PrintNightmare: Microsoft Issues Critical Security Updates for Multiple Versions of Windows

[Raevenlord]

Remember that hideous, remotely exploitable vulnerability on Windows' Print Spooler service, which would enable remote attackers to run code with administrator privileges on your machine? Well, Microsoft seems to be waking up from this particular instance of PrintNightmare, as the company has already issued critical, out-of-band security updates (meaning that they're outside Microsoft's cadenced patch rollout) for several versions of windows. Since the Print Spooler service runs by default and is an integral part of Windows releases (likely since the NT platform development), Microsoft has even pushed out patches to OSs that aren't currently supported.

Microsoft has issued correctives for Windows Server 2019, Windows Server 2012 R2, Windows Server 2008, Windows 8.1, Windows RT 8.1, a variety of supported versions of Windows 10, and even Windows 7. As per Microsoft, Windows Server 2012, Windows Server 2016, and Windows 10 Version 1607 products are still missing the security patches, but they're being actively worked on and should be released sooner rather than later. The security patches include mitigations for both the PrintNightmare issue (CVE-2021-34527), as well as another Print Spooler vulnerability that's been previously reported (CVE-2021-1675). The mitigations are being distributed via Windows Update, as always, and the relevant packages are KB5004945 through KB5004959 (depending on your version of Windows).



View at TechPowerUp Main Site

 

[P4-630]

Just installed it... KB5004945

 

[Raevenlord]

Just installed it... KB5004945

Thanks, will update the news piece so people know which KB to download =)

 

[TechLurker]

Aww, was hoping they'd push it all the way back to Win95.

I have a functional, ancient one I still use on occasion to play some Chip's Challenge, nostalgia in Packard Bell Home, and a few real-old CD games that don't like Win7+ (those obscure, silly and sometimes junk games sold at office supply shops that were DOS/95 compatible).

 

[delshay]

Thank you Microsoft for windows 7 support.

As of posting, windows 10 is auto downloading KB5004945.

 

[Makaveli]

When I woke up today it was already installed gotta love patch tuesdays

 

[RJARRRPCGP]

Yep, update-Tuesday on the first Tuesday! This means an out-of-band-emergency!

But fortunately, the update routine didn't fail because of me having the Print Spooler service disabled.

 

[ncrs]

Thank you Microsoft for windows 7 support.

Aren't those just for the ESU subscribers? I don't have a Win7 to test with, so I'm not sure.

 

[TheoneandonlyMrK]

So there's reports the patch didn't work, anyone hear similar?!.

 

[lexluthermiester]

Aren't those just for the ESU subscribers? I don't have a Win7 to test with, so I'm not sure.

Seems everyone will get it.

July 6, 2021—KB5004951 (Security-only update) Out-of-band - Microsoft Support

support.microsoft.com

 

[newtekie1]

So there's reports the patch didn't work, anyone hear similar?!.

I've hear that is completely breaks printing on certain printer brands.

 

[ncrs]

Seems everyone will get it.

July 6, 2021—KB5004951 (Security-only update) Out-of-band - Microsoft Support

support.microsoft.com

The site you quoted states that it's not available from Windows/Microsoft Update, but from the Catalog instead. It also has the usual ESU eligibility comments. I guess the only way to know is to try installing it on a normal Win7

I've hear that is completely breaks printing on certain printer brands.

It requires the drivers to be signed by default now. Some aren't, but it can be changed according to KB5005010.
Actually strike that, it's not what that KB is about, my bad. It might be related, however, and a simple re-installation of the driver by an administrative user might fix the issue.

 

[lexluthermiester]

The site you quoted states that it's not available from Windows/Microsoft Update, but from the Catalog instead. It also has the usual ESU eligibility comments. I guess the only way to know is to try installing it on a normal Win7

It does have a lot of cross talk, but we will see. microsft often changes their minds and their site pages.

 

[newtekie1]

Actually strike that, it's not what that KB is about, my bad. It might be related, however, and a simple re-installation of the driver by an administrative user might fix the issue.

Nothing I could do with the driver would fix the issue, and the driver is definitely signed. The only option was to remove the update. The interesting thing is right after the reboot after uninstalling the update, right when I hit enter after typing the password, the printer started working and spitting out the jobs in the queue.

But I guess I should consider myself lucky, at least this update didn't cause a bluescreen every time a print job was sent to the printer like the update Microsoft released a few months ago.

 

[Space Lynx]

Just installed it... KB5004945

Microsoft’s emergency patch fails to fix critical “PrintNightmare” vulnerability

Game-over code-execution attacks are still possible even after fix is installed.

arstechnica.com

@Raevenlord might want to update the title of your thread don't worry though, M$ will fix it all in Win 11 with that TPM 2.0!!!!

 

[Caring1]

@Raevenlord might want to update the title of your thread

The title is still correct though, they never claimed to have fixed it.

 

[Frick]

The title is still correct though, they never claimed to have fixed it.

It appears to be another thing going on. The patch does fix it, but there's also a vulnerability in the PointAndPrint thing, which is not enabled by default.

"The demo shows that the update fails to fix vulnerable systems that use certain settings for a feature called point and print, which makes it easier for network users to obtain the printer drivers they need."

From the comments:

"Point and Print is not directly related to this vulnerability, but the technology weakens the local security posture in such a way that exploitation will be possible. To disallow Point and Print for non-administrators make sure that warning and elevation prompts are shown for printer installs and updates. The following registry keys are not present by default. Verify that the keys are not present or change the following registry values to 0 (zero):

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint
NoWarningNoElevationOnInstall = 0 (DWORD)
NoWarningNoElevationOnUpdate = 0 (DWORD)"

 

[zlobby]

Aww, was hoping they'd push it all the way back to Win95.

I have a functional, ancient one I still use on occasion to play some Chip's Challenge, nostalgia in Packard Bell Home, and a few real-old CD games that don't like Win7+ (those obscure, silly and sometimes junk games sold at office supply shops that were DOS/95 compatible).

Any news on 3.11?

 

[lexluthermiester]

It appears to be another thing going on. The patch does fix it, but there's also a vulnerability in the PointAndPrint thing, which is not enabled by default.

"The demo shows that the update fails to fix vulnerable systems that use certain settings for a feature called point and print, which makes it easier for network users to obtain the printer drivers they need."

From the comments:

That would make sense. In such a case manual mitigation will be required.

 

[neatfeatguy]

Found out that the updates break printing over the network at my place of work. Had a few folks unable to print their reports and other stuff they needed to non-local printers. So, at the moment it's either the IT guy removes the updates or works on running cables directly from some printers to the computers that are supposed to print from.....

And because it's not me that is having to fix all this stupid crap, I find it hilarious.

 

[lexluthermiester]

Found out that the updates break printing over the network at my place of work. Had a few folks unable to print their reports and other stuff they needed to non-local printers. So, at the moment it's either the IT guy removes the updates or works on running cables directly from some printers to the computers that are supposed to print from.....

And because it's not me that is having to fix all this stupid crap, I find it hilarious.

Been having that same issue with a few test machines. We came up with a different solution after removing the update from the affected test system. We disconnected the network that have the printers from the internet. There are some issues, but at least we can do the jobs needed. It's actually more important for us to have printers than internet. We're gearing up to config two different networks, one with internet & no printers and the other connected to the printers without internet.

 

[neatfeatguy]

Been having that same issue with a few test machines. We came up with a different solution after removing the update from the affected test system. We disconnected the network that have the printers from the internet. There are some issues, but at least we can do the jobs needed. It's actually more important for us to have printers than internet. We're gearing up to config two different networks, one with internet & no printers and the other connected to the printers without internet.

Sounds like you found a work around that's good. Not sure that's something the IT guy here would want to do or have time to do since one of the owners purchased a new company that ties into our line of business and he's had the IT guy over there doing all sorts of stuff, not to mention that he also has to run between three other sister companies to fix the network printer issues that popped up from these updates.

 

[Chomiq]

So from the sound of it looks like that KB simply disabled the group policy for Print Spooler to accept client connections.

Edit.
Nope, checked my VM and it's still set to "Not configured".

 

[ThrashZone]

So from the sound of it looks like that KB simply disabled the group policy for Print Spooler to accept client connections.

Edit.
Nope, checked my VM and it's still set to "Not configured".

Hi,
That was the easy fix if one had gp to use home users were hosed.

 

[lexluthermiester]

Sounds like you found a work around that's good. Not sure that's something the IT guy here would want to do or have time to do since one of the owners purchased a new company that ties into our line of business and he's had the IT guy over there doing all sorts of stuff, not to mention that he also has to run between three other sister companies to fix the network printer issues that popped up from these updates.

Ouch. Yeah that's a lot of work. I feel bad for the guy.