Microsoft releases emergency security fix for PrintNightmare flaw — update right now


Updated July 7 to clarify that this patch does not fix the local privilege escalation flaw, and updated July 8 to note that the patch will not work at all in certain enterprise-server configurations.

Microsoft today (July 6) pushed out an emergency patch to fix the very serious print-spooler flaw that was disclosed last week by accident.

The flaw, commonly known as "PrintNightmare" but catalogued as CVE-2021-34527, lets hackers remotely seize control of any Windows system. Servers and enterprise Windows deployments are especially vulnerable to attacks using this flaw, but any computer running Windows 7 through the latest version of Windows 10 can be hit.

What you need to do

To install today's update, run Windows Update on your Windows 10, 8.1 or 7 machine. Windows 10 users will see an update notice referring to knowledge base (KB) article KB5004940, KB5004945, KB5004946, KB5004947, depending on their build. For Windows 8.1, the knowledge base references are KB5004954 and KB5004958; Windows 7 gets KB5004951 or KB5004953. There's more information in this Microsoft security bulletin.

After the update has been downloaded, you'll be prompted to restart your machine to install the patch.

Don't want the patch? Here's what to do

If you're truly leet and you think you don't need to install the patch, find out by firing up PowerShell and typing in "Get-Service -Name Spooler" to see if the print spooler is running at all. (If you regularly print documents, it probably is. If you don't know what PowerShell is, don't do this.)

You can disable Print Spooler by typing the following into PowerShell, in order:

    Stop-Service -Name Spooler -Force
    Set-Service -Name Spooler -StartupType Disabled

However, as Microsoft warns, "disabling the Print Spooler service disables the ability to print both locally and remotely." If you're a serious gamer who hasn't touched a piece of paper in three years, that may not matter.

Everyone else will just want to install the patch so that they can keep on printing. However, there is a small downside to applying the patch; it will be harder for non-administrative users to install print drivers that are not "signed" by the manufacturer.

As the software that comes with most printers requires an administrator to install it anyway, this should not be a huge setback. If you really want limited users to be able to install unsigned software on your machine (bad idea), then Microsoft shows you how to tweak the Registry to make that possible here.

Someday we'll all laugh about this

The saga of PrintNightmare may seem funny in a few weeks, after everyone has patched their systems. The short version is that Microsoft fixed a very similar Print Spooler flaw in the June Patch Tuesday updates released June 8, and then raised the severity of that flaw on June 21.

A Hong Kong security firm saw that notice of severity escalation and assumed that Microsoft had fixed a flaw the security firm had (presumably) privately disclosed to Microsoft. The security firm had planned to publicly disclose the flaw at the Black Hat USA security conference in Las Vegas next month.

But after Microsoft seemed to have fixed it, the security firm on June 28 posted a proof-of-concept exploit — basically a demonstration of how to stage an attack using the flaw — on Twitter.

Whoops. Turns out Microsoft patched a different flaw, and the Hong Kong firm's exploit worked just fine on fully patched systems.

The Hong Kong firm quickly deleted the tweet, but the secret was out, and Microsoft said it soon began to hear of the exploit being used "in the wild." We have more on the story here.

Update: Gotta read the fine print

In our haste to get this story up at the end of the day Tuesday, we neglected to read between the lines on the Microsoft security bulletin and notice that our friends in Redmond mentioned only the "remote code execution [RCE] exploit in the Windows Print Spooler service."

There's a second way to exploit CVE-2021-34527, and that's by getting a foothold on the machine and raising your "privileges" to seize control — a local privilege-escalation (LPE) flaw, in information-security speak. It turns out that aspect has NOT been fixed.

LPE flaws are a bit less serious than RCE flaws because the latter let anyone hack a machine over the internet, while the former requires physical or at least local-network access. However, malware that infects a machine through other means can then use an LPE flaw to hijack a system.

As the tweet above indicates, Windows 10 machines get a bit more protection against this particular LPE flaw because an optional service has to be turned on to allow the exploit. Windows 7, 8 and 8.1 are more vulnerable.

Also, at the very end of the Microsoft bulletin there's this: "Updates are not yet available for Windows 10 version 1607, Windows Server 2016, or Windows Server 2012. Security updates for these versions of Windows will be released soon." [Update: Those security updates were released later in the day on July 7. See below.]

Windows 10 version 1607 was released in August 2016, and we recommend that anyone still using it should upgrade to more recent versions — they're free — unless there's a specific reason to stay on 1607.

Update: Further complications

French white-hat hacker Benjamin Delpy did some poking around and demonstrated Wednesday (July 7) that even the remote-code-execution flaw is still possible following the PrintNightmare patch, provided the Windows system has certain optional settings enabled that you would normally find only in an enterprise (i.e., business or other large organization) environment.

Specifically, the machine must have a feature called "Point and Print" enabled, which lets an endpoint client — a workplace desktop or laptop — install a printer on the local network more easily, without the trouble of manually installing the printer driver software.

The machine must also be set to bypass two security safeguards that warn the end user when software "elevates" privileges to gain greater control over a Windows system than it's supposed to have.

All three settings weaken the overall security of the machine in general, regardless of their greater exposure to PrintNightmare, and are not anything you would normally find on home Windows computers.

Point and Print is not even installed, let alone enabled, on most PCs by default. We could not find it on our own PC running a recent build of Windows 10 Home.

Microsoft updated its security bulletin on July 7 to account for Delpy's findings. It states that:

"In order to secure your system, you must confirm that the following registry settings are set to 0 (zero) or are not defined (Note: These registry keys do not exist by default, and therefore are already at the secure setting.):"

  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint
  • NoWarningNoElevationOnInstall = 0 (DWORD) or not defined (default setting)
  • NoWarningNoElevationOnUpdate = 0 (DWORD) or not defined (default setting)
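
A read-only PowerShell check for the conditions described in this article, added here as an illustration and not taken from Microsoft's bulletin or the original story. It assumes Windows PowerShell 5.1; the function name, variable names and output columns are made up for this example.

```powershell
# Added example: read-only audit; it changes nothing on the machine.
# Assumes Windows PowerShell 5.1. All names below are illustrative.
$key   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$names = 'NoWarningNoElevationOnInstall', 'NoWarningNoElevationOnUpdate'
# KB numbers as listed in the article for Windows 10, 8.1 and 7.
$kbs   = 'KB5004940', 'KB5004945', 'KB5004946', 'KB5004947',
         'KB5004954', 'KB5004958', 'KB5004951', 'KB5004953'

function Get-PointAndPrintSetting {
    param([string]$Path, [string]$Name)
    # A missing key or value is the secure default, per Microsoft's bulletin.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return [pscustomobject]@{ Check = $Name; Value = 'not defined'; Note = 'secure default' }
    }
    $note = if ($item.$Name -eq 0) { 'secure' } else { 'INSECURE: set to 0 or delete' }
    [pscustomobject]@{ Check = $Name; Value = $item.$Name; Note = $note }
}

$report = @()
foreach ($n in $names) { $report += Get-PointAndPrintSetting -Path $key -Name $n }

# Spooler state: stopped and disabled removes the exposure (and all printing).
$svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
if ($svc) {
    $off  = ($svc.Status -eq 'Stopped') -and ($svc.StartType -eq 'Disabled')
    $note = if ($off) { 'spooler disabled' } else { 'spooler in use: the patch is required' }
    $report += [pscustomobject]@{
        Check = 'Spooler service'
        Value = "$($svc.Status), start type $($svc.StartType)"
        Note  = $note
    }
}

# Look for one of the listed updates. A later cumulative update replaces them,
# so "none found" means "check Windows Update", not "definitely unpatched".
$found = @(Get-HotFix | Where-Object { $kbs -contains $_.HotFixID })
$value = if ($found.Count) { $found.HotFixID -join ', ' } else { 'none of the listed KBs' }
$note  = if ($found.Count) { 'update installed' } else { 'run Windows Update' }
$report += [pscustomobject]@{ Check = 'PrintNightmare update'; Value = $value; Note = $note }

$report | Format-Table -AutoSize
```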

Microsoft also stated on July 7 that "The security update[s] for Windows Server 2012, Windows Server 2016 and Windows 10, Version 1607 have been released."

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.

Source: https://www.tomsguide.com/news/printnightmare-windows-patch

Posted by: mcfaddenfunce1977.blogspot.com
