[German]Microsoft has commented on reports that the unscheduled updates to close the PrintNightmare vulnerability CVE-2021-34527 in the Windows Print Spooler service would not eliminate all risks. The message is that if the special updates are installed and Windows is configured and operated properly, there is no known scenario that would allow exploitation of the vulnerabilities. As a follow-up, here is an overview of this issue.
The PrintNightmare vulnerabilities
There were various vulnerabilities in the Windows Print Spooler service that were supposed to be closed with the regular June 2021 security updates (see Patchday: Windows 10-Updates (June 8, 2021)). However, at the end of June 2021, it turned out that the June 8, 2021 security updates didn't really work. There was a new vulnerability (CVE-2021-1675) in the Windows Print Spooler service that allowed remote code execution (RCE). These vulnerabilities allow attackers to execute arbitrary code with SYSTEM privileges. Through an unintentionally published proof of concept (PoC), there have already been initial attacks against the vulnerability.
I had reported early on the vulnerability in the blog post PoC for Windows print spooler vulnerability public, high RCE risk. As of July 6 and 7, 2021, Microsoft then released unscheduled updates for the supported versions of Windows (see article links at the end of the post). However, there were several problems with the updates for the various Windows versions. Once there were indications that the patch was ineffective because the fixes could be bypassed. In addition, collateral damage occurred during the update installation, which I read about in the blog post The Chaos PrintNightmare Emergency Update (July 6/7, 2021). The issue with some label printers were then fixed for Windows 10 version 2004 and later by Microsoft (see Windows 10: Microsoft fixes Zebra & Dymo printer issues caused by update (e.g. KB5004945) via KIR).
Microsoft comments on security
Due to discussions that the updates would not fully fix the vulnerabilities in the Windows Print Spooler service, Microsoft then spoke out in a separate blog post on July 8, 2021. The following tweet points to this article.
Microsoft explicitly refers to the discussions after the out-of-band (OOB) updates to close the vulnerabilities and addresses the suspicion that the updates still leave vulnerabilities open. To that end, Microsoft writes that all research has shown that the OOB security update works as intended. It is effective against the known printer spooling exploits and other public reports grouped under the name PrintNightmare.
All of the reports questioning its effectiveness that Microsoft investigated were based on changing the default registry setting related to Point and Print, which then lead to an insecure configuration of the system. In the article, Microsoft states that the patches do not cause any changes to Point and Print registry settings. Administrators should therefore review the following registry settings. In the key:
the 32-bit DWORD values NoWarningNoElevationOnInstall = 0 and UpdatePromptSettings = 0 must be set to ensure safe default operation. This is the same if the key or DWORD values are missing. If the values are present and not set to 0, the default configuration has been changed and the system is insecure.
Patchday: Windows 10-Updates (June 8, 2021)
PoC for Windows print spooler vulnerability public, high RCE risk
Windows Print Spooler Vulnerability (CVE-2021-1675, PrintNightmare) Confirmed by MS; CISA Warns
0Patch Micropatches for PrintNightmare Vulnerability (CVE-2021-34527)
Out-of-Band Update closes Windows PrintNightmare Vulnerability (July 6, 2021)
PrintNightmare out-of-band update also for Windows Server 2012 and 2016 (July 7, 2021)
The Chaos PrintNightmare Emergency Update (July 6/7, 2021)
Windows 10: Microsoft fixes Zebra & Dymo printer issues caused by update (e.g. KB5004945) via KIR
Cookies helps to fund this blog: Cookie settings
0Patch issued a patch for this on July 5th.
No fuss, no muss, no unsightly hair-ripping.
I'm sold on these guys, i.e. Acros. My days of unpatching the patch that was supposed to patch the patch that unpatched the….oh, you get it.
I mentioned this – see the link list at the article?s end. But many people refuse to use 0patch and "trust" in Microsoft. Just a funny fact.
Danke. Old eyes, late night. :)
"But many people refuse to use 0patch and "trust" in Microsoft."
O, I trust them…about as far as I can throw a grand piano.
Nice article, well cited.
though let's see if the newly released Jul. 13 security updates like KB5004237 for Win10 v2004/20H2/21H1 fare better than the out-of-band updates like KB5004945