vulnerability – CVE-2021-34527 – also within the Windows Print Spooler service. It caught the attention of U.S. agencies like the Cybersecurity and Infrastructure Security Agency (CISA) and CERT Coordination Center, which highly recommended agencies disable the service.
The vulnerability enables an authenticated user to get system-level access on compromised systems and to Active Directory administrative servers and domain controllers. Through this access, cybercriminals can insert malware and run arbitrary code, allowing them to create new user accounts or change, view or delete data. Microsoft delivered a patch for the vulnerability.
User Experience at Issue
Channelnomics’ Gonsalves said the flaws are serious but it’s doubtful that there will be a rush among bad actors to take advantage of them, at least in the short term.
“There are exploits in the wild now, but these are the products of what you would expect to see from a robust research community banging away at stuff and dutifully notifying,” he said. “We hear more about this than the hoi-polloi of cybercriminals, who continue to leverage things that are older than you and me.”
Some of these vulnerabilities were the result of Microsoft trying to improve the user experience in Windows.
“Part of the issue with something like PrintSpooler is that it was not a great program,” Gonsalves said. “The same with SeriousSAM. Fundamental errors were made and if you take apart the motivations for those programming errors, it was really an effort to make things easier for users.”
With Print Spooler, “you want somebody who doesn’t have admin rights to at least be able to choose a printer and install a printer driver to get their work done,” he said. “What you didn’t think through is that if you do that and [an attacker is] able to copy the envelope where the drivers live and spoof the drivers and run other kinds of unauthorized code, you have a privilege escalation problem on your hands. They didn’t think that through. So it’s not great programing, but they were trying to make life easier for the users.”