Microsoft Clarifies Its 'PrintNightmare' Patch Advice
Microsoft on Thursday issued "clarified guidance" for organizations addressing a zero-day Windows printer spooler vulnerability dubbed "PrintNightmare."
PrintNightmare was issued an "out-of-band" (unscheduled) patch by Microsoft on Tuesday for vulnerability CVE-2021-34527, which could enable remote code execution attacks with system privileges. The vulnerability is present in all Windows systems, both client and server.
Microsoft's patch for CVE-2021-34527 will automatically arrive for organizations and individuals using Microsoft's Windows Update service, or the Windows Update for Business patching service.
Security researchers, including those researchers at the U.S. Cybersecurity and Infrastructure Security Agency, an agency that advises government organizations on security matters, have been saying that CVE-2021-34527 doesn't patch a local privilege escalation variant of PrintNightmare. Microsoft's Thursday announcement didn't address such claims, but it said that the CVE-2021-34527 patch is effective.
Our investigation has shown that the OOB security update is working as designed and is effective against the known printer spooling exploits and other public reports collectively being referred to as PrintNightmare. All reports we have investigated have relied on the changing of default registry setting related to Point and Print to an insecure configuration.
Point and Print is an old Windows functionality that lets users of Windows client devices set up printers without having to download the printer and configuration files, per this Microsoft document description.
Admin Print Driver Install Privileges Enforced
One of the changes made with Microsoft's CVE-2021-34527 patch is to make it such that only administrators will be able to install signed and unsigned printer drivers. That restriction hadn't been in place before, and it was part of the security vulnerability.
Microsoft flatly stated that only administrators will have the rights to install printer drivers after applying the CVE-2021-34527 patch in this supplementary explanatory article, KB5005010:
After installing the July 2021 and later updates, non-administrators, including delegated admin groups like printer operators, cannot install signed and unsigned printer drivers to a print server. By default, only administrators can install both signed and unsigned printer drivers to a print server.
The printer driver rights change is also highlighted in this deft Cisco Talos summary of Microsoft's July print spooler patch changes.
The KB5005010 article included the following "resolution" description, which should be applied to "all machines that host the print spooler service":
- Install the July Out-of-band and later updates.
- Check if the following conditions are true:
- Registry Settings: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint
- NoWarningNoElevationOnInstall = 0 (DWORD) or not defined (default setting)
- UpdatePromptSettings = 0 (DWORD) or not defined (default setting)
- Group Policy: You have not configured the Point and Print Restrictions Group Policy.
If both conditions are true, then you are not vulnerable to CVE-2021-34527 and no further action is needed. If either condition is not true, you are vulnerable. Follow the steps below to change the Point and Print Restrictions Group Policy to a secure configuration.
IT pros are encouraged by Microsoft to double check that "0" values are set for the Point and Print settings shown above. They are discouraged from using Group Policy to set Point and Print restrictions. Microsoft claims that its CVE-2021-34527 patch doesn't disable Point and Print.
Microsoft also acknowledged that there are some "known issues" for organizations installing the CVE-2021-34527 update, which is described in support article KB5004945.
There can be issues with Japanese characters in apps. Also, problems arise with custom ISO images that use the deprecated Microsoft Edge browser (EdgeHTML).
However, some printers that are USB devices or label makers can be adversely affected by the CVE-2021-34527 patch. In those cases, Microsoft recommends performing a Known Issue Rollback, which is a somewhat new patch safeguard mechanism. Under this scheme, Microsoft identifies a patch issue and organizations that perform a Known Issue Rollback will "fall back to the previous code that had a bug," per Microsoft's description.
Microsoft has been using Known Issue Rollback for its updates since late 2019, but it's been accessible to organizations via Group Policy since the release of Window version 2004.
Kurt Mackie is senior news producer for 1105 Media's Converge360 group.