After the dangerous PrintNightmare vulnerability was disclosed, Microsoft released an emergency security patch for Windows 10 and 7, but the problem was not completely solved.
Microsoft usually releases several updates to its users as part of its monthly Patch Tuesday process. Still, the company released an emergency security update on Monday to address an important and dangerous vulnerability called PrintNightmare.
According to the latest findings from researchers, the emergency patch did not eliminate the vulnerability in all supported versions of Windows. Even after it is installed, attackers can still take control of affected systems and execute code of their choosing.
What is the PrintNightmare vulnerability?
The threat exploits bugs in Windows printing, and researchers are tracking the vulnerability as CVE-2021-34527. The PrintNightmare bug affects the Windows Print Spooler service, which runs by default. Microsoft's executive summary reads:
There are vulnerabilities in the execution of the code when the Windows Print Spooler service performs improperly. An attacker who successfully exploits this bug could execute arbitrary code with system privileges, install programs, view, modify or delete data, and even create new accounts with full user rights.
In other words, PrintNightmare allows attackers to gain access to your system over the Internet. “All supported versions of Windows are affected by this vulnerability,” Microsoft warns.
Will Dormann, Senior Vulnerability Analyst at the CERT Coordination Center, a US federally funded nonprofit project that researches software bugs, says:
This is one of the most important issues I have encountered in recent years. Nothing happens whenever there is news of a vulnerability code that has not yet been fully patched and could compromise the Windows domain controller.
Microsoft security patches and bugs that were not completely fixed
The company has released emergency security patches for most versions of Windows 10, Windows 8.1, Windows RT 8.1, and various Windows Server versions.
“Supported versions of Windows that were not released on July 6 will be updated shortly thereafter,” Microsoft said in a statement. The vulnerability was so severe that a security patch was released even for Windows 7, a version that was retired last year.
At the time, Microsoft had released the patches only as a temporary fix, and security researcher Matthew Hickey said the patches only eliminated the risk of remote exploitation.
This meant that if an attacker succeeded in physically accessing your system, he could still use PrintNightmare to gain control of it.
Not long after the emergency update was released, it became clear that attackers could bypass the security patch.
“It’s hard to deal with strings and filenames,” Benjamin Delpy, developer of the hacking and network utility Mimikatz and several other programs, said in a tweet.
Dealing with strings & filenames is hard😉
New function in #mimikatz 🥝to normalize filenames (bypassing checks by using UNC instead of \\server\share format)
So a RCE (and LPE) with #printnightmare on a fully patched server, with Point & Print enabled
– 🥝 Benjamin Delpy (@gentilkiwi) July 7, 2021
A video was also posted with the tweet showing how attackers could bypass the new security patch installed on Windows Server 2019. The demo shows that the update does not fix vulnerable systems that use certain settings for the Point and Print feature.
This feature makes it easier for network users to access the required printer drivers.
In fact, this feature is not directly related to the vulnerability, but the technology weakens the local security posture in such a way that it can be abused.
Some printers fail after installing a security patch
As if the story of a dangerous Windows security flaw were not bad enough, some users who installed the published security patch have noticed that they lost the connection to their printer.
This spring, another similar problem occurred with a different Windows 10 security update. System administrators noticed that many PCs suddenly could not connect to printers (especially several Zebra models) after installing the KB5004945 patch.
Microsoft has acknowledged the problem as a known issue and said it could be fixed by rolling back the patch or reinstalling the printer. Zebra, meanwhile, has issued a statement acknowledging the problem and saying that Microsoft plans to update the patch in the next few days to address the issue:
We are aware of an issue with the KB5004945 update on July 6 that affects different brands of printers. Microsoft has been investigating this issue and plans to release an update in the next day or two. An immediate solution to this problem is to install the KB5004945 update or uninstall the damaged printer driver and reinstall it. Customers who need help working with a Zebra printer can contact our technical support team.
Problems for Microsoft users
One of the problems PrintNightmare poses for Microsoft users is the lack of a complete security patch. Last month, Microsoft's monthly security patch fixed CVE-2021-1675, a bug that gave hackers a different level of access.
Microsoft has credited the discovery of the bug to Zhipeng Huo, Piotr Madej, and Yunhai Zhang.
A few weeks later, two different researchers, Zhiniang Peng and Xuefeng Li, published an analysis of CVE-2021-1675, which showed that it could be used to escalate privileges and achieve remote code execution.
The researchers named their discovery PrintNightmare. Eventually, researchers determined that PrintNightmare exploited a vulnerability similar to, but different from, CVE-2021-1675.
At present, at least three different exploits are available to the public, some of which have capabilities beyond the initial vulnerability.
Imposition of more severe restrictions with Microsoft security patch
Microsoft's fix protects Windows servers set up as domain controllers and Windows 10 devices that use the default settings. Wednesday’s demo shows PrintNightmare working against a wider range of systems, including those that have enabled the Point and Print feature or the NoWarningNoElevationOnInstall option.
In addition to addressing the vulnerability, the released patch adds a new mechanism that allows Windows admins to impose stricter restrictions on the installation of printer software. Microsoft's security advisory states:
Prior to the installation of the July 6, 2021 update and newer versions of Windows, which contained protection against CVE-2021-34527, the printer operator security team was able to install both approved and unapproved drivers on the printer server. By installing these updates, only verified items can be installed. Admin approval is required to install other printer drivers on the server.
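The Point and Print configuration described above can be audited on each host. The following PowerShell check is an added example, not code from the article or from Microsoft; the registry path and the UpdatePromptSettings value name are assumptions that do not appear in the article, and the function names are hypothetical.

```powershell
# Added example, not from the article or from Microsoft.
# Assumption: the Point and Print policy values live under the key below;
# only the name NoWarningNoElevationOnInstall appears in the article.
$PointAndPrintKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

function Get-PointAndPrintValue {
    param([Parameter(Mandatory)][string]$Name)
    # An absent key or value returns $null; Windows then applies its default,
    # which is to show the warning and elevation prompt.
    $item = Get-ItemProperty -Path $PointAndPrintKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-PointAndPrintExposure {
    # The Print Spooler runs by default, so check it rather than assume.
    $spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $running = ($null -ne $spooler) -and ($spooler.Status -eq 'Running')

    # Any non-zero value relaxes the warning or elevation prompt shown
    # when a printer driver is installed or updated.
    $weak = foreach ($name in 'NoWarningNoElevationOnInstall', 'UpdatePromptSettings') {
        $value = Get-PointAndPrintValue -Name $name
        if ($null -ne $value -and $value -ne 0) { "$name=$value" }
    }

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        SpoolerRunning = $running
        WeakSettings   = @($weak)
        # True means the emergency update alone does not cover this host.
        PatchNotEnough = $running -and (@($weak).Count -gt 0)
    }
}

Test-PointAndPrintExposure | Format-List
```

On a host where PatchNotEnough is True, setting the listed values to 0 or removing them restores the default prompts.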
Finally, it should be noted that although the published security patch is incomplete, it is still mandatory to install it on systems, because most of the time it can stop attackers.
As a result, users are required to download and install published security patches to secure their devices.