Hello, welcome to this somewhat special edition of the Sansa and Storm Center's Stormcast.

This is for Friday, July 2nd.

Now, I mentioned that I wasn't going to produce a podcast for Friday this week because of the July 4th holiday.

But I want to do a quick podcast, just summarizing what we know for now about

this Brent nightmare vulnerability. And late yesterday we finally did get an official statement

from Microsoft about this vulnerability. So we do have a new CVE number now and also some advice from Microsoft directly as to

how to mitigate this vulnerability.

So first of all, the new CVE number is CVE 2021-34-5227.

The original one was CVE 2021-52-7. The original one was CBE 2021-1675. If you remember, that original vulnerability was patched with the June 6th patch Tuesday update. So Microsoft decided to assign this vulnerability a new CBE number as it's pretty much a

different issue than the issue that was patched in June. Also, as part of the show notes,

you'll see links to various references. That's pretty much where I pulled the information from for this

podcast. And let's start with the nature of the vulnerability. So the problem here is a function

that allows you to add a printer driver. This is typically only allowed for administrators or print operators. And administrators

and print operators are able to do so remotely. So if you have a remote print spooler,

these two groups are authorized to add a printer driver. And of course, printer drivers,

they are DLs, they are code,

and that code runs as a system.

The problem here is that due to a flaw in how they actually figure out who is authorized

to add a printer driver, any user is actually able to add printer drivers.

And this is what this vulnerability and this exploit is all about.

Normal user is able to connect to the print spooler

and able to call this RPC add printer driver function and add

...