Microsoft Confirms That the Emergency Updates Address the Print Spooler (PrintNightmare) Vulnerability (CVE-2021-34527); Hardening Guidance in KB5005010.
Print Spooler: a program that stores print output in memory or on disk so that an application can hand off a print job without waiting for the printer. The spooler then feeds the stored output to the printer at the speed the printer can accept it.
In Microsoft Windows this is the Print Spooler service (spoolsv.exe, historically surfaced to users as Print Manager). When several users or several jobs compete for one printer, the spooler queues the jobs and dispatches them to the printer in priority order.
Microsoft says the emergency security updates released earlier this week do address the Print Spooler vulnerability on all supported versions of Windows, but only when the Point and Print registry settings are at their defaults; with non-default settings the fix can be bypassed.
Immediately after the out-of-band updates (for example KB5004945) were released, several researchers questioned their effectiveness and showed that the updates alone did not eliminate the vulnerability.
Researchers demonstrated that systems with the emergency patch installed could still be exploited for both remote code execution (RCE) and local privilege escalation (LPE).
Shortly after the patch was released, researcher Matthew Hickey found that it was incomplete and that attackers and malware could still use the vulnerability to gain SYSTEM privileges.
Will Dormann, a vulnerability analyst at CERT/CC, also reported that the update did not fully block the attack.
Benjamin Delpy, author of the Mimikatz tool, showed that the patch can be bypassed to achieve remote code execution when Point and Print is configured to install printer drivers without a warning or elevation prompt (that is, when NoWarningNoElevationOnInstall is set to 1 rather than the default 0).
Microsoft recommends that customers immediately follow these steps:
- In all cases, apply the security update for CVE-2021-34527. Note that the update does not change existing registry settings, so the following checks are still required after patching.
- After applying the security update, review the registry settings listed in the FAQ section of the CVE-2021-34527 advisory.
- If the registry keys listed below are not present, no further action is required.
- If the registry keys are present, make sure that both of the following values are set to 0 (zero) or are not defined at all:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint
- NoWarningNoElevationOnInstall = 0 (DWORD), or undefined. (Default setting)
- UpdatePromptSettings = 0 (DWORD), or undefined. (Default setting)
Users who cannot install the security update immediately are advised to temporarily disable the Windows Print Spooler service to reduce exposure to PrintNightmare. Note that this stops all printing, local and remote, on that host.
To stop the service from the Windows desktop, open:
Control Panel \ System and Security \ Administrative Tools \ Services
Find Print Spooler in the list, choose Stop, and then set its Startup type to Disabled in the service's Properties so that it does not start again at the next reboot.
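The registry review in the steps above and the interim mitigation of stopping the spooler can both be done from an elevated PowerShell session. The script below is an added example written for this page, not Microsoft's own tooling: the function names and the script-level variables are this example's assumptions, and the registry path and value names are the ones from the guidance above.

```powershell
# Added example (not from Microsoft or the original article): audit the
# Point and Print values named in the CVE-2021-34527 guidance and, where a
# host cannot be patched yet, stop and disable the Print Spooler.
# Run in an elevated PowerShell session. Function and variable names are
# this example's own choices.

$PointAndPrintKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$CheckedValues    = 'NoWarningNoElevationOnInstall', 'UpdatePromptSettings'

function Test-PointAndPrintHardening {
    # Returns $true when every checked value is absent or 0, which is the
    # configuration the patched spooler relies on. A non-zero value means
    # the patch can still be bypassed on this host.
    if (-not (Test-Path -Path $PointAndPrintKey)) {
        Write-Host "Key not present: $PointAndPrintKey (defaults apply, no action needed)"
        return $true
    }
    $ok    = $true
    $props = Get-ItemProperty -Path $PointAndPrintKey
    foreach ($name in $CheckedValues) {
        $value = $props.$name
        if ($null -eq $value) {
            Write-Host "OK   $name is undefined"
        } elseif ($value -eq 0) {
            Write-Host "OK   $name = 0"
        } else {
            Write-Warning "$name = $value (must be 0 or undefined; patch can be bypassed)"
            $ok = $false
        }
    }
    return $ok
}

function Repair-PointAndPrintHardening {
    # Sets both values to 0. The security update leaves existing registry
    # settings untouched, so this is a separate step from patching.
    if (-not (Test-Path -Path $PointAndPrintKey)) { return }
    foreach ($name in $CheckedValues) {
        Set-ItemProperty -Path $PointAndPrintKey -Name $name -Value 0 -Type DWord
    }
}

function Disable-PrintSpooler {
    # Interim mitigation for hosts that cannot be patched yet: stop the
    # service now and keep it from starting at boot. Printing stops working
    # on this host until the service is re-enabled.
    Stop-Service -Name Spooler -Force
    Set-Service  -Name Spooler -StartupType Disabled
    Get-Service  -Name Spooler | Select-Object Name, Status, StartType
}

# Usage: audit first, repair only if a value is wrong, then re-audit.
if (-not (Test-PointAndPrintHardening)) {
    Repair-PointAndPrintHardening
    Test-PointAndPrintHardening | Out-Null
}
# On an unpatched host, additionally run:  Disable-PrintSpooler
```

Run the audit across a fleet with your usual remote execution tooling before changing anything; the registry values are typically delivered by Group Policy, so a local repair will be reverted at the next policy refresh unless the policy itself is corrected.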