Updated July 7 to clarify that this patch does not fix the local privilege escalation flaw, and updated July 8 to note that the patch will not work at all in certain enterprise-server configurations.
Microsoft today (July 6) pushed out an emergency patch to fix the very serious print-spooler flaw that was disclosed last week by accident.
The flaw, commonly known as "PrintNightmare" but catalogued as CVE-2021-34527, lets hackers remotely seize control of any Windows system. Servers and enterprise Windows deployments are especially vulnerable to attacks using this flaw, but any computer running Windows 7 through the latest version of Windows 10 can be hit.
What you need to do
To install today's update, run Windows Update on your Windows 10, 8.1 or 7 machine. Windows 10 users will see an update notice referring to knowledge base (KB) article KB5004940, KB5004945, KB5004946, KB5004947, depending on their build. For Windows 8.1, the knowledge base references are KB5004954 and KB5004958; Windows 7 gets KB5004951 or KB5004953. There's more information in this Microsoft security bulletin.
After the update has been downloaded, you'll be prompted to restart your machine to install the patch.
Don't want the patch? Here's what to do
If you're truly leet and you think you don't need to install the patch, find out by firing up PowerShell and typing in "Get-Service -Name Spooler" to see if the print spooler is running at all. (If you regularly print documents, it probably is. If you don't know what PowerShell is, don't do this.)
You can disable Print Spooler by typing the following into PowerShell, in order:
Stop-Service -Name Spooler -Force
Set-Service -Name Spooler -StartupType Disabled
However, as Microsoft warns, "disabling the Print Spooler service disables the ability to print both locally and remotely." If you're a serious gamer who hasn't touched a piece of paper in three years, that may not matter.
Everyone else will just want to install the patch so that they can keep on printing. However, there is a small downside to applying the patch; it will be harder for non-administrative users to install print drivers that are not "signed" by the manufacturer.
As the software that comes with most printers requires an administrator to install it anyhow, this should not be a huge setback. If you really want limited users to be able to install unsigned software on your machine (bad idea), then Microsoft shows you how to tweak the Registry to make that possible here.
Someday we'll all laugh about this
The saga of PrintNightmare may seem funny in a few weeks, after everyone has patched their systems. The short version is that Microsoft fixed a very similar Print Spooler flaw in the June Patch Tuesday updates released June 8, and then raised the severity of that flaw on June 21.
A Hong Kong security firm saw that notice of severity escalation and assumed that Microsoft had fixed a flaw the security firm had (presumably) privately disclosed to Microsoft. The security firm had planned to publicly disclose the flaw at the Black Hat USA security conference in Las Vegas next month.
But after Microsoft seemed to have fixed it, the security firm on June 28 posted a proof-of-concept exploit — basically a demonstration of how to stage an attack using the flaw — on Twitter.
Whoops. Turns out Microsoft patched a different flaw, and the Hong Kong firm's exploit worked just fine on fully patched systems.
The Hong Kong firm quickly deleted the tweet, but the secret was out, and Microsoft said it soon began to hear of the exploit being used "in the wild." We have more on the story here.
Update: Gotta read the fine print
In our haste to get this story up at the end of the day Tuesday, we neglected to read between the lines on the Microsoft security bulletin and notice that our friends in Redmond mentioned only the "remote code execution [RCE] exploit in the Windows Print Spooler service."
There's a second way to exploit CVE-2021-34527, and that's by getting a foothold on the machine and raising your "privileges" to seize control — a local privilege-escalation (LPE) flaw, in information-security speak. It turns out that aspect has NOT been fixed.
The Microsoft fix released for recent #PrintNightmare vulnerability addresses the remote vector - however the LPE variations still function. These work out of the box on Windows 7, 8, 8.1, 2008 and 2012 but require Point&Print configured for Windows 2016,2019,10 & 11(?). 🤦♂️ https://t.co/PRO3p99CFo
July 6, 2021
LPE flaws are a bit less serious than RCE flaws because the latter let anyone hack a machine over the internet, while the former requires physical or at least local-network access. However, malware that infects a machine through other means can then use an LPE flaw to hijack a system.
As the tweet above indicates, Windows 10 machines get a bit more protection against this particular LPE flaw because an optional service has to be turned on to permit the exploit. Windows 7, 8 and 8.1 are more vulnerable.
Also, at the very end of the Microsoft bulletin there's this: "Updates are not yet available for Windows 10 version 1607, Windows Server 2016, or Windows Server 2012. Security updates for these versions of Windows will be released soon." [Update: Those security updates were released later in the day on July 7. See below.]
Windows 10 version 1607 was released in August 2016, and we recommend that anyone still using it should upgrade to more recent versions — they're free — unless there's a specific reason to stay on 1607.
Update: Further complications
French white-hat hacker Benjamin Delpy did some poking around and demonstrated Wednesday (July 7) that even the remote-code-execution flaw is still exploitable following the PrintNightmare patch, provided the Windows system has certain optional settings enabled that you would normally find only in an enterprise (i.e., business or other large organization) environment.
Dealing with strings & filenames is hard 😉 New function in #mimikatz 🥝 to normalize filenames (bypassing checks by using UNC instead of \\server\share format). So a RCE (and LPE) with #printnightmare on a fully patched server, with Point & Print enabled > https://t.co/Wzb5GAfWfd pic.twitter.com/HTDf004N7r
July 7, 2021
Specifically, the machine must have a feature called "Point and Print" enabled, which lets an endpoint client — a workplace desktop or laptop — install a printer on the local network more easily, without the trouble of manually installing the printer driver software.
The machine must also be set to bypass two security safeguards that warn the end user when software "elevates" privileges to gain greater control over a Windows system than it's supposed to have.
All three settings weaken the overall security of the machine in general, quite apart from the extra exposure to PrintNightmare they create, and are not anything you would normally find on home Windows computers.
Point and Print is not even installed, let alone enabled, on most PCs by default. We could not find it on our own PC running a recent build of Windows 10 Home.
Microsoft updated its security bulletin on July 7 to account for Delpy's findings. It states that:
"In order to secure your system, you must confirm that the following registry settings are set to 0 (zero) or are not defined (Note: These registry keys do not exist by default, and therefore are already at the secure setting.):"
- Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint
- Value: NoWarningNoElevationOnInstall = 0 (DWORD) or not defined (default setting)
- Value: NoWarningNoElevationOnUpdate = 0 (DWORD) or not defined (default setting)
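If you want to check all of this in one go rather than by hand, the following PowerShell script is an added example written for this article; it is not code from Microsoft or from the researchers quoted above. It reads three things the article discusses: whether one of the KB updates listed under "What you need to do" is installed, whether the Print Spooler service is running and how it is set to start, and whether the two Point and Print registry values Microsoft names are at the secure setting (0 or not defined). It changes nothing on the machine. It assumes Windows PowerShell 5.1 or later (for the service StartType property) and should be run from an elevated prompt so the policy key can be read.

```powershell
# Added example: read-only PrintNightmare posture check (not from the article or Microsoft).
# Run in an elevated Windows PowerShell 5.1+ session. Nothing is modified.

# KB numbers copied from the article for Windows 10, 8.1 and 7.
$PatchKbs = @('KB5004940', 'KB5004945', 'KB5004946', 'KB5004947',
              'KB5004954', 'KB5004958', 'KB5004951', 'KB5004953')

function Test-PrintNightmarePatch {
    # Get-HotFix lists installed updates by KB id.
    $installed = Get-HotFix | Where-Object { $PatchKbs -contains $_.HotFixID }
    if ($installed) {
        foreach ($h in $installed) {
            "Patch present: $($h.HotFixID) installed $($h.InstalledOn)"
        }
    } else {
        # Later cumulative updates supersede these KBs, so absence is a prompt to look, not proof.
        "No listed July 2021 update found; run Windows Update and re-check."
    }
}

function Test-SpoolerService {
    # Same check as "Get-Service -Name Spooler", plus the start type.
    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    if (-not $svc) { return "Print Spooler service not present." }
    "Print Spooler: Status=$($svc.Status), StartType=$($svc.StartType)"
}

function Test-PointAndPrintSettings {
    # Key and value names exactly as in the Microsoft bulletin quoted above.
    $key   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
    $names = @('NoWarningNoElevationOnInstall', 'NoWarningNoElevationOnUpdate')

    if (-not (Test-Path $key)) {
        # The key does not exist by default; that is the secure setting.
        return "Point and Print policy key not defined (secure default)."
    }
    foreach ($n in $names) {
        $v = (Get-ItemProperty -Path $key -Name $n -ErrorAction SilentlyContinue).$n
        if ($null -eq $v) {
            "$n = not defined (secure)"
        } elseif ($v -eq 0) {
            "$n = 0 (secure)"
        } else {
            "$n = $v  <-- WARNING: elevation warnings suppressed; set to 0 or remove the value"
        }
    }
}

Test-PrintNightmarePatch
Test-SpoolerService
Test-PointAndPrintSettings
```

A machine that reports a listed patch (or a newer cumulative update), a stopped and disabled spooler where printing is not needed, and both Point and Print values undefined or 0 matches the configuration Microsoft describes as secure in the bulletin; anything else is worth a second look before assuming the patch alone has you covered.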
Microsoft also stated on July 7 that "The security update[s] for Windows Server 2012, Windows Server 2016 and Windows 10, Version 1607 have been released."