Install immediately: Microsoft delivers emergency patch for PrintNightmare security bug


RV_

This one is out in the wild infecting computers. It is bad enough that Microsoft is patching usually unsupported Windows 7 computers for it. I just downloaded the updates.

Excerpt:

"Microsoft is offering patches for unsupported versions of Windows to plug the so-called PrintNightmare bugs.

Microsoft has released an out-of-band patch for the security flaw known as PrintNightmare that is under attack already and lets attackers take control of a PC.

The PrintNightmare bug is being tracked as CVE-2021-1675 and CVE-2021-34527. It's a critical bug in the Windows print spooler with exploit code in the public domain before Microsoft had a chance to release a patch for it. Admins were advised to disable the Print Spooler service until a patch was made available. 

The remote code execution vulnerability surfaces when the Windows Print Spooler service improperly performs privileged file operations, according to Microsoft. 

"An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights," it warned in an advisory. 

Microsoft has now completed its investigation and released security updates to address the security bug.     

"The security updates released on and after July 6, 2021 contain protections for a remote code execution exploit in the Windows Print Spooler service known as "PrintNightmare", documented in CVE-2021-34527, as well as for CVE-2021-1675," Microsoft said.

"We recommend that you install these updates immediately," Microsoft said. 

The bug looks to be a serious concern at Microsoft, which has taken the rare step of releasing patches for Windows 7. That version of Windows reached the end of mainstream support on January 14, 2020.

Very occasionally Microsoft releases patches for unsupported versions of Windows. It did that for Windows XP in 2017 after the WannaCry ransomware attacks, which were blamed on North Korean hackers.

Windows 7 accounts for a smaller share of all Windows PCs out there today, but the numbers remained significantly large enough for Google to maintain Chrome support for Windows 7 until July 2021."

More in the original article with related hot links here:

https://www.zdnet.com/article/install-immediately-microsoft-delivers-emergency-patch-for-printnightmare-security-bug/?ftag=TRE-03-10aaa6b&bhid=&mid=13427922&cid=2180787277&eh=

 

RV/Derek
http://www.rvroadie.com Email on the bottom of my website page.
Retired AF 1971-1998


When you see a worthy man, endeavor to emulate him. When you see an unworthy man, look inside yourself. - Confucius

 

“Those who can make you believe absurdities, can make you commit atrocities.” ... Voltaire

YW Ray! I am selling all but two AIO desktops, two Mini computers, and one Surface Pro 7 and two Surface Go 2 with LTE.

Updating 8-10 computer systems is a pain to update when they come out.

We have until 2025 to figure out Windows 11. 

New info! It is not completely fixed yet! But the patch does not make it worse.

Get updating: Microsoft delivers PrintNightmare patch for more Windows versions

But Microsoft's patch for the critical PrintNightmare bug might not solve all the problems the flaw has created, say security researchers.

Microsoft has released patches for more versions of Windows affected by the PrintNightmare bug, but researchers claim the patches don't provide complete protection.

Microsoft released out-of-band patches for Windows systems affected by two critical bugs being tracked as CVE-2021-1675 and CVE-2021-34527, and has advised admins to disable the print spooler service until patches are applied. One is a remote code execution flaw, while the second is a local privilege escalation bug. 

"Microsoft identified a security issue that affects all versions of Windows and have expedited a resolution for supported versions of Windows that will automatically be applied to most devices," it said in an update on Wednesday.

The company has now released patches for Windows 10 1607 for enterprise customers still on that version, plus Windows Server 2016 and Windows Server 2012.

Upon installing the security update, users who aren't admins are restricted to installing signed print drivers to a print server while admins can install signed and unsigned printer drivers. 

Admins also have the option to configure the 'RestrictDriverInstallationToAdministrators' registry setting to prevent non-administrators from installing signed printer drivers on a print server.

 

"Prior to installing the July 6, 2021, and newer Windows Updates containing protections for CVE-2021-34527, the printer operators' security group could install both signed and unsigned printer drivers on a printer server," Microsoft notes in an advisory.

"After installing such updates, delegated admin groups like printer operators can only install signed printer drivers. Administrator credentials will be required to install unsigned printer drivers on a printer server going forward."

CISA's advice for this bug is available here

However, via The Register, the creator of the Mimikatz penetration testing kit said he has found a way to bypass the patch on systems by using UNC or the Universal Naming Convention (UNC) string, which is used to point to shared files or devices. Reportedly, Microsoft's patch for CVE-2021-34527 improperly checks remote libraries; it doesn't check for UNC for pointing to remote files.

And security researcher Will Dormann notes that certain registry settings that are meant to mitigate the bug don't prevent local privilege escalation (LCE) or remote code execution (RCE)."

Screenshots of the mitigation areas are in the article with lots of related links here:

https://www.zdnet.com/article/get-updating-microsoft-delivers-printnightmare-patch-for-more-windows-versions/?ftag=TRE-03-10aaa6b&bhid=&mid=13429167&cid=2180787277&eh=

 

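A read-only check of the mitigations mentioned in the thread above (spooler state, updates installed since July 6, 2021, and the 'RestrictDriverInstallationToAdministrators' setting), as an added example that is not part of the original posts or the quoted articles. The function name is hypothetical, the registry key path is not given in the thread and must be supplied from Microsoft's advisory, and the hotfix install date is used only as a rough proxy for patch level.

```powershell
# Added example: read-only audit of the PrintNightmare mitigations named in the thread.
# Changes nothing on the machine. Get-PrintSpoolerExposure is a hypothetical name.
function Get-PrintSpoolerExposure {
    [CmdletBinding()]
    param(
        # Registry key that holds RestrictDriverInstallationToAdministrators.
        # The thread does not give the path; copy it from Microsoft's advisory.
        [string]$PolicyKeyPath,

        # Per the quoted article, updates released on and after this date carry the fix.
        [datetime]$FixDate = [datetime]'2021-07-06'
    )

    # Print Spooler service: the interim advice was to disable it until patched.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='Spooler'"

    # Assumption: InstalledOn (local install date) approximates the release date.
    # A recent install date does not prove the spooler fix itself is present.
    $latest = Get-HotFix |
        Where-Object { $_.InstalledOn } |
        Sort-Object InstalledOn -Descending |
        Select-Object -First 1

    # Optional: read the policy value if a key path was supplied and exists.
    $restrict = $null
    if ($PolicyKeyPath -and (Test-Path -LiteralPath $PolicyKeyPath)) {
        $restrict = (Get-ItemProperty -LiteralPath $PolicyKeyPath `
            -Name 'RestrictDriverInstallationToAdministrators' `
            -ErrorAction SilentlyContinue).RestrictDriverInstallationToAdministrators
    }

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        SpoolerState      = $svc.State        # Running / Stopped
        SpoolerStartMode  = $svc.StartMode    # Auto / Manual / Disabled
        LatestHotFix      = $latest.HotFixID
        LatestInstalledOn = $latest.InstalledOn
        UpdatedSinceFix   = [bool]($latest -and $latest.InstalledOn -ge $FixDate)
        RestrictDriverInstallationToAdministrators = $restrict  # $null = not set or not checked
    }
}

Get-PrintSpoolerExposure | Format-List
```

A machine that shows the spooler running with `UpdatedSinceFix` false is the one to patch first; on machines that never print, `Stop-Service -Name Spooler` followed by `Set-Service -Name Spooler -StartupType Disabled` applies the interim advice quoted above.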
