As a Microsoft Patch Lady, I have been patching computers and servers for over 20 years. We started with a process that was not well planned. We didn’t have a set date and time for patch release, and no way to centrally manage and deploy updates. Over the years, Microsoft has shifted to a more reliable deployment plan and the ability to handle updates through platforms ranging from Windows Update to Windows Software Update Services to cloud services.
So things should be better now, right? We have had 20 years to get it right.
And yet, here is what I saw with patches over the past week.
We are now three months into persistent printing issues caused by patches. (This month included yet another fix for another print spooler vulnerability.) I’ve seen companies dealing with new side effects that directly impact printing and, interestingly, these are companies that have not had any issues with previous updates. This month, Windows 10 peer-to-peer networks appear to be the most affected. (FYI: The trigger for all of these printer issues seems to be the older Type 3 printer drivers. Switching to Type 4 drivers may help if that is an option for you.)
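To see which print queues still depend on Type 3 drivers, the following added example (not from the original article) joins the output of the PrintManagement cmdlets `Get-Printer` and `Get-PrinterDriver`. The function name `Get-PrinterDriverTypeReport` is hypothetical; the script assumes the PrintManagement module is available (Windows 8 / Server 2012 and later).

```powershell
# Added example: report each print queue together with its driver type.
function Get-PrinterDriverTypeReport {
    [CmdletBinding()]
    param(
        # Print server or workstation to query; defaults to the local computer.
        [string]$ComputerName = $env:COMPUTERNAME
    )

    # Index installed drivers by name. MajorVersion is 3 for Type 3 drivers
    # and 4 for Type 4 drivers.
    $drivers = @{}
    foreach ($d in Get-PrinterDriver -ComputerName $ComputerName) {
        # A driver name can be installed for several environments (x64, x86);
        # keep the lowest version so a lingering Type 3 copy is not hidden.
        if (-not $drivers.ContainsKey($d.Name) -or
            $d.MajorVersion -lt $drivers[$d.Name].MajorVersion) {
            $drivers[$d.Name] = $d
        }
    }

    foreach ($p in Get-Printer -ComputerName $ComputerName) {
        $drv = if ($p.DriverName) { $drivers[$p.DriverName] } else { $null }
        [pscustomobject]@{
            Printer      = $p.Name
            QueueType    = $p.Type        # Local queue or Connection to a share
            Shared       = $p.Shared
            DriverName   = $p.DriverName
            DriverType   = if ($drv) { "Type $($drv.MajorVersion)" } else { 'Unknown' }
            Manufacturer = if ($drv) { $drv.Manufacturer } else { $null }
        }
    }
}

$report = @(Get-PrinterDriverTypeReport)
$report | Sort-Object DriverType, Printer | Format-Table -AutoSize

# Summarize how many queues would need a Type 4 driver.
$type3 = @($report | Where-Object { $_.DriverType -eq 'Type 3' })
'{0} of {1} print queues use Type 3 drivers.' -f $type3.Count, $report.Count
```

Run it on both the PC sharing the printer and the client PCs, since each side installs its own copy of the driver.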
I’ve seen some users do the following to get printing to work on a Windows 10 network only:
- Remove the printer on the client PC.
- Add a user to Credential Manager on the client PC for the server PC with administrative privileges.
- Create an administrator user on the server PC or use an existing one. (I haven’t had success with just a standard user.)
- Make sure the Credential Manager username contains the server PC name in front of the username like this: ServerPCNAME\UserName
- Restart the print spooler service.
- Open an administrative command prompt and run the following command to launch the printer installation user interface as administrator: rundll32 printui.dll,PrintUIEntry /il
Others have used a registry setting to bypass RPC authentication protection. But this opens your computer to possible attacks, as it disables the patch’s protections. Some users have uninstalled KB5005565, but that’s where the patching problem lies, even after 20 years: if you remove one patch, you open yourself up to attack from the other vulnerabilities it fixes. Concrete example: if you uninstall this month’s update, you open yourself to the MSHTML vulnerabilities that are used in ransomware attacks. What if the printing issues are not resolved by Microsoft next month? You either have to find your own workaround or risk not being patched.
Obviously, not being patched is not the answer. But when some of the affected printers include point-of-sale workstations and register tapes, not printing isn’t really a solution.
Years ago, Microsoft offered specific updates for each individual security issue. This led to a very fragmented deployment of updates. Often, when a customer called Microsoft with an issue after installing updates, the support team would find that the customer was behind in installing other fixes and was missing key updates that would solve the problem. The main problem was not the security patch; it was that customers were missing other key updates. Microsoft therefore switched to the cumulative update model to ensure that all customers were on the same operating system and had the same base.
While Windows 7 and 8.1 still have the option to install security-only updates, Windows 10 has the cumulative-only model. (Windows 11, due October 5, will also be cumulative.) This means that if you’re having issues with this month’s updates and skip them, the issues might not be fixed in next month’s updates, and you are faced with the same situation again.
If you think moving everything to the cloud is the solution, guess again. Recently, the security company Wiz pointed out that Microsoft places a monitoring agent on every Linux virtual machine deployed in the Azure cloud. These agents have a vulnerability. No problem, Microsoft can just fix it for you, right? Well, as The Register points out, you must patch this problem, not Microsoft. Although it plans to provide resources to automatically patch these agents, this tool is not yet available.
But surely if you just patch your Microsoft software, that will be enough to keep the ransomware at bay, right? Wrong. Researchers have accumulated a list of all software vulnerabilities used in ransomware attacks. It turns out that attackers not only attack Microsoft software, but also use other entry points. SonicWall firewall systems have been the target of ransomware attacks. Network storage options such as QNAP and Synology have been targeted. Even virtual private network software such as Fortinet has been used to gain unauthorized access to a network.
Since attackers look for entry points into networks wherever they can find them, everything from workstations (Microsoft), to storage devices (NAS units) and perimeter devices (firewalls and VPN software), should be monitored at all times for updates. And do you have a solution to monitor and patch all of this? (You should.)
Coming back to where I started, it’s been twenty years and it looks like we’re not making any progress at all. We always seem to go around in circles trying to patch and trying to stay one step ahead of the bad guys. So what can we do? Contact all of our vendors and ask them to do better. They need to make sure that key devices update and patch themselves automatically. They need to understand better that just installing updates won’t work if they cause headaches and side effects that block key functions like printing.
We must do better. Vendors need to do better. Two decades later, the attackers are still on the attack.
Copyright © 2021 IDG Communications, Inc.