SecurityWeek
Did Microsoft Botch the PrintNightmare Patch?

Just days after shipping an emergency Windows update to cover a dangerous code execution flaw (CVE-2021-1675) in the Print Spooler service, Microsoft is investigating a new set of claims that its so-called ‘PrintNightmare’ patch has not properly fixed the underlying vulnerability.

The issue has been a public embarrassment for Microsoft over the last two weeks as security researchers used social media to highlight major problems with Redmond’s mitigation guidance and the effectiveness of its out-of-band update.

“We’re aware of claims and are investigating, but at this time we are not aware of any bypasses,” Microsoft said in a short statement sent to SecurityWeek. “We have seen claims of bypass where an administrator has changed default registry settings to an unsecure configuration. See CVE-2021-34527 guidance for more information on settings required to secure your system,” it added.

The company followed up with a blog post late Thursday insisting the emergency patch is “working as designed” and “effective against the known print spooling exploits.”


“All reports we have investigated have relied on the changing of default registry settings related to Point and Print to an insecure configuration,” the company said, referring to a Windows capability that allows a Windows client to create a connection to a remote printer without providing disks or other installation media. 

Microsoft’s latest clarifications come on the heels of claims by multiple researchers that the vulnerability still presents a code execution path in certain circumstances. Mimikatz creator Benjamin Delpy used Twitter to publish a demo video documenting an attack on a fully patched system.

Delpy’s demonstration worked on Windows machines with the Point and Print capability enabled and with the “NoWarningNoElevationOnInstall” policy value set to a non-zero value, a configuration that is not the default and that the CVE-2021-34527 advisory explicitly tells administrators to avoid.

The ‘PrintNightmare’ issue has been a self-inflicted thorn in Microsoft’s side since the June Patch Tuesday when it misdiagnosed the severity of a Print Spooler flaw, only to update its guidance a few weeks later to confirm remote code execution vectors.


At the same time, the Black Hat conference announced the acceptance of a presentation on the details of the vulnerability by researchers at Sangfor, a Chinese security vendor that promptly released proof-of-concept code and a full technical write-up that showed a path to remote code execution.


The demo exploit code was quickly removed by Sangfor, but not before it was copied and actively shared on public forums.

In the face of public criticisms, Redmond issued a pre-patch advisory with news that ‘PrintNightmare’ was indeed a new zero-day, different from the misdiagnosed bug in the June 2021 patch batch.

Print Spooler, a Windows service that runs by default on every edition of Windows, manages all print jobs sent to a local printer or print server. Because it runs with high privileges and is reachable over the network, a code execution bug in it is especially dangerous on domain controllers and other systems that never print.

Despite the communication hiccups, Microsoft is strongly recommending that Windows users follow these steps immediately:

  • In ALL cases, apply the CVE-2021-34527 security update. The update will not change existing registry settings.
  • After applying the security update, review the registry settings documented in the CVE-2021-34527 advisory.
  • If the registry keys documented do not exist, no further action is required.
  • If the registry keys documented exist, in order to secure your system, you must confirm that the following values under the key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint are set to 0 (zero) or are not present:
    • NoWarningNoElevationOnInstall = 0 (DWORD) or not defined (default setting)
    • UpdatePromptSettings = 0 (DWORD) or not defined (default setting)

The U.S. government’s CISA cybersecurity agency is urging Windows fleet admins to stop and disable the Print Spooler service on domain controllers and on systems that do not need to print, which removes the attack surface entirely rather than relying on the patch and registry settings.
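The following PowerShell script is an added example, not code from the article or from Microsoft. It audits the two Point and Print values named in the CVE-2021-34527 guidance above, optionally sets them back to the secure value of 0, and, following the CISA recommendation, can stop and disable the Print Spooler service. The -Remediate and -DisableSpooler switches are assumptions of this script, not Microsoft settings, and the script does not verify that the update itself is installed because the article does not name a KB number to check for.

```powershell
# Added example (not from the article, Microsoft or CISA). Run in an elevated
# PowerShell session on the host being audited.
# -Remediate and -DisableSpooler are assumed switch names for this script.
[CmdletBinding()]
param(
    [switch]$Remediate,       # set insecure Point and Print values back to 0
    [switch]$DisableSpooler   # stop and disable the Print Spooler service
)

# Policy key and values called out in the CVE-2021-34527 advisory.
$Key    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$Values = 'NoWarningNoElevationOnInstall', 'UpdatePromptSettings'

function Test-PointAndPrint {
    # Returns one object per value with its current data and whether it is in the
    # advisory's secure state: 0 (DWORD) or not defined at all.
    foreach ($name in $Values) {
        $current = $null
        if (Test-Path -Path $Key) {
            $current = (Get-ItemProperty -Path $Key -Name $name -ErrorAction SilentlyContinue).$name
        }
        [pscustomobject]@{
            Value   = $name
            Present = ($null -ne $current)
            Current = $current
            Secure  = ($null -eq $current -or $current -eq 0)
        }
    }
}

$results = Test-PointAndPrint
$results | Format-Table -AutoSize

$insecure = @($results | Where-Object { -not $_.Secure })
if ($insecure.Count -gt 0) {
    if ($Remediate) {
        foreach ($r in $insecure) {
            # The security update does not touch existing registry settings, so an
            # administrator-set value of 1 stays in place until changed explicitly.
            Set-ItemProperty -Path $Key -Name $r.Value -Value 0 -Type DWord
            Write-Host "Set $($r.Value) to 0 (was $($r.Current))"
        }
    }
    else {
        Write-Warning ("Insecure Point and Print values: {0}. Rerun with -Remediate to set them to 0." -f ($insecure.Value -join ', '))
    }
}
else {
    Write-Host 'Point and Print values are in the default (secure) state.'
}

# Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC.
$domainRole = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
$isDC = $domainRole -ge 4

$spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
if ($spooler) {
    if ($DisableSpooler) {
        # CISA guidance: no spooler on domain controllers or on hosts that never print.
        Stop-Service -Name Spooler -Force
        Set-Service -Name Spooler -StartupType Disabled
        Write-Host "Print Spooler stopped and disabled (DomainRole=$domainRole)."
    }
    elseif ($isDC -and $spooler.Status -eq 'Running') {
        Write-Warning 'This host is a domain controller and the Print Spooler is running; rerun with -DisableSpooler.'
    }
}
```

Run it without switches first to see the current state; the audit reports both values as secure on a default install because the policy key is normally absent. Use -Remediate only after confirming that no deployment process legitimately depends on the non-default Point and Print values, and use -DisableSpooler on domain controllers and servers that never print, since disabling the service also breaks printing on that host.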


Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.
