The Microsoft Religion

Submitted by Elgin Harten on Mon, 07/12/2021 - 12:02

Overshadowed by one of the largest ransomware attacks in history, which involved Managed Service Provider (MSP) Kaseya and was launched over Independence Day weekend, Microsoft’s newest zero-day vulnerability, known as PrintNightmare, quickly faded from view. With the disruption in gas supply that sparked panic buying when Colonial Pipeline was attacked, followed by the attack on JBS, a Brazilian meat processing company and top beef producer in the United States, awareness of ransomware has grown in the consciousness of the American public. Ransomware attacks have risen to the level of political discourse between nations, most notably between U.S. President Joe Biden and Russian President Vladimir Putin. While reporting is focused on the incident responders grappling with the attack on Kaseya, speculation about culpability, and the morality of victims paying ransoms, Microsoft was gifted precious time to undertake damage control. Amid mass confusion of its own making, Microsoft effectively downplayed a dangerous zero-day vulnerability. Zero-day vulnerabilities are flaws in operating system or application software that bad actors abuse to gain illicit access to computers and networks, and they can be exploited with little or no warning while those networks are still unprotected from them. Once inside a network, a zero-day vulnerability can facilitate the spread of malicious software from one computer to the next. Microsoft released emergency security updates for PrintNightmare while still cloaked in the fog of misdirection, and in so doing subtly changed the narrative, shifting responsibility to its customers.

Microsoft has weaponized the catch phrase “by design” for decades to blame shift, cultivate a myth of omniscience, and stifle unwanted questions or dissent. In the case of PrintNightmare, the emergency release of security updates does indeed close the officially known vulnerabilities in the Print Spooler service for all modern versions of their operating system—except when a feature called “Point and Print” is enabled. Microsoft now asserts that Point and Print is insecure by design. Aside from the absurd position that a commercial product feature was designed to be insecure, there is the implication that anyone with the temerity to use it is to blame for any future exploit that gains a foothold. There is a thorny catch, however. Remediating the PrintNightmare vulnerability completely requires an “opt-in”: either avoiding an insecure Point and Print configuration or disabling the Print Spooler service altogether. Both are incumbent upon the customer or end user to perform a definitive action. These factors make it less likely that the requisite actions will happen at all, or in a timely manner, and thereby conspire to prolong a risk exposure that is considerable.

According to Statista, the Microsoft Corporation had 163,000 full-time employees, a market capitalization exceeding $1 Trillion, and revenue of $143 Billion in fiscal year 2020. It operates in the rarefied air occupied by only a small cadre of tech sector giants. Microsoft dominates the desktop operating systems market with a market share of 75%, and it is the leader in the server operating system market with a market share of 48%. Expecting Microsoft to be a dutiful servant leader, it would seem, is too much of a stretch given their size, market leader position, and corporate culture. Azure and Office 365, Microsoft’s cloud offerings, are where the excitement and prospects are today. Interest in their advances eclipses the—mundane by comparison—Desktop and Server software segments of its business. That is not to say that maintaining the myth is unimportant. Quite the contrary. Microsoft continues to perpetuate its brand and cultivate evangelists among its customer bases. Word of mouth and personal influence are everything in the world of information technology.

Microsoft evangelists are easy enough to recognize. They are outspoken in their support for all things Microsoft. Always it is the new product, license, or service that will solve all our problems. Less obvious are the deleterious effects, especially on cybersecurity, caused by an almost blind faith in the perception, the myth, of Microsoft. It is a subtle albeit successful religious indoctrination of sorts—a belief system held by many that Microsoft understands the vast complexity of its products and will, in the end, take care of us. This belief system indirectly affects the way that we perceive risks and make decisions about those risks. The problem is best illustrated by an amusing version of the Lottery Prayer. It goes something like this:

A man goes to church and prays, “God, please let me win the lottery. Just once, please let me win the lottery.” This goes on week after week, month after month, “God, please let me win the lottery.” One day this majestic voice booms down from above, “Meet me halfway, buy a ticket!” 

There is the rub. Having faith does not preclude taking an action necessary to receive the gift. As it goes in the Lottery Prayer, so too it can go with Microsoft and cybersecurity. We see this in the case of the PrintNightmare experience. 

As the raw intelligence on the PrintNightmare proof-of-concept exploit and its variants was assimilated, it rapidly became clear that PrintNightmare posed a severe threat. Advance notices were sent to infrastructure groups and security teams well before any information became available through official channels. Those early warnings of the danger posed by PrintNightmare should have been seen as a clarion call to security administrators to finally disable the Print Spooler service where it was not needed—indeed all nonessential services. Yet, indications are that it was not. The response was instead a lackadaisical claim that CVE-2021-1675 (then confused with PrintNightmare) had already been patched with the June 8, 2021, release of security updates. Implicit in the decision to take no further action was the unspoken belief that Microsoft understood the problem and had already taken care of it. In that calculus, there was no need to worry, no alarm, and no impetus for further scrutiny and validation. But, of course, Microsoft had not taken care of it.

It was not until a week later, when Microsoft began releasing emergency security updates for CVE-2021-34527, the actual patch for PrintNightmare, that the problem was addressed. Meanwhile, exploits were already being reported in the wild. The emergency patches for PrintNightmare are still being deployed this week, while the recommended remediations have not been fully implemented. Not to be overly pedantic, but the zero-day aspect of the PrintNightmare exploit was realized last week, while mitigations and patches were absent. The mitigations that were implemented when there was no patch were the bare minimum mandated by an organization.

PrintNightmare was its own gift, an opportunity for server administrators to avoid all future vulnerabilities in the Print Spooler service. All that had to be done was to disable the Print Spooler service and/or remove the feature altogether from the operating system. Commit the resulting configuration to a new baseline and close off an entire attack vector—done! The irony is that faith in Microsoft contributed to administrators not heeding the warnings to implement recommended remediations prior to the emergency patch release. Despite the way in which it was done, Microsoft nonetheless came through and did their part to avoid a calamity. But the work is left undone, at least in part, due to unexamined belief systems. To assure that the PrintNightmare vulnerability is fully remediated, administrators must complement Microsoft’s efforts with appropriate actions to validate their configurations and correct them as may be required. Without that follow-through, there may still be insufficient controls in place to protect computers and networks from attack or espionage using the PrintNightmare exploit.
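As an added example (not part of the original post), here is the validate-and-correct step the passage calls for, and the Point and Print opt-in discussed earlier, written in PowerShell: it reports the Print Spooler state and the Point and Print policy values and, only when the hypothetical -Remediate switch is given, disables the service and writes the hardened values. It assumes an elevated session; the registry value names follow Microsoft's Point and Print hardening guidance as I know it and should be verified against current Microsoft documentation.

```powershell
# Added example, not from the original post: audit (and optionally remediate)
# the PrintNightmare exposure on a Windows host.
# Assumptions: elevated session; registry value names per Microsoft's Point and
# Print guidance (KB5005010) as recalled; -Remediate is a switch defined here only.
[CmdletBinding()]
param([switch]$Remediate)

$findings = @()

# 1. Print Spooler service: the attack surface disappears entirely when it is disabled.
$spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
if ($null -eq $spooler) {
    $findings += 'Spooler service not present (feature removed): no exposure.'
} elseif ($spooler.Status -eq 'Running' -or $spooler.StartType -ne 'Disabled') {
    $findings += "Spooler is $($spooler.Status), start type $($spooler.StartType): exposed unless Point and Print is hardened."
    if ($Remediate) {
        Stop-Service -Name Spooler -Force
        Set-Service -Name Spooler -StartupType Disabled
        $findings += 'Remediated: Spooler stopped and disabled.'
    }
} else {
    $findings += 'Spooler is stopped and disabled: no exposure.'
}

# 2. Point and Print policy values. Hardened values (assumed from Microsoft guidance):
#    NoWarningNoElevationOnInstall = 0, UpdatePromptSettings = 0,
#    RestrictDriverInstallationToAdministrators = 1.
#    A value missing from the registry is reported so the baseline records it explicitly.
$ppKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$expected = @{
    NoWarningNoElevationOnInstall              = 0
    UpdatePromptSettings                       = 0
    RestrictDriverInstallationToAdministrators = 1
}
foreach ($name in $expected.Keys) {
    $actual = (Get-ItemProperty -Path $ppKey -Name $name -ErrorAction SilentlyContinue).$name
    if ($actual -ne $expected[$name]) {
        $findings += "$name is '$actual' (expected $($expected[$name])): insecure Point and Print configuration."
        if ($Remediate) {
            if (-not (Test-Path $ppKey)) { New-Item -Path $ppKey -Force | Out-Null }
            New-ItemProperty -Path $ppKey -Name $name -Value $expected[$name] -PropertyType DWord -Force | Out-Null
            $findings += "Remediated: $name set to $($expected[$name])."
        }
    }
}

# 3. Emit the findings as a baseline record that can be diffed against the next run.
$findings | ForEach-Object { Write-Output $_ }
```

Run it without -Remediate first and keep the output as the baseline; on print servers and hosts that genuinely need local printing, leave the Spooler running and rely on the hardened Point and Print values instead. Group Policy can overwrite these registry values at the next refresh, so the same settings should also be enforced in the domain policy.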