August 10, 2021

Microsoft today released software updates to plug at least 44 security vulnerabilities in its Windows operating systems and related products. The software giant warned that attackers already are pouncing on one of the flaws, which ironically enough involves an easy-to-exploit bug in the software component responsible for patching Windows 10 PCs and Windows Server 2019 machines.

Microsoft said attackers have seized upon CVE-2021-36948, which is a weakness in the Windows Update Medic service. Update Medic is a new service that lets users repair Windows Update components from a damaged state so that the device can continue to receive updates.

Redmond says while CVE-2021-36948 is being actively exploited, it is not aware of exploit code publicly available. The flaw is an “elevation of privilege” vulnerability that affects Windows 10 and Windows Server 2019, meaning it can be leveraged in combination with another vulnerability to let attackers run code of their choice as administrator on a vulnerable system.

“CVE-2021-36948 is a privilege escalation vulnerability – the cornerstone of modern intrusions as they allow attackers the level of access to do things like hide their tracks and create user accounts,” said Kevin Breen of Immersive Labs. “In the case of ransomware attacks, they have also been used to ensure maximum damage.”

According to Microsoft, critical flaws are those that can be exploited remotely by malware or malcontents to take complete control over a vulnerable Windows computer — and with little to no help from users. Top of the heap again this month: Microsoft also took another stab at fixing a broad class of weaknesses in its printing software.

Last month, the company rushed out an emergency update to patch “PrintNightmare” — a critical hole in its Windows Print Spooler software that was being attacked in the wild. Since then, a number of researchers have discovered holes in that patch, allowing them to circumvent its protections.

Today’s Patch Tuesday fixes another critical Print Spooler flaw (CVE-2021-36936), but it’s not clear if this bug is a variant of PrintNightmare or a unique vulnerability all on its own, said Dustin Childs at Trend Micro’s Zero Day Initiative.

“Microsoft does state low privileges are required, so that should put this in the non-wormable category, but you should still prioritize testing and deployment of this Critical-rated bug,” Childs said.

Microsoft said the Print Spooler patch it is pushing today should address all publicly documented security problems with the service.

“Today we are addressing this risk by changing the default Point and Print driver installation and update behavior to require administrator privileges,” Microsoft said in a blog post. “This change may impact Windows print clients in scenarios where non-elevated users were previously able to add or update printers. However, we strongly believe that the security risk justifies the change. This change will take effect with the installation of the security updates released on August 10, 2021 for all versions of Windows, and is documented as CVE-2021-34481.”
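For administrators who want to confirm that the Point and Print hardening Microsoft describes is actually in effect on a given machine (or to catch a print server where it was loosened to work around driver breakage and never tightened again), here is an added audit script. It is not from the article or from Microsoft. The registry key and value name it checks are an assumption on my part, taken from Microsoft's KB5005652 guidance for this change rather than from anything stated on this page; confirm them against current Microsoft documentation before relying on the result.

```powershell
# Added example, not from the article or Microsoft: report whether the
# Point and Print "administrator required" behaviour is in effect.
# Assumption: the controlling value is RestrictDriverInstallationToAdministrators
# under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint
# (per KB5005652, not named on this page). Verify before use.
[CmdletBinding()]
param(
    [string]$KeyPath   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint',
    [string]$ValueName = 'RestrictDriverInstallationToAdministrators'
)

function Get-PointAndPrintState {
    param([string]$Path, [string]$Name)

    $value = $null
    if (Test-Path -LiteralPath $Path) {
        # -ErrorAction SilentlyContinue: a missing value simply yields $null.
        $value = (Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    }

    # After the August 2021 updates the default (value absent, or set to 1)
    # requires administrator rights to install or update Point and Print
    # drivers. A value of 0 explicitly restores the old behaviour for
    # non-elevated users. Avoid 'switch' here: switch over $null does not
    # iterate, so the $null case would never match.
    if ($null -eq $value) {
        $state = 'Hardened (value not set, default requires admin)'
    } elseif ($value -eq 1) {
        $state = 'Hardened (explicitly set to 1, admin required)'
    } elseif ($value -eq 0) {
        $state = 'WEAKENED (set to 0: non-admins may install drivers)'
    } else {
        $state = "Unexpected value '$value'; treat as misconfiguration"
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        KeyPath      = $Path
        ValueName    = $Name
        Value        = $value
        State        = $state
        Hardened     = ($null -eq $value -or $value -eq 1)
    }
}

$result = Get-PointAndPrintState -Path $KeyPath -Name $ValueName
$result | Format-List

# A non-zero exit code lets a scheduled task or configuration-management run
# flag drift, for example a print server left at 0 after a troubleshooting session.
if (-not $result.Hardened) { exit 1 }
```

Run it as-is on a workstation or print server to see the current state; in a fleet, the `Hardened` property and the exit code are what a monitoring job should key on, since the value can be toggled back to 0 without any of the printers visibly changing.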

August brings yet another critical patch (CVE-2021-34535) for the Windows Remote Desktop service, and this time the flaw is in the Remote Desktop client instead of the server.

CVE-2021-26424 — a scary, critical bug in the Windows TCP/IP component — earned a CVSS score of 9.9 (10 is the worst), and is present in Windows 7 through Windows 10, and Windows Server 2008 through 2019 (Windows 7 is no longer being supported with security updates).

Microsoft said it was not aware of anyone exploiting this bug yet, although the company assigned it the label “exploitation more likely,” meaning it may not be difficult for attackers to figure out. CVE-2021-26424 could be exploited by sending a single malicious data packet to a vulnerable system.

For a complete rundown of all patches released today and indexed by severity, check out the always-useful Patch Tuesday roundup from the SANS Internet Storm Center. And it’s not a bad idea to hold off updating for a few days until Microsoft works out any kinks in the updates: AskWoody.com usually has the lowdown on any patches that are causing problems for Windows users.

On that note, before you update please make sure you have backed up your system and/or important files. It’s not uncommon for a Windows update package to hose one’s system or prevent it from booting properly, and some updates have been known to erase or corrupt files.

So do yourself a favor and backup before installing any patches. Windows 10 even has some built-in tools to help you do that, either on a per-file/folder basis or by making a complete and bootable copy of your hard drive all at once.

And if you wish to ensure Windows has been set to pause updating so you can back up your files and/or system before the operating system decides to reboot and install patches on its own schedule, see this guide.

If you experience glitches or problems installing any of these patches this month, please consider leaving a comment about it below; there’s a decent chance other readers have experienced the same and may chime in here with useful tips.


31 thoughts on “Microsoft Patch Tuesday, August 2021 Edition”

  1. AJNorth

    Thank you for the AskWoody.com plug, Brian!

    Cheers,
    AJN

    1. JamminJ

      Or free upgrades to Windows 10. Then all security updates are free.

          1. Other-anon

            Not really at all, 10 logs your app usage and opts in to telemetry then re-enables it multiple times even after the user turned it off via “security” update rollups. Not comparable.

            1. JamminJ

              10 is certainly more cloud service-y. Especially for home users.
              But 7 has its own long laundry list of things too.
              Anyone thinking that staying on Windows 7 somehow makes their computer use more private is fooling themselves. If anything, now they’re struggling to keep secure too.

              1. Other-anon

                As far as privacy from MS, that’s nonsense entirely.

                1. JamminJ

                  Exactly my point. If you really care enough about privacy…. You shouldn’t keep Windows 7. I use Linux as daily driver.

                  This isn’t about defending Microsoft. It’s about recognizing that staying on Windows 7 isn’t any better.

                  It doesn’t matter if you pay for Windows 7 updates or upgrade to Windows 10. You’re still in Microsoft’s ecosystem.

                  1. Other-anon

                    Windows 7 is objectively better in several privacy avenues.
                    The original point stands, maybe you don’t understand why.
                    That’s ok.

                    1. nobody

                      How is Windows 7 more private. I don’t see any reasoning here.
                      And are you suggesting a gain in privacy from Microsoft is worth the major loss of security updates?

        1. ytwokman

          If you are really concerned about that you can always run Pi-hole and send the background MS requests to the dustbin.

    2. P.D.

      …and 0Patch will do the same thing, in essence, for about $26 USD, vs. $140 USD for MSFT.

      Made my choice in January, never regretted using 0Patch.

  2. The Sunshine State

    Mozilla Firefox was updated to version 91.0

  3. OndraH

    CVE-2021-26424 (TCP/IP RCE) is exploitable only within Hyper-V host, when malicious guest sends specially crafted IPv6 ping to the host (according to MS statement: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26424). This is likely caused by unchecked bounds together with optimized communication within virtual switch (not segmenting/fragmenting large payloads when there is no need to do so). If this is true, there’s no worry about exploitation over real network (i.e. when the traffic goes through the physical NIC), although questions remain – what about jumbo frames and why CVSS attack vector is stated as “network” instead of “adjacent”?

  4. DannoB

    Microsoft is still releasing security patches for Windows 7. You just have to pay for them via the ESU.

  5. Marie Drape

    Well it screwed with my laptop! Now I have a box that turns on but just sits with black screen

    1. Anthony

      had the same thing on a dell laptop… hold down the power button for 30 seconds, (more than 25, less than 40) to reset the system clock. it will wake back up.

      1. Jim Davis

        I’ve had an older Dell laptop go black screen on reboot a few times with MAJOR Win 10 updates. Screws with the video drivers!!! Have to boot in safe mode and then force install recent Intel video drivers to get back the video. A normal install is blocked.

        Nice huh.

  6. zac

    wow I am glad I run linux. We get security issues too but never this bad or this often…

  7. MV

    Our printing through the print server is broken after this month’s updates

    1. pwank

      Some drivers (Type 3) that didn’t previously require admin rights to run do now.

      1. MV

        So even if an admin installs the driver, a non-admin user can’t use the driver?? That seems really counter productive.
        Most or all of our printers are applied via gpo, and this update killed them for non-admin users. Having users run as local admin is not good practice. We are testing different gpo settings to see if there is a way to make it work.

            1. JamminJ

              Not a guess. It works for me and a few thousand other systems I’ve already tested.

              With all things Microsoft, Your Mileage May Vary. Windows updates should always be tested.

    2. Susan

      Same – check what version OS your print server is. If you have any Windows Server 2008 R2 servers, it will actually remove the driver from the printers at the host level and it’s a pain to try and get it put back in place. You have to remove the registry setting (set to 0) to install the driver, then reset the registry back to 1 after (to lock it back down). And oh by the way, it re-breaks after a reboot again.
      So far the only thing we’ve gotten back from MS is that they have no resolution at this time, and it’s a global impact. Rolling this up into a multi-critical update was a terrible idea. The only fix at this time is to update the OS. And when you have a large enterprise, that’s not easy.

  8. Barb Coenen

    So I’m resetting my Acer laptop for the 2nd time to try to get it working after the Aug 2021 update bombed in the middle of updating. Black screen with the blue circle for 2 hours. I was planning on working for a living – remote – but guess that isn’t happening today. I have hours into trying to get this 1 year old laptop to work. Not pleased.

Comments are closed.