As a Microsoft Patch Lady, I’ve been patching computers and servers for more than 20 years. We started with a process that wasn’t well planned. We had no set day or time for when patches were released, and no way to centrally manage and deploy updates. Over the years Microsoft has moved to a more dependable deployment plan and the ability to manage updates through platforms ranging from Windows Update to Windows Software Update Services to Cloud services.
So things should be better now, right? We’ve had 20 years to get this right.
And yet, here’s what I’ve seen regarding patching in just the last week.
We are now on three months and counting of continuing issues with printing caused by patches. (This month included yet another fix for another print spooler vulnerability.) I’ve seen businesses dealing with new side effects directly impacting printing and, interestingly enough, these are businesses that didn’t have problems with earlier updates. This month, Windows 10 peer-to-peer networks appear to be the most affected. (FYI: The trigger for all of these printer issues seems to be older Type 3 printer drivers. Moving to type 4 drivers might help if that’s an option for you.)
I’ve seen some users do the following to get printing to work on a Windows 10-only network:
- Remove the printer on the client PC.
- Add a user to the credential manager on the client PC for the server PC that has administrative privileges.
- Create an admin user on the server PC or use an existing one. (I have not had success with just a standard user.)
- Make sure credential manager user name contains the server’s PC name in front of the user name like this: ServerPCNAME\UserName
- Restart the print spooler service.
- Open an administrative command prompt and run the following command to launch the printer install UI as an administrator: —rundll32 printui.dll,PrintUIEntry /il
Others have used a registry setting to bypass RPC authentication protection. But that opens up your computer to possible attacks, as it disables the protections of the patch. Some users have removed KB5005565, but therein lies the problem with patching, even after 20 years: If you remove one patch, you open yourself up to attacks from the other unpatched vulnerabilities. Case in point: if you remove this month’s update, you open yourself up to the MSHTML vulnerabilities that are being used in ransomware attacks. And what if the printing issues aren’t fixed by Microsoft next month? You either need to find your own workaround or risk going unpatched.
Clearly going unpatched is not the answer. But when some of the affected printers include point-of-sale workstations and register tapes, not printing isn’t really a solution.
Years ago, Microsoft used to offer specific updates for each individual security issue. This led to a very fragmented deployment of updates. Often when a customer would call into Microsoft with an issue after installing updates the support team would realize customers were behind on installing other patches — thus missing key updates that would solve the problem. The root problem wasn’t the security patch, it was customers missing other key updates. So Microsoft moved to the cumulative update model to ensure that all customers were on the same operating system and had the same core foundation.
While Windows 7 and 8.1 still have an option to install security-only updates, Windows 10 has the cumulative-only patching model. (Windows 11, due on Oct. 5, will also be cumulative.) That means if you have issues with this month’s updates, and you skip them, they may not be fixed in next month’s updates and you may face this same situation again.
If you think that moving everything to the cloud is the answer, guess again. Recently, security firm WIZ pointed out that in each Linux virtual machine deployed in Azure cloud, Microsoft puts a monitoring agent on the virtual machines. These agents have a vulnerability. No problem, Microsoft can just patch it for you, right? Well, as The Register points out, you have to patch for this issue, not Microsoft. While it plans to provide resources for patching such agents automatically, that tool isn’t yet available.
But surely if you merely patch your Microsoft software, that’s enough to keep ransomware at bay, right? Wrong. Researchers have accumulated a list of all the software vulnerabilities used in ransomware attacks. It turns out attackers are not only going after Microsoft software, but using other entry points as well. Sonicwall firewall systems have been targeted in ransomware attacks. Network attached storage options such as QNAP and Synology have been targeted. Even virtual private network software such as Fortinet has been used to gain illicit access to a network.
Since attackers are looking for entry points into networks wherever they find them, anything from workstations (Microsoft), to storage devices (NAS units), to edge devices (Firewalls and VPN software), should be monitored at all times for updates. And do you have a solution to monitor and patch all of those? (You should.)
Back to my original point, it’s twenty years on and it doesn’t seem like we’re making headway at all. We’re still seemingly running around in circles trying to patch and trying to keep one step ahead of the bad guys. So what can we do? Reach out to all of our vendors and ask them to do better. They need to ensure that key devices are auto updating and self correcting. They need to do a better job in understanding that merely installing updates won’t work if they cause headaches and side effects that block key issues like printing.
We have to do better. Vendors have to do better. Two decades later, the attackers are still on offense.
