Microsoft Patch Tuesday (August 2021)

silversurfer


Microsoft August 2021 Patch Tuesday fixes 3 zero-days, 44 flaws

Today is Microsoft's August 2021 Patch Tuesday, and with it comes fixes for three zero-day vulnerabilities and a total of 44 flaws, so please be nice to your Windows admins as they scramble to install patches.

Microsoft has fixed 44 vulnerabilities (51 including Microsoft Edge) with today's update, with seven classified as Critical and 37 as Important.

Of the 44 vulnerabilities, 13 are remote code execution, eight are information disclosure, two are denial of service, and four are spoofing vulnerabilities.

Microsoft fixes PrintNightmare and PetitPotam attacks

Microsoft has released security updates for two eagerly anticipated zero-day vulnerabilities that were discovered over the past month.

One of the security updates fixes the PrintNightmare vulnerabilities that allow threat actors to gain SYSTEM level privileges simply by connecting to a remote print server under their control. Microsoft has fixed this vulnerability by requiring users to have administrative privileges to install printer drivers using the Point and Print Windows feature.
You can find more detailed information about the PrintNightmare vulnerability and the Point and Print mitigations in a dedicated article published today.

Microsoft also fixed the PetitPotam NTLM relay attack vector that uses the MS-EFSRPC API to force a device to negotiate with a remote relay server under an attacker's control.
A threat actor with low privileges could use this attack to take over a domain controller and thus the entire Windows domain.

Three zero-days fixed, with one actively exploited

August's Patch Tuesday includes three zero-day vulnerabilities, with one actively exploited in the wild.

Microsoft classifies a vulnerability as a zero-day if it is publicly disclosed or actively exploited with no official security updates released.

The two publicly disclosed, but not actively exploited, zero-day vulnerabilities are:
The CVE-2021-36942 vulnerability is associated with the PetitPotam NTLM relay attack vector that allows the takeover of domain controllers.

Finally, one actively exploited elevation of privileges vulnerability was discovered by the Microsoft Security Response Center (MSRC) and Microsoft Threat Intelligence Center (MSTIC).
  • CVE-2021-36948 - Windows Update Medic Service Elevation of Privilege Vulnerability
It is unknown how threat actors used this vulnerability in attacks at this time.
 

silversurfer


Windows 10 KB5005033 & KB5005031 cumulative updates released

The August 2021 Patch Tuesday is out and Microsoft has published several new cumulative updates (KB5005033 & KB5005031) for recent versions of Windows 10. Today's cumulative updates include security fixes for PCs with May 2021 Update, October 2020 Update, and May 2020 Update.

The update is rolling out via Windows Update, WSUS and Microsoft Update Catalog with numerous bug fixes and performance enhancements.

Like every Windows Update, you can open Settings, click on Windows Update, and select 'Check for Updates' to install the updates.

If you own multiple PCs or if you would like to patch the PCs manually, you can learn more about it here.

What's new in Builds 19043.1165, 19042.1165 and 19041.1165

With KB5005033, Microsoft is updating Windows 10 21H1 to Build 19043.1165 with security and non-security improvements. The company fixed an issue that prevents power plans and Game Mode from working as expected. This results in lower frame rates and reduced performance while gaming. Another bug has been fixed that causes the File Explorer window to lose focus when you are mapping a network drive.

It also comes with the following fixes:
  • Changes the default privilege requirement for installing drivers when using Point and Print. After installing this update, you must have administrative privileges to install drivers. If you use Point and Print, see KB5005652, Point and Print Default Behavior Change, and CVE-2021-34481 for more information.
  • We fixed an issue with searchindexer. After you sign out, searchindexer continues to hold handles to the per user search database in the profile path, “C:\Users\username\AppData\Roaming\Microsoft\Search\Data\Applications\\”. As a result, searchindexer stops working and duplicate profile names are created.
  • We fixed an issue that prevents gaming services from opening certain games for desktop users.
  • We fixed an issue that prevents you from entering text using the Input Method Editor (IME). This might occur, for example, after startup if you have set the power options to shut down a laptop by closing its lid.
  • We changed the functionality for uploading new activity into Timeline. If you sync your activity history across your devices using your Microsoft account (MSA), you cannot upload new activity into the Timeline. You can still use Timeline and see your activity history (information about recent apps, websites, and files) on your local device. This does not affect Azure Active Directory (AAD) accounts. To view web history, Microsoft Edge and other browsers provide the option to view recent web activities. You can also view recently used files using Microsoft OneDrive and Microsoft Office.
  • We fixed an issue that might cause the File Explorer window to lose focus when you are mapping a network drive.
  • We fixed an issue that causes File Explorer to stop working after reaching 99% completion when you are deleting many files on a mapped network drive.
  • We fixed a timing issue in the Group Policy Registry Telemetry that causes Group Policy extension processing to fail.
  • We fixed an issue that repeatedly rebuilds the Windows Filtering Platform (WFP) filters. This issue occurs when a device is enrolled in a mobile device management (MDM) service and “MDMWinsOverGP” is set.
  • We fixed an issue with an MDM service that fails to correctly apply certain junk mail rules.
  • We fixed an issue that always reports the update build revision (UBR) as zero (0) on a device during enrollment to an MDM service.
  • We fixed an issue that causes the enrollment of the Elliptic Curve Digital Signature Algorithm (ECDSA) certificate to fail with the error, “0x80090027 NTE_INVALID_PARAMETER”. This issue occurs when the Trusted Platform Module (TPM) provider (the Microsoft Software Key Storage Provider) stores the key.
  • We fixed an issue with auditing events 4624 and 5142 that display the wrong event template when Dutch is the display language.
  • We fixed an issue that causes System Integrity to leak memory.
  • We fixed an issue that plays the sound for selecting something in a game loudly when you press the trigger button on a game controller.
  • We fixed an issue that prevents power plans and Game Mode from working as expected. This results in lower frame rates and reduced performance while gaming.
  • We fixed an issue in which “Network Internal Access” appears on the taskbar network icon on systems that access the internet from certain domains.
  • We fixed an issue in which the Network Connectivity Status Indicator (NCSI) fails to detect internet connectivity after you connect to a virtual private network (VPN).
  • We fixed an issue that causes printing to stop or prints the wrong output. This issue occurs when you print using a USB connection after updating to Windows 10, version 2004 or later.
  • We fixed a rare issue that might degrade performance in applications that call Gdiplus.dll!GdipMeasureString in a tight loop with a new font on each call. This issue occurs after installing Windows updates released on and after February 2021.
  • We fixed an issue that incorrectly routes some audio channels when streaming using certain fixed channel layouts.
  • We fixed an issue that always displays devices that RemoteFX USB redirects as “Remote Desktop Generic USB Device” instead of the actual device name.
  • We fixed an issue in which Set-RDSessionCollectionConfiguration does not set the camerastoredirect:s:value custom property.
  • We fixed a Local Security Authority Subsystem Service (LSASS) domain controller memory leak that is reported in Privileged Access Management (PAM) deployments.
  • We fixed an issue that prevents you from accessing a network drive that maps to a Distributed File System (DFS) root after you sign out.
  • We fixed an issue that prevents you from reconnecting to mapped network drives after you sign in and displays an access denied error. This issue occurs if you use the net use /deep option to create multiple drive mappings to different paths on the same encrypted file share.
  • We fixed an issue that prevents access to files on a Server Message Block (SMB) share when you enable Access Enabled Enumeration (ABE).
  • We fixed an issue that prevents the Windows Server service from starting if SrvComment is greater than 128 characters.
  • We fixed an issue in the Windows Network File System (NFS) client that might prevent you from renaming a file after mounting an NFS share. This issue occurs if you rename the file using File Explorer, but does not occur if you rename the file using command line.
  • We fixed an issue with an unhandled Open File dialog critical exception. As a result, Microsoft Foundation Class (MFC) applications might close unexpectedly.
  • We fixed an issue in which the Storage Sense page in Settings might incorrectly report the size of some storage devices that use the GUID Partition Table (GPT). The affected devices will incorrectly report in Storage Sense that the size is twice as large as the size reported in File Explorer. Note: This issue does not affect storage devices that use a master boot record (MBR).
 

Gandalf_The_Grey

It’s the second Tuesday of the month, and that means the latest security updates from Adobe and Microsoft have been released. Take a break from your regularly scheduled activities and join us as we review the details for their latest security offerings.

Adobe Patches for August 2021

For August, Adobe released two patches addressing 29 CVEs in Adobe Connect and Magento. The update for Connect is rated Important and fixes a single security feature bypass and two cross-site scripting bugs. The Critical-rated patch for Magento fixes a wide range of bugs, the worst of which could allow remote code execution.

None of the bugs fixed this month by Adobe are listed as publicly known or under active attack at the time of release.

Microsoft Patches for August 2021

For August, Microsoft released patches today for 44 CVEs in Microsoft Windows and Windows components, Office, .NET Core and Visual Studio, Windows Defender, Windows Update and Update Assistant, Azure, and Microsoft Dynamics. This is in addition to seven CVEs patched in Microsoft Edge (Chromium-based) earlier this month. A total of eight of these bugs were submitted through the ZDI program. Of the 44 CVEs patched today, seven are rated Critical and 37 are rated Important in severity. This is the smallest release for Microsoft in 2021 and could be due to resource constraints since Microsoft spent so much time in July responding to events like PrintNightmare and PetitPotam. In fact, this is the smallest release since December 2019. It will be interesting to see if the September patch volume rebounds to triple digits or remains on the smaller side.

According to Microsoft, two of these bugs are publicly known and one is listed as under active attack at the time of release. Let’s take a closer look at some of the more interesting updates for this month, starting with a bug that’s listed as under active attack:

- CVE-2021-36948 - Windows Update Medic Service Elevation of Privilege Vulnerability
This bug could allow a local privilege escalation through the Windows Update Medic Service – a new feature introduced in Windows 10 designed to repair Windows Update components from damage so that the computer can continue to receive updates. An attacker would need to log on to an affected system and run a specially crafted program to escalate privileges. Microsoft does not say how widespread the attacks are, but they are most likely targeted at this point.

- CVE-2021-36942 - Windows LSA Spoofing Vulnerability
Speaking of PetitPotam, Microsoft released this patch to further protect against NTLM relay attacks by issuing this update to block the LSARPC interface. This will impact some systems, notably Windows Server 2008 SP2, that use the EFS API OpenEncryptedFileRawA function. You should apply this to your Domain Controllers first and follow the additional guidance in ADV210003 and KB5005413. This has been an ongoing issue since 2009, and, likely, this isn’t the last we’ll hear of this persistent issue.

- CVE-2021-36936 - Windows Print Spooler Remote Code Execution Vulnerability
Another month, another remote code execution bug in the print spooler. This bug is listed as publicly known, but it’s not clear if this bug is a variant of PrintNightmare or a unique vulnerability all on its own. There are quite a few print spooler bugs to keep track of. Either way, attackers can use this to execute code on affected systems. Microsoft does state low privileges are required, so that should put this in the non-wormable category, but you should still prioritize testing and deployment of this Critical-rated bug.

UPDATE: Microsoft has released KB5005652 to provide guidance on managing new Point and Print default driver installation behavior. This is an update for CVE-2021-34481, which was originally released in July, 2021. Sysadmins should review this KB along with applying the Print Spooler related updates in this release.

- CVE-2021-34535 - Remote Desktop Client Remote Code Execution Vulnerability
Before you start having flashbacks to BlueKeep, this bug affects the RDP client and not the RDP server. However, the CVSS 9.9 bug is nothing to ignore. An attacker can take over a system if they can convince an affected RDP client to connect to an RDP server they control. On Hyper-V servers, a malicious program running in a guest VM could trigger guest-to-host RCE by exploiting this vulnerability in the Hyper-V Viewer. This is the more likely scenario and the reason you should test and deploy this patch quickly.

Looking Ahead

The next Patch Tuesday falls on September 14, and we’ll return with details and patch analysis then. Until then, stay safe, happy patching, and may all your reboots be smooth and clean!
 

Gandalf_The_Grey

Microsoft Windows Security Updates August 2021 overview
Microsoft has released security updates and non-security updates for its Windows operating system on today's Patch Day. Updates are available for all client and server versions of Microsoft Windows, as well as other company products such as Microsoft Office or Azure.

The overview that you are reading includes information and resource links to get you started quickly. It begins with an executive summary, which lists important details. The operating system distribution and list of cumulative updates for all Windows versions follow.

Our guide lists known issues as confirmed by Microsoft, links to security advisories, non-security patches, download information, and more resource links at the bottom of the page.
 

CyberTech

At this point, it would be unusual if a Windows 10 update didn’t bork a feature or two for some users. The severity of the problems varies, but the latest bug introduced by Microsoft is certainly an annoying one: it breaks the Alt-Tab function.

Windows Latest reports that some people who downloaded Windows 10’s July 2021 preview (KB5004296) and the August 2021 update (KB5005033) are finding their ability to use the helpful Alt-Tab feature has disappeared.

Alt-Tab, as we all know, allows users to jump between open apps and windows by holding down the Alt key and selecting one with Tab. Releasing Alt then switches to the highlighted screen. Most people use the function daily, and it's especially helpful if a program or game crashes.
 

ForgottenSeer 78429

I clean installed Windows 21H1 yesterday on my PC. It has been downloading update KB5005033 since then and has used 3.6 GB of data, but it is still downloading. I have no idea why. Is anyone else facing this issue?
 

Gandalf_The_Grey

Windows 10 Cumulative Update KB5005033 is breaking Alt+Tab for some – here’s the easy fix
The Windows 10 Alt+Tab keyboard shortcut is a staple of the operating system, but some users are reporting issues with the feature after installing the August 2021 Cumulative update (KB5005033).

“It breaks Alt-Tab switching games that run in “full screen” mode. Switching to such games gives you a black screen and no way to return to the game. Again uninstalling this update reverts to normal working behaviour,” said one user on the Feedback Hub.

“Furthermore, Windows 10 under this update sometimes Alt-Tabs out of the fullscreen game immediately after starting up the game from Steam. Basically, the fullscreen game now starts up minimized on my taskbar. If I try to click the game to go to its fullscreen mode, Win10 immediately alt-tabs from the fullscreen and I’m back to square one,” complained another.

Uninstalling the Cumulative Update fixes the issue, but there is an even easier fix.

For some reason, Microsoft’s News and Interest taskbar widget is involved in the issue, and disabling the superfluous gadget also appears to fix the problem.

To do that, right-click anywhere on the taskbar, scroll up to the ‘News and interests’ menu item and select ‘Turn off’.

The issue also appears to occur with the July 2021 preview optional update (KB5004296), and the same fix also works there.
 

silversurfer


Microsoft marks latest Windows printing issue as resolved (KB5005033)

Microsoft acknowledged another printing related issue on Windows. After installing the August 2021 patches for Windows, e.g. KB5005033 or KB5005031, some users noticed that printing was causing issues on said devices.

Microsoft published a support page, KB5005652, which provides additional information on the issue.

The company changed how print drivers are installed or updated as a consequence. Non-administrators can't install or upgrade print drivers using drivers from remote computers or servers without elevation of privilege to administrator.

Microsoft created a new Registry key to restore the old behavior.
  • Registry location: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint
  • Dword (32-bit) Value name: RestrictDriverInstallationToAdministrators
  • Value data:
    • The default value is 1; this requires administrative privileges to install or update print drivers when using Point and Print.
    • A value of 0 allows non-administrators to install drivers when using Point and Print.
Windows users in Point and Print environments have four options to install print drivers or updates of print drivers according to Microsoft by default:
  • Provide an administrator username and password when prompted for credentials when attempting to install a printer driver.
  • Include the necessary printer drivers in the OS image.
  • Use Microsoft System Center, Microsoft Endpoint Configuration Manager, or an equivalent tool to remotely install printer drivers.
  • Temporarily set RestrictDriverInstallationToAdministrators to 0 to install printer drivers.
 

silversurfer


How to fix the 0x0000011b printing errors

To fix the recent 0x0000011b printing errors without removing the current Windows Updates (KB5005565), you can instead disable the CVE-2021-1678 mitigation enabled by default this month.

To do that, open the Windows Registry Editor and navigate to the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print key, create a new DWORD-32 bit value named RpcAuthnLevelPrivacyEnabled, and set it to 0, as shown in the Registry file below.
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print]
"RpcAuthnLevelPrivacyEnabled"=dword:00000000
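
An added example, not part of the original posts or of Microsoft's guidance: a read-only PowerShell audit of the two registry values named in the two posts above (RestrictDriverInstallationToAdministrators and RpcAuthnLevelPrivacyEnabled), useful for finding machines where a "temporary" workaround was left in place. The function name Get-PrintHardeningState is hypothetical, and treating an absent value as the patched default assumes the updates discussed in this thread are installed.

```powershell
# Added example: audit the print-related registry values discussed in this thread.
# It only reads the registry; it never changes a setting.
# Assumption: a missing value means the patched default applies, which is
# only true when the updates discussed in the thread are installed.

$checks = @(
    [pscustomobject]@{
        Name    = 'RestrictDriverInstallationToAdministrators'
        Path    = 'HKLM:\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
        Weak    = 0
        Meaning = 'Non-administrators can install Point and Print drivers'
    },
    [pscustomobject]@{
        Name    = 'RpcAuthnLevelPrivacyEnabled'
        Path    = 'HKLM:\System\CurrentControlSet\Control\Print'
        Weak    = 0
        Meaning = 'CVE-2021-1678 mitigation is disabled'
    }
)

function Get-PrintHardeningState {
    param([Parameter(Mandatory)][object[]]$Checks)

    foreach ($c in $Checks) {
        # Key or value may not exist at all; that is not an error for this audit.
        $data = $null
        $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { $data = $item.($c.Name) }

        if ($null -eq $data) {
            $state  = 'NotSet'
            $detail = 'Patched default applies if the updates are installed'
        } elseif ($data -eq $c.Weak) {
            $state  = 'WEAKENED'
            $detail = $c.Meaning
        } else {
            $state  = 'Hardened'
            $detail = ''
        }

        [pscustomobject]@{
            Value  = $c.Name
            Data   = $data
            State  = $state
            Detail = $detail
        }
    }
}

$results = Get-PrintHardeningState -Checks $checks
$results | Format-Table -AutoSize

# Surface any workaround that was left in place after troubleshooting.
foreach ($r in $results | Where-Object { $_.State -eq 'WEAKENED' }) {
    Write-Warning ("{0} = {1}: {2}" -f $r.Value, $r.Data, $r.Detail)
}
```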
 
