Wednesday, July 7th 2021

PrintNightmare: Microsoft Issues Critical Security Updates for Multiple Versions of Windows

Remember that hideous, remotely exploitable vulnerability on Windows' Print Spooler service, which would enable remote attackers to run code with administrator privileges on your machine? Well, Microsoft seems to be waking up from this particular instance of PrintNightmare, as the company has already issued critical, out-of-band security updates (meaning that they're outside Microsoft's cadenced patch rollout) for several versions of windows. Since the Print Spooler service runs by default and is an integral part of Windows releases (likely since the NT platform development), Microsoft has even pushed out patches to OSs that aren't currently supported.

Microsoft has issued correctives for Windows Server 2019, Windows Server 2012 R2, Windows Server 2008, Windows 8.1, Windows RT 8.1, a variety of supported versions of Windows 10, and even Windows 7. As per Microsoft, Windows Server 2012, Windows Server 2016, and Windows 10 Version 1607 products are still missing the security patches, but they're being actively worked on and should be released sooner rather than later. The security patches include mitigations for both the PrintNightmare issue (CVE-2021-34527), as well as another Print Spooler vulnerability that's been previously reported (CVE-2021-1675). The mitigations are being distributed via Windows Update, as always, and the relevant packages are KB5004945 through KB5004959 (depending on your version of Windows).
Sources: Microsoft, via The Verge
Add your own comment

31 Comments on PrintNightmare: Microsoft Issues Critical Security Updates for Multiple Versions of Windows

#1
P4-630
Just installed it... KB5004945
Posted on Reply
#2
Raevenlord
News Editor
P4-630Just installed it... KB5004945
Thanks, will update the news piece so people know which KB to download =)
Posted on Reply
#3
TechLurker
Aww, was hoping they'd push it all the way back to Win95. :roll:

I have a functional, ancient one I still use on occasion to play some Chip's Challenge, nostalgia in Packard Bell Home, and a few real-old CD games that don't like Win7+ (those obscure, silly and sometimes junk games sold at office supply shops that were DOS/95 compatible).
Posted on Reply
#4
delshay
Thank you Microsoft for windows 7 support.

As of posting, windows 10 is auto downloading KB5004945.
Posted on Reply
#5
Makaveli
When I woke up today it was already installed :) gotta love patch tuesdays
Posted on Reply
#6
RJARRRPCGP
Yep, update-Tuesday on the first Tuesday! This means an out-of-band-emergency!

But fortunately, the update routine didn't fail because of me having the Print Spooler service disabled.
Posted on Reply
#7
ncrs
delshayThank you Microsoft for windows 7 support.
Aren't those just for the ESU subscribers? I don't have a Win7 to test with, so I'm not sure.
Posted on Reply
#8
TheoneandonlyMrK
So there's reports the patch didn't work, anyone hear similar?!.
Posted on Reply
#10
newtekie1
Semi-Retired Folder
TheoneandonlyMrKSo there's reports the patch didn't work, anyone hear similar?!.
I've hear that is completely breaks printing on certain printer brands.
Posted on Reply
#11
ncrs
lexluthermiesterSeems everyone will get it.
support.microsoft.com/en-us/topic/july-6-2021-kb5004951-security-only-update-out-of-band-e05a81cd-9b45-4622-b715-ddb2367bca47
The site you quoted states that it's not available from Windows/Microsoft Update, but from the Catalog instead. It also has the usual ESU eligibility comments. I guess the only way to know is to try installing it on a normal Win7 ;)
newtekie1I've hear that is completely breaks printing on certain printer brands.
It requires the drivers to be signed by default now. Some aren't, but it can be changed according to KB5005010.
Actually strike that, it's not what that KB is about, my bad. It might be related, however, and a simple re-installation of the driver by an administrative user might fix the issue.
Posted on Reply
#12
lexluthermiester
ncrsThe site you quoted states that it's not available from Windows/Microsoft Update, but from the Catalog instead. It also has the usual ESU eligibility comments. I guess the only way to know is to try installing it on a normal Win7 ;)
It does have a lot of cross talk, but we will see. microsft often changes their minds and their site pages.
Posted on Reply
#13
newtekie1
Semi-Retired Folder
ncrsActually strike that, it's not what that KB is about, my bad. It might be related, however, and a simple re-installation of the driver by an administrative user might fix the issue.
Nothing I could do with the driver would fix the issue, and the driver is definitely signed. The only option was to remove the update. The interesting thing is right after the reboot after uninstalling the update, right when I hit enter after typing the password, the printer started working and spitting out the jobs in the queue.

But I guess I should consider myself lucky, at least this update didn't cause a bluescreen every time a print job was sent to the printer like the update Microsoft released a few months ago.
Posted on Reply
#15
Caring1
lynx29@Raevenlord might want to update the title of your thread :)
The title is still correct though, they never claimed to have fixed it. :roll:
Posted on Reply
#16
Frick
Fishfaced Nincompoop
Caring1The title is still correct though, they never claimed to have fixed it. :roll:
It appears to be another thing going on. The patch does fix it, but there's also a vulnerability in the PointAndPrint thing, which is not enabled by default.

"The demo shows that the update fails to fix vulnerable systems that use certain settings for a feature called point and print, which makes it easier for network users to obtain the printer drivers they need."

From the comments:
"Point and Print is not directly related to this vulnerability, but the technology weakens the local security posture in such a way that exploitation will be possible. To disallow Point and Print for non-administrators make sure that warning and elevation prompts are shown for printer installs and updates. The following registry keys are not present by default. Verify that the keys are not present or change the following registry values to 0 (zero):

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint
NoWarningNoElevationOnInstall = 0 (DWORD)
NoWarningNoElevationOnUpdate = 0 (DWORD)"
Posted on Reply
#17
zlobby
TechLurkerAww, was hoping they'd push it all the way back to Win95. :roll:

I have a functional, ancient one I still use on occasion to play some Chip's Challenge, nostalgia in Packard Bell Home, and a few real-old CD games that don't like Win7+ (those obscure, silly and sometimes junk games sold at office supply shops that were DOS/95 compatible).
Any news on 3.11?
Posted on Reply
#18
lexluthermiester
FrickIt appears to be another thing going on. The patch does fix it, but there's also a vulnerability in the PointAndPrint thing, which is not enabled by default.

"The demo shows that the update fails to fix vulnerable systems that use certain settings for a feature called point and print, which makes it easier for network users to obtain the printer drivers they need."

From the comments:
That would make sense. In such a case manual mitigation will be required.
Posted on Reply
#19
neatfeatguy
Found out that the updates break printing over the network at my place of work. Had a few folks unable to print their reports and other stuff they needed to non-local printers. So, at the moment it's either the IT guy removes the updates or works on running cables directly from some printers to the computers that are supposed to print from.....

And because it's not me that is having to fix all this stupid crap, I find it hilarious.
Posted on Reply
#20
lexluthermiester
neatfeatguyFound out that the updates break printing over the network at my place of work. Had a few folks unable to print their reports and other stuff they needed to non-local printers. So, at the moment it's either the IT guy removes the updates or works on running cables directly from some printers to the computers that are supposed to print from.....

And because it's not me that is having to fix all this stupid crap, I find it hilarious.
Been having that same issue with a few test machines. We came up with a different solution after removing the update from the affected test system. We disconnected the network that have the printers from the internet. There are some issues, but at least we can do the jobs needed. It's actually more important for us to have printers than internet. We're gearing up to config two different networks, one with internet & no printers and the other connected to the printers without internet.
Posted on Reply
#21
neatfeatguy
lexluthermiesterBeen having that same issue with a few test machines. We came up with a different solution after removing the update from the affected test system. We disconnected the network that have the printers from the internet. There are some issues, but at least we can do the jobs needed. It's actually more important for us to have printers than internet. We're gearing up to config two different networks, one with internet & no printers and the other connected to the printers without internet.
Sounds like you found a work around that's good. Not sure that's something the IT guy here would want to do or have time to do since one of the owners purchased a new company that ties into our line of business and he's had the IT guy over there doing all sorts of stuff, not to mention that he also has to run between three other sister companies to fix the network printer issues that popped up from these updates.
Posted on Reply
#22
Chomiq
So from the sound of it looks like that KB simply disabled the group policy for Print Spooler to accept client connections.

Edit.
Nope, checked my VM and it's still set to "Not configured".
Posted on Reply
#23
ThrashZone
ChomiqSo from the sound of it looks like that KB simply disabled the group policy for Print Spooler to accept client connections.

Edit.
Nope, checked my VM and it's still set to "Not configured".
Hi,
That was the easy fix if one had gp to use home users were hosed.
Posted on Reply
#24
lexluthermiester
neatfeatguySounds like you found a work around that's good. Not sure that's something the IT guy here would want to do or have time to do since one of the owners purchased a new company that ties into our line of business and he's had the IT guy over there doing all sorts of stuff, not to mention that he also has to run between three other sister companies to fix the network printer issues that popped up from these updates.
Ouch. Yeah that's a lot of work. I feel bad for the guy.
Posted on Reply
#25
neatfeatguy
Stupid IT guy broke my printing and blames it on the update from Windows.....


I've ran "Check For Windows Updates" and it tells me I'm up to date. However, I don't have this printer security update installed on my computer from MS. A few people at my work have had the update install and they are having printer issues when it comes to multiple printers on one computer or printing over the network.

I'm not having any printing issues. At least, I wasn't having any until I came back from lunch.

The IT guy spent several hours trying to figure out how to fix printer issues - usually it just comes down to the software we're using in Windows is defaulting to the default printer set in Windows and not using the printers that are configured for the software. So basically you go to print a ticket, but it doesn't print to the label printer, it prints to the brother printer or HP printer that's defaulted as the main windows printer.

If you then change the default printer to the label printer, everything tries to print to the label printer.
If you leave the label printer set to default and manually pick a different printer when you go to print, it may print to another printer, but it doesn't use the applied printer settings to use the correct tray(s) on the printer.....shit just isn't working correctly.

Anyway, as I said I haven't had any issues. I don't share my printers and one of them isn't even on the network and I've had zero issues printing. The IT guy was working (remotely) on another coworker's computer and dinking around with settings. I did a few mundane things for him since I'm at site, it was just swapping of some cables and power cycling things......he didn't need my help any more so I went to lunch. I came back about 20 minutes later and I have some Windows printer test page on my label printer. I don't really think anything of it so I tear it off and toss it.

About 10 minutes later I go to print some labels for shipping and nothing has changed from what I can see, the labels default to the label printer. I select OK to have the labels print and they print up on my HP printer off a random tray. I think I maybe got over zealous and mis-clicked to a different printer. So I try to reprint the labels, confirmed the software is pointing to the label printer, but when I print it goes to tray 3 on my HP printer......wtf?

I don't know what the IT guy did, but he fucked up my printing when had no reasons to be fucking around with my printers or settings because no one else uses my printers. Since things are locked down and require ID/Password for UAC I can't do much other than dick with settings. I got things kind of back to functioning correctly, but without being able to uninstall and re-install drivers and reset settings I'm stuck with my band-aid fixes of swapping cables and changing of default printer in Windows.

I chewed out the IT for fucking my printing up and he tells me that the problem is because of the new printer update that's on all the computers...he stands by that reasoning even though I've told him I don't have the update on my computer. I even showed him with a screenshot, but he keeps telling me that the update is on there and I just don't know what I'm looking at.....and this coming from the guy that I had to walk through on how to prevent Windows 10 from pushing the update from last year that broke the printer spooler for me.....I just want to slap the shit out of him.
Posted on Reply
Add your own comment
Dec 22nd, 2024 00:17 EST change timezone

New Forum Posts

Popular Reviews

Controversial News Posts