Microsoft recently released details of three zero-day vulnerabilities. Nick Smith looks at the risks and how to protect your business.
At the time of publication, patches were not yet available, but Microsoft has released workarounds for each of the three vulnerabilities to mitigate the risk in the meantime.
Should we be worried?
Zero-day vulnerabilities are common, and it’s important to stay up to date with new announcements and patches from Microsoft or other providers. Cyber attacks can grind business to a halt, which could ultimately trigger financial losses, disruption of services and reputational damage. There are also regulatory implications, such as operational resilience for financial services firms, or the risk of high fines under the General Data Protection Regulation (GDPR) for the loss of personal data. Taking prompt action as part of a cohesive cyber security framework can help your organisation reduce these risks and continue to grow.
The most prominent of the three is a flaw in the Windows Print Spooler service, dubbed PrintNightmare (CVE-2021-34481). Microsoft's advisory initially classified it as a remote code execution vulnerability and has since retitled it as an elevation of privilege; either way, an attacker who successfully exploits it can run arbitrary code with SYSTEM privileges on the affected machine, and from there install programs and view, change or delete data. Until a patch is available, Microsoft's workaround is to stop and disable the Print Spooler service. Organisations should be aware that this removes the ability to print, both locally and to remote printers, from every machine on which the service is disabled, so print servers need special consideration.
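The following PowerShell is an added example, not part of the original article or of Microsoft's advisory text: it checks whether a host is acting as a print server before applying the workaround described above (stop and disable the Print Spooler), and provides the matching rollback for when the patch has been installed. The function names are my own.

```powershell
# Added example: apply and roll back the CVE-2021-34481 workaround.
# Run in an elevated PowerShell session on the host in question.

function Test-PrintServerRole {
    # Returns $true when the host shares printers, i.e. other machines print
    # through it, so disabling the spooler here breaks printing for them too.
    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    if (-not $svc -or $svc.Status -ne 'Running') { return $false }
    $shared = Get-Printer -ErrorAction SilentlyContinue | Where-Object { $_.Shared }
    return [bool]$shared
}

function Get-PrintSpoolerState {
    # Compliance snapshot for fleet reporting: is the service stopped and disabled?
    Get-Service -Name Spooler |
        Select-Object @{ n = 'Computer'; e = { $env:COMPUTERNAME } }, Status, StartType
}

function Disable-PrintSpooler {
    # Microsoft's workaround: stop the service and prevent it from starting again.
    # Refuses to act on a print server unless -Force is given.
    param([switch]$Force)
    if ((Test-PrintServerRole) -and -not $Force) {
        Write-Warning 'This host shares printers; re-run with -Force to disable the spooler anyway.'
        return Get-PrintSpoolerState
    }
    Stop-Service -Name Spooler -Force
    Set-Service  -Name Spooler -StartupType Disabled
    Get-PrintSpoolerState
}

function Enable-PrintSpooler {
    # Rollback once the patch has been applied and verified.
    Set-Service   -Name Spooler -StartupType Automatic
    Start-Service -Name Spooler
    Get-PrintSpoolerState
}

Disable-PrintSpooler
```

To apply this across many machines, wrap the call in Invoke-Command against a list of hosts and collect the Get-PrintSpoolerState output as evidence that the workaround is in place.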
HiveNightmare (CVE-2021-36934), also referred to as SeriousSAM, is a comparable zero-day that affects the Windows registry hives. It is the result of overly permissive access control lists (ACLs) on several files under %windir%\system32\config, most seriously the Security Account Manager (SAM) database, which let any standard local user read them. Because those files are locked while Windows is running, an attacker who already has a foothold on the device reads them from a Volume Shadow Copy instead; with the SAM and SYSTEM hives in hand they can extract password hashes and elevate their privileges to SYSTEM, gaining access to every user's files on the machine. Windows 10 version 1809 and later are affected. This would grant a malicious actor unauthorised access to the organisation's data, posing operational risks and potential data loss. To mitigate the risk, Microsoft advises restricting access to the contents of %windir%\system32\config and then deleting any Volume Shadow Copy Service (VSS) shadow copies and System Restore points created before the ACLs were tightened, since those copies still contain the readable hives; a fresh restore point can be created afterwards.
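The following PowerShell is an added example, not part of the original article or of Microsoft's advisory: it checks for the CVE-2021-36934 condition described above (BUILTIN\Users able to read the SAM hive while shadow copies exist) and then applies Microsoft's workaround steps in order. Function names are my own; the icacls and vssadmin invocations are the ones the advisory gives.

```powershell
# Added example: detect and remediate the HiveNightmare / SeriousSAM condition.
# Run in an elevated PowerShell session.

function Test-HiveNightmareExposed {
    # Vulnerable state: BUILTIN\Users holds an Allow ACE with read access on the SAM hive.
    $acl = Get-Acl -Path "$env:windir\System32\config\SAM"
    $usersRead = $acl.Access | Where-Object {
        $_.IdentityReference -eq 'BUILTIN\Users' -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::ReadData)
    }
    # The live hive is locked; shadow copies are what makes the permissive ACL exploitable.
    $shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy)
    [pscustomobject]@{
        UsersCanReadSam = [bool]$usersRead          # ACL still needs fixing if $true
        ShadowCopies    = $shadows.Count
        Exposed         = ([bool]$usersRead) -and ($shadows.Count -gt 0)
    }
}

function Repair-HiveNightmare {
    # Step 1 (Microsoft workaround): re-enable inheritance so the hive files pick
    # up the restrictive ACL of the config directory instead of their own loose ACEs.
    & icacls.exe "$env:windir\system32\config\*.*" /inheritance:e | Out-Null

    # Step 2: remove every existing shadow copy (and with them the old restore
    # points); anything created before step 1 still carries the readable hives.
    & vssadmin.exe delete shadows /all /quiet | Out-Null

    # Step 3 (optional): create a new restore point that reflects the fixed ACLs.
    # Checkpoint-Computer exists only on client Windows with System Restore enabled.
    try {
        Checkpoint-Computer -Description 'Post CVE-2021-36934 ACL fix' -ErrorAction Stop
    } catch {
        Write-Warning "Restore point not created: $($_.Exception.Message)"
    }

    Test-HiveNightmareExposed
}

Test-HiveNightmareExposed
```

Run Test-HiveNightmareExposed first to record the pre-fix state, then Repair-HiveNightmare; the final object should report UsersCanReadSam and Exposed as False. Deleting shadow copies also discards any backups that depend on them, so confirm that before running step 2 on a server.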
The third and final vulnerability relates to a flaw that could hand an attacker control of the whole Windows domain. Known as PetitPotam and tracked by Microsoft under advisory ADV210003, it is not a new class of weakness in itself but a new way of triggering a long-documented one: a Windows NT LAN Manager (NTLM) relay attack. PetitPotam coerces a server, including a domain controller, into authenticating to an attacker-controlled host; the attacker relays that NTLM authentication to Active Directory Certificate Services (AD CS) web enrollment to obtain a certificate for the server's own account, which can then be used to authenticate as that server and take over the domain. Microsoft has documented NTLM relay for years; at the time of publication there is no fix for the coercion itself, but the advisory sets out workarounds.
Microsoft's preferred mitigation is to disable NTLM authentication on domain controllers and rely on Kerberos. Where NTLM cannot be disabled across the domain, administrators must enable protections against NTLM relay on the AD CS servers: deny incoming NTLM on those servers and disable NTLM for IIS on the servers running Certificate Authority Web Enrollment or Certificate Enrollment Web Service, and enable Extended Protection for Authentication (EPA) and require SSL on those two services. The systems most at risk are domain controllers and AD CS servers in domains where NTLM authentication is enabled and either of these web enrollment roles is in use. Administrators should follow the workaround procedures closely and confirm afterwards that the enrollment endpoints no longer accept NTLM without channel binding.
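The following PowerShell is an added example, not part of the original article or of Microsoft's advisory: it reports which of the two at-risk AD CS roles are installed on a server and applies the three IIS and NTLM settings described above to the Certificate Authority Web Enrollment application. It assumes web enrollment lives at the default IIS path 'Default Web Site/CertSrv'; the function names are my own.

```powershell
# Added example: ADV210003 workarounds for an AD CS server hosting web enrollment.
# Run elevated on the CA server. Assumes the default 'Default Web Site/CertSrv' path.

Import-Module WebAdministration

$CertSrvPath = 'IIS:\Sites\Default Web Site\CertSrv'   # assumption: default install path
$Msv1Key     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

function Get-AdcsRelayExposure {
    # Which at-risk roles are present, and are the protections in place?
    $roles = Get-WindowsFeature -Name ADCS-Web-Enrollment, ADCS-Enroll-Web-Svc |
             Where-Object Installed | Select-Object -ExpandProperty Name
    $ntlm = Get-ItemProperty -Path $Msv1Key -Name RestrictReceivingNTLMTraffic -ErrorAction SilentlyContinue
    $epa  = Get-WebConfigurationProperty -PSPath $CertSrvPath `
              -Filter 'system.webServer/security/authentication/windowsAuthentication/extendedProtection' `
              -Name tokenChecking
    $ssl  = Get-WebConfigurationProperty -PSPath $CertSrvPath `
              -Filter 'system.webServer/security/access' -Name sslFlags
    [pscustomobject]@{
        WebEnrollmentRoles   = ($roles -join ',')
        # 0 = allow all, 1 = deny all domain accounts, 2 = deny all accounts
        IncomingNtlmRestrict = if ($ntlm) { $ntlm.RestrictReceivingNTLMTraffic } else { 0 }
        CertSrvEpa           = $epa.Value     # want 'Require'
        CertSrvSslFlags      = $ssl.Value     # want to include 'Ssl'
    }
}

function Set-AdcsRelayProtections {
    # 1. Extended Protection for Authentication on Windows Authentication: Required.
    #    This binds the NTLM exchange to the TLS channel, so a relayed handshake fails.
    Set-WebConfigurationProperty -PSPath $CertSrvPath `
        -Filter 'system.webServer/security/authentication/windowsAuthentication/extendedProtection' `
        -Name tokenChecking -Value 'Require'

    # 2. Require SSL on the enrollment application; EPA depends on the TLS channel.
    Set-WebConfigurationProperty -PSPath $CertSrvPath `
        -Filter 'system.webServer/security/access' -Name sslFlags -Value 'Ssl'

    # 3. Deny incoming NTLM on the AD CS server itself
    #    (Network security: Restrict NTLM: Incoming NTLM traffic = Deny all accounts).
    #    Only do this once enrollment clients are confirmed to work over Kerberos.
    Set-ItemProperty -Path $Msv1Key -Name RestrictReceivingNTLMTraffic -Value 2 -Type DWord

    Get-AdcsRelayExposure
}

Get-AdcsRelayExposure
```

Run Get-AdcsRelayExposure first to capture the current state, then Set-AdcsRelayProtections and an iisreset. If the Certificate Enrollment Web Service role is also installed, its EPA setting is controlled in that service's web.config rather than through IIS Manager, so treat it as a separate step. Denying incoming NTLM will break enrollment from clients that cannot use Kerberos (non-domain-joined machines, or hosts reached by IP address), which is why step 3 is last.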
Reducing the risk
Once a zero-day vulnerability becomes public, it is only a matter of time before cyber criminals develop a working exploit. Ideally the platform provider would ship a patch to protect businesses and end users, but a patch can take time to arrive. While it is being developed, it is important to implement the appropriate workaround as soon as possible to reduce the risk of unauthorised system access and the reputational, financial and regulatory consequences that follow from it.
For further information on the latest cyber threats contact Nick Smith.