Did Microsoft Botch the PrintNightmare Patch?

Just days after shipping an emergency Windows update to cover a dangerous code execution flaw (CVE-2021-1675) in the Print Spooler service, Microsoft is investigating a new set of claims that its so-called ‘PrintNightmare’ patch has not properly fixed the underlying vulnerability.

The issue has been a public embarrassment for Microsoft over the last two weeks as security researchers used social media to highlight major problems with Redmond’s mitigation guidance and the effectiveness of its out-of-band update.

“We’re aware of claims and are investigating, but at this time we are not aware of any bypasses,” Microsoft said in a short statement sent to SecurityWeek.   “We have seen claims of bypass where an administrator has changed default registry settings to an unsecure configuration. See CVE-2021-34527 guidance for more information on settings required to secure your system,” it added.

The company followed up with a blog post late Thursday insisting the emergency patch is “working as designed” and “effective against the known print spooling exploits.”

[ Related: Microsoft Ships Emergency PrintNightmare Patch ]

Microsoft’s latest clarifications come on the heels of claims by multiple researchers that the vulnerability still presents a code execution path in certain circumstances.  Mimikatz creator Benjamin Delpy used Twitter to publish a demo video documenting an attack on a fully patched system.

Delpy’s demonstration worked on Windows machines with the Point and Print capability enabled and with the “NoWarningNoElevationOnInstall” option selected.  

The ‘PrintNightmare’ issue has been a self-inflicted thorn in Microsoft’s side since the June Patch Tuesday when it misdiagnosed the severity of a Print Spooler flaw, only to update its guidance a few weeks later to confirm remote code execution vectors.

At the same time, the Black Hat conference announced the acceptance of a presentation on the details of the vulnerability by researchers at Sangfor, a Chinese security vendor that promptly released proof-of-concept code and a full technical write-up that showed a path to remote code execution.

[ Related: Windows Admins Scrambling to Contain ‘PrintNightmare’ Flaw ]

The demo exploit code was quickly removed by Sangfor, but not before it was copied and actively shared on public forums.

In the face of public criticisms, Redmond issued a pre-patch advisory with news that ‘PrintNightmare’ was indeed a new zero-day, different from the misdiagnosed bug in the June 2021 patch batch.

Print Spooler, turned on by default on Microsoft Windows, is an executable file that’s responsible for managing all print jobs getting sent to the computer printer or print server. 

Despite the communication hiccups, Microsoft is strongly recommending that Windows users follow these steps immediately:

• In ALL cases, apply the CVE-2021-34527 security update. The update will not change existing registry settings
• After applying the security update, review the registry settings documented in the CVE-2021-34527 advisory
• If the registry keys documented do not exist, no further action is required
• If the registry keys documented exist, in order to secure your system, you must confirm that the following registry keys are set to 0 (zero) or are not present:
  • HKEY_LOCAL_MACHINESOFTWAREPoliciesMicrosoftWindows NTPrintersPointAndPrint
  • NoWarningNoElevationOnInstall = 0 (DWORD) or not defined (default setting)
  • UpdatePromptSettings = 0 (DWORD) or not defined (default setting)

The U.S. government’s CISA cybersecurity agency is urging Windows fleet admins to disable the Windows Print spooler service in Domain Controllers and systems that do not print.   

Related: Windows Admins Scrambling to Contain ‘PrintNightmare’ Flaw 

Related: Microsoft Warns of Under-Attack Windows Kernel Flaw

Related: Microsoft Patch Tuesday: 83 Vulnerabilities, 10 Critical, 1 Actively Exploited