Microsoft Releases Emergency Security Fix for PrintNightmare Flaw - Update Now

Microsoft Releases Emergency Security Fix for PrintNightmare Flaw - Update Now

On July 7, this patch was updated to clarify that it does not fix the local privilege escalation flaw, and on July 8, this patch was updated to note that it does not work at all on certain enterprise server configurations.

Microsoft today (July 6) distributed an emergency patch to fix a very serious print spooler flaw that was accidentally released last week.

The flaw, commonly known as "PrintNightmare," is cataloged as CVE-2021-34527 and allows hackers to remotely take control of Windows systems. Deployments of Windows on servers and in the enterprise are particularly vulnerable to attacks that take advantage of this flaw, but any computer running anything from Windows 7 to the latest version of Windows 10 can be attacked.

To install today's update, run Windows Update on a Windows 10, 8.1, or 7 machine; for Windows 10 users, depending on the build, see Knowledge Base (KB) articles KB5004940, KB5004945, KB 5004946, and KB5004947; for Windows 8.1, the Knowledge Base references KB5004954 and KB5004958; and for Windows 7, KB5004951 or KB5004953. More information is available in this Microsoft security bulletin.

Once the update is downloaded, you will be prompted to restart your machine to install the patch.

If you do not think you need to install the patch, start PowerShell and type "Get-Service -Name Spooler" to see if the print spooler is running. (If you are printing documents regularly, it is probably running.) If you do not know what PowerShell is, do not run this.)

You can disable Print Spooler by typing the following into PowerShell in order:

However, as Microsoft warns, "Disabling the Print Spooler service will disable printing both locally and remotely." If you are a serious gamer who hasn't touched a sheet of paper in the last three years, this may not matter.

The rest of us will just want to install the patch to keep printing. However, there is a small downside to patching. It makes it more difficult for non-administrative users to install print drivers that are not "signed" by the manufacturer.

This should not be a major setback since the software that comes with most printers must be installed by an administrator anyway. If you want to allow a limited number of users to install unsigned software on their machines (a bad idea), Microsoft shows here how to adjust the registry to make it possible.

The saga of PrintNightmare may be laughable in a few weeks after everyone has patched their systems. The short version is that Microsoft fixed a very similar Print Spooler flaw in the June Patch Tuesday update released on June 8, and increased the severity of that flaw on June 21.

A Hong Kong security firm saw the notice of the increased severity and assumed that Microsoft had fixed the flaw that the security firm had (presumably) privately disclosed to Microsoft. The security firm was planning to disclose the flaw at the Black Hat USA security conference in Las Vegas next month.

However, after Microsoft supposedly fixed the flaw, the security firm posted a proof-of-concept exploit (essentially a demonstration of how to launch an attack using the flaw) on Twitter on June 28.

Oops. Turns out Microsoft patched another flaw, and the Hong Kong company's exploit worked fine on a fully patched system.

The Hong Kong company quickly deleted the tweet, but the secret got out. This story is covered in detail here.

In our haste to get this story up late Tuesday, we neglected to read between the lines of Microsoft's security bulletin and noticed that our friends in Redmond only mention "a remote code execution [RCE] exploit in the Windows Print Spooler service." I noticed that it only referred to "a remote code execution [RCE] exploit in the Windows Print Spooler service. "

There is a second way to exploit CVE-2021-34527. That is to gain a foothold on the machine, elevate its "privileges" and take control. In information security parlance, this is a Local Privilege Elevation (LPE) flaw. This flaw has yet to be fixed.

The LPE flaw is slightly less serious than the RCE flaw. This is because the latter allows anyone to hack a machine via the Internet, whereas the former requires physical or at least local network access. However, malware that infects a machine by other means can use the LPE flaw to hijack the system.

As the above tweet indicates, Windows 10 machines are a bit more protected against this particular LPE flaw because an optional service must be turned on to allow exploits; Windows 7, 8, and 8.1 are more vulnerable.

Also, at the end of Microsoft's bulletin it says: "Updates are not yet available for Windows 10 version 1607, Windows Server 2016, and Windows Server 2012. Security updates for these versions of Windows will be released shortly. [Update: These security updates were released late July 7. See below]

Windows 10 version 1607 was released in August 2016 and those still using it are advised to upgrade to the newer version unless they have a specific reason to stay on 1607.

Benjamin Delpy, a French white-hat hacker, has found that even after applying the PrintNightmare patch, certain optional settings on Windows systems that are usually only found in enterprise (corporate and other large organizations) environments He demonstrated Wednesday (July 7) that the remote control execution flaw is still possible if it is enabled.

This is a feature that allows endpoint clients (desktops and laptops at work) to more easily install printers on the local network without the hassle of manually installing printer driver software.

The machine must also be configured to bypass two security safeguards that alert the end user if the software "elevates" privileges and gains more control over the Windows system than expected.

All three of these settings generally weaken the overall security of the machine, whether or not it is exposed to PrintNightmare, and are not typically found on home Windows computers.

Point and Print is not even installed, let alone enabled by default on most PCs. We could not find it on our own PCs running recent builds of Windows 10 Home.

On July 7, Microsoft updated its security information in light of Delpy's discovery. It states:

"To protect your system, you must ensure that the following registry settings are set to 0 (zero) or not defined (Note: These registry keys are not present by default and are already set to secure).

Microsoft also stated that on July 7, "security update[s] for Windows Server 2012, Windows Server 2016, and Windows 10, version 1607 were released."

.

Categories