Microsoft Windows Print Spooler “PrintNightmare” Vulnerability: What You Need to Know

In our conversations with hundreds of customers, they often start out thinking that they need to deliver a full desktop to their workers. When asked why, they typically don’t have a specific reason, or it comes down to “that’s the way it’s always been done.” While we understand that there are cases where a full desktop is necessary, the fact is that the vast majority of apps and use cases do not need it. In fact, using a full virtual desktop often causes more problems and complexity than necessary, and that complexity often rears its head in the form of security issues.

Which brings us to the latest Windows vulnerability. As of June 30th, a critical Windows Print Spooler vulnerability was revealed which allows trusted users (and by extension any malware they might unknowingly have on their devices) to gain SYSTEM-level privileges. This vulnerability is referred to as “PrintNightmare” and the flaw is confirmed to impact all versions of Windows for clients and servers, including Windows 7, 8.1 and 10, as well as Windows Server 2004, 2008, 2012, 2016 and 2019.

At Microsoft’s urging, millions of Windows users have been urgently updating devices this week as a result. Our CTO Eyal Dotan, who has decades of security experience and 12 security patents under his belt, helps shed some light on why Virtual App Delivery (Cameyo) is much less susceptible to these vulnerabilities compared to VDI (Citrix, Parallels) or DaaS (Azure Virtual Desktop).

First, let’s start with the official statement from Microsoft for context:

Executive Summary

A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

As of July 6th, Microsoft has released security patches to address the vulnerability on all systems – even Windows 7. Here are the latest updates:

UPDATE: July 7, 2021: The security update for Windows Server 2012, Windows Server 2016 and Windows 10, Version 1607 has been released. Please see the Security Updates table for the applicable update for your system. We recommend that you install these updates immediately. If you are unable to install these updates, see the FAQ and Workaround sections in this CVE for information on how to help protect your system from this vulnerability.

UPDATE: July 6, 2021: Microsoft has completed the investigation and has released security updates to address this vulnerability. Please see the Security Updates table for the applicable update for your system. We recommend that you install these updates immediately. If you are unable to install these updates, see the FAQ and Workaround sections in this CVE for information on how to help protect your system from this vulnerability. See also KB5005010: Restricting installation of new printer drivers after applying the July 6, 2021 updates.

Note that the security updates released on and after July 6, 2021 contain protections for CVE-2021-1675 and the additional remote code execution exploit in the Windows Print Spooler service known as “PrintNightmare”, documented in CVE-2021-34527.
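To turn the advisory above into something an administrator can check, here is an added PowerShell audit (example code, not from the original post, from Microsoft or from Cameyo) that reports whether the Print Spooler service is running, whether the KB5005010 driver-installation restriction is set, and whether any update dated on or after July 6, 2021 is present on the host. It assumes the registry value name RestrictDriverInstallationToAdministrators under the PointAndPrint policy key as documented in KB5005010, and that stopping the Spooler service is the CVE's listed workaround; verify both against the Microsoft pages before acting on its output.

```powershell
# Added example (not from the original post, Microsoft or Cameyo): a read-only audit of
# the local host's PrintNightmare exposure. Run in an elevated PowerShell session.
# Assumption: the registry value below is the one KB5005010 documents for restricting
# printer driver installation to administrators; confirm against the KB before relying on it.

function Get-PrintSpoolerExposure {
    $spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $pnpKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
    $restrict = $null
    if (Test-Path $pnpKey) {
        $restrict = (Get-ItemProperty -Path $pnpKey -ErrorAction SilentlyContinue).RestrictDriverInstallationToAdministrators
    }
    # Updates installed on or after the July 6, 2021 release date. Get-HotFix only reports
    # updates that carry an InstalledOn date, so an empty result means "unknown", not "unpatched".
    $recent = Get-HotFix -ErrorAction SilentlyContinue |
        Where-Object { $_.InstalledOn -and $_.InstalledOn -ge [datetime]'2021-07-06' }

    [pscustomobject]@{
        ComputerName            = $env:COMPUTERNAME
        SpoolerStatus           = if ($spooler) { $spooler.Status }    else { 'NotInstalled' }
        SpoolerStartType        = if ($spooler) { $spooler.StartType } else { 'NotInstalled' }
        DriverInstallRestricted = ($restrict -eq 1)
        UpdatesSinceJuly6_2021  = @($recent).Count
        Findings                = @(
            if ($spooler -and $spooler.Status -eq 'Running') {
                'Print Spooler is running; if this host does not need to print, stop and disable the service (the CVE workaround).'
            }
            if ($restrict -ne 1) {
                'RestrictDriverInstallationToAdministrators is not set to 1 (see KB5005010).'
            }
            if (@($recent).Count -eq 0) {
                'No updates dated on or after 2021-07-06 found; verify the July 2021 security update is installed.'
            }
        )
    }
}

Get-PrintSpoolerExposure | Format-List
```

An empty Findings list means the service is stopped or absent, the KB5005010 restriction is in place, and at least one post-July-6 update is recorded; anything else is a prompt to check that host against the Security Updates table.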

The Potential Impact for Virtual Desktops vs. Virtual App Delivery

As part of the world continues with remote work and much of the rest of the world shifts to hybrid work, it’s important to consider the security model of the platforms you rely on to ensure the productivity of remote and hybrid workers. In the case of this Windows Print Spooler “PrintNightmare” vulnerability, there is a distinct difference in how it impacts Virtual Desktop Infrastructure (VDI) users compared to the Virtual Application Delivery (VAD) approach.

Cameyo’s Approach

With Virtual App Delivery, users have access solely to the apps they need to do their job. There is a distinct separation between where users browse and do their general Internet activities and the location of their business-critical applications and data. This helps protect against users falling prey to malware that exploits this type of breach within a Cameyo VAD session.

Regarding malicious users who’d want to become system admins using the PrintNightmare vulnerability, this is something that can be done quite easily in a classic virtual desktop environment (VDI / VDS / WVD). However, on Cameyo Virtual App Delivery servers, system access is never exposed to the user, so this path is again blocked and protected against.

In terms of potential consequences, let’s start with Cameyo’s VAD approach. With Cameyo, user data remains on servers only while the session is ongoing, and it is wiped when that session ends. So even if ransomware were to be brought in by a malicious user and somehow bypass the protections above, it still wouldn’t find any of the data troves it would target to steal or hold for ransom, because it would only have access to the data of that particular live session, and that data is wiped once the user closes the session. This is not the case with VDI.

In addition, at Cameyo we automatically patch and maintain Windows systems and components during predefined maintenance timeframes where we can systemically update servers while they are ‘at rest’, without ever causing any work interruption.

To learn more about Cameyo’s foundation of Zero Trust security and the various security technologies that make Cameyo one of the most secure ways to deliver applications to users in a hybrid or remote work environment, take a look at this post: Why Security Must Be Designed Into the Core of Your Digital Workspace.