Nowadays, cyber-attack prevention is a no-brainer, unless you’ve been living under a blissful rock. Our IT infrastructures and software systems keep the wheels turning in our day-to-day businesses, and the costs of outages and downtime are extreme, sometimes putting us at risk of losing over $1 million. So, we test and implement regular cybersecurity patches. We keep our systems up to date by managing all the software updates and ensuring they’re rolled out on time. You’ve followed all the experts’ advice and done everything correctly and by the book, so you should be covered, right? We regret to inform you, that’s not always the case.
Security 101
It’s important to know that standard virus protection does not protect against unpatched vulnerabilities. That’s why cybersecurity bodies like the Cybersecurity and Infrastructure Security Agency (CISA) often say that applying cybersecurity patches that fix known vulnerabilities is one of the best cyber-attack preventions. However, there are other times (and unfortunately, they are becoming more and more common) where system vulnerabilities are not yet known and so we haven’t had the chance to test and roll out patches for them. These types of vulnerabilities are referred to as ‘Zero-day’.
Zero-day vulnerabilities are very valuable to threat actors because of the potential damage they cause. They can be found on the dark web and sold for hundreds of thousands of dollars. Zero-day threats often need immediate patches that can’t be fully tested. Odds are low, but patches, like the ones that haven’t been tested, can and do wreak havoc, several times a year. Vendors don’t have access to every environment. They can model the most common and test for days, weeks, or months, but sometimes that still isn’t enough. The issue is that every customer’s environment is different, and there could be something dependent on the same defect that’s patched.
I Pity the Spool
A July 2019 real-world example of a patch gone wrong is a group of vulnerabilities affecting all versions of the Windows Print Spooler called ‘PrintNightmare’. PrintNightmare is a vulnerability in the PrintSpooler service which allows an attacker to execute code remotely and leverage privileges locally. When this happens, the attacker gets into the system and writes whatever code they want for installing unwanted programs, viewing, changing, and deleting data, creating new user accounts, etc.
Microsoft’s emergency patches tried to address this vulnerability by changing the behavior as noted in the release notes for the patch (known as KB5005652). However, because there wasn’t a lot of time to effectively test the patches before rolling them out to the public, they ran into some problems.
PrintNightmare is a Real-Life Nightmare
Shane Boyett, a Sr. Systems Engineer at BT Partners says, “By default, non-administrator users are no longer be able to use Point and Print without administer privileges.” That equals A LOT of non-administrative people unable to print documents. Now, many printers are suddenly down and there aren’t nearly enough administrative privileged staff to help everyone in the office.
There’s a heavy reliance on printing at work, so you can imagine how many people were impacted and the chaos that ensued right after this patch rolled out. We envision there might have been a few ‘Office Space’ printer scene daydreams. These problematic patches resulted in productivity loss measured in hours, maybe days, while an unpatched system compromise is measured in days to weeks, plus data exposure, and ransom. This is a lose-lose situation because if you followed cyber-attack prevention rules and implemented the patch, productivity was lost, and if you didn’t, you’re running a very high risk of an equally expensive cyberattack. While Microsoft sent out subsequent patches to try and fix the issue, the changes to the Print Spooler make it challenging to deploy printers to this day, three years later.
Our Managed Services experts definitely encourage implementing patches as recommended, but we also want you to be aware of the possible operational impacts and test as much as you can prior to the rollout. Securing your network and systems is vital to maintaining operational efficiency and minimizing security threats. Reach out to our managed IT services department if you’re looking for solutions that help reduce the risks of a costly interruption in your business.