News, tips, advice, support for Windows, Office, PCs & more
Home icon Home icon Home icon Email icon RSS icon

We're community supported and proud of it!

  • Is it safe to print again?

    Home » Forums » AskWoody blog » Is it safe to print again?

    Author
    Topic
    #2383898

    PATCH WATCH By Susan Bradley Is Print Nightmare finally fixed? The August updates are out and finally include a fix for the fix for the earlier fix fo
    [See the full post at: Is it safe to print again?]

    Susan Bradley Patch Lady

    2 users thanked author for this post.
    Viewing 8 reply threads
    Author
    Replies
    • #2384028

      The August update, in combination with the PrintNightmare/Point and Print GPO (Detailed here: https://support.microsoft.com/en-us/topic/kb5005010-restricting-installation-of-new-printer-drivers-after-applying-the-july-6-2021-updates-31b91c02-05bc-4ada-a7ea-183b129578a7) , has broken printing across our environment, prompting for admin credentials the first time a print job is sent to each installed printer.

      What a printing nightmare, especially when no users have admin rights.

      And no, we’re not permitted to roll back the GPO due to compliance reasons.

    • #2384038

      Ack! No one in the office can print without reinstalling drivers. Fortunately, there are “only” 21 PCs, so I won’t be doing this all day. Also fortunately, I can connect remotely and re-install the printer drivers without having to incur user’s wrath. Unfortunately, they need me to enter my admin credentials to re-install the same driver that I installed months ago. It woulda been nice if users could have installed the driver from the server themselves – some of them have learned how it’s done.

    • #2384166

      The only time I would ever trust a downloaded printer driver at the time I am printing something is if it came from a known source on my own network. It’s hard to believe Microsoft thought it was a good idea to allow a website you visit to install a printer driver on your computer. The only way that should be allowed is (1) if you knowingly opt-in to that functionality, and (2) if you say yes to two prompts: “This sort of thing can be dangerous” and “Are you SURE?”.

      Group "L" (Linux Mint)
      with Windows 8.1 running in a VM
      • #2384167

        It’s hard to believe Microsoft thought it was a good idea to allow a website you visit to install a printer driver on your computer.

        They didn’t. Just domain print servers:

        Point and Print is a term that refers to the capability of allowing a user on a Windows 2000 and later client to create a connection to a remote printer without providing disks or other installation media. All necessary files and configuration information are automatically downloaded from the print server to the client.

        Introduction to Point and Print

        Windows 10 Pro version 21H2 build 19044.1387 + Microsoft 365 (group ASAP)

      • #2384253

        I would like to ask a question, where did UAC go?
        Isnt this exactly the case, where it should have pop up and protect the user against attackers?

        I mean.. most users put the UAC slider as low as possible, bucause its annoying to click on the Yes sometimes, but this should be exactly the case, where UAC should have raise the question.

        “Do you really want to install this driver from the webpage?” for example.

        Dell Latitude E6530, Intel Core i5 @ 2.6 GHz, 4GB RAM, W10 20H2 Enterprise

        HAL3000, AMD Athlon 200GE @ 3,4 GHz, 8GB RAM, Fedora 29

        PRUSA i3 MK3S+

    • #2384168

      Firefox 91 – You can still maintain the look and feel of the classic Firefox interface in Firefox 91 and do not have to resort to the ESR versions. I don’t pretend this is for the faint of heart, but I’m not a programmer at all and was able to make this work.

      First make a complete backup of your Firefox profile before attempting this. If it fails, you’ll want to restore this profile.

      Just go to https://github.com/Aris-t2/CustomCSSforFx where you can click on the link “Classic.” There you can download the “userchrome.css” file (or use the one I’ve uploaded to this posting – just change the file name to userchrome.css). Unfortunately, you can’t just download the file (why make it easy for us?). You’ll need to paint and copy the entire file to a text file on your computer — and name the file userchrome.css. If you replace the userchrome.css file in your Firefox profile with this one, you can restore the classic Firefox interface.

      This file is built on the old add-ons <span class=”pl-c”>Classic Theme Restorer & Classic Toolbar Buttons. You can activate specific lines by deleting the “/” at the beginning of a line. Among a slew of customizations you can make to the classic Firefox interface this css file provides, you can move the bookmarks toolbar above your tabs as the gods originally intended. You can control the toolbar buttons,  customize back and forward buttons, tab appearance and position, and customize a slew of other interface features.</span>

      Note the instruction in the file to enable this preference or custom styles will not be loaded:
      about:config > toolkit.legacyUserProfileCustomizations.stylesheets > true

      I stress, however, make a backup of your Firefox profile before replacing the existing userchrome.css file and keep a backup of the userchrome.css file you download from GitHub. You will need to experiment — a lot — with the changes you make to this customized userchrome.css file. Keep very close track of the changes you make so you can reverse those you don’t like. It takes some time, but you can use this to make Firefox look the way you want as Mozilla updates the browser again and again.

      If I was able to make this work, anybody who reads AskWoody can.

    • #2384392

      We applied the patch to our working stations and VMs some weeks ago. Since that, printing began to be little bit annoying, since there were some changes because of PrintNightmare vunerability. I can see the KB5005033 installed on affected machines.

      Some users are not able to print anything, because the printer needs updating the driver and thats not possible without admin rights now.. OK, but the interesting fact is, that:

      ++ they cant upgrade the driver, unless they enter admin credentials
      ++ but they can remove the printer
      ++ and then they can add the printer (with correct driver) by doubleclicking on the desired printer from the printserer without admin rights. No admin login required.

      double-facepalm-memes

      Dell Latitude E6530, Intel Core i5 @ 2.6 GHz, 4GB RAM, W10 20H2 Enterprise

      HAL3000, AMD Athlon 200GE @ 3,4 GHz, 8GB RAM, Fedora 29

      PRUSA i3 MK3S+

      2 users thanked author for this post.
      • #2384449

        hmm, I wonder which Star Trek episode this “double facepalm” pic came from? hee-hee-hee 🙂

        fortunately for me I have NOT installed KB5005033 or similar August 2021 updates yet and will wait a while until it is actually “safe” to install them

    • #2384581

      I’m just seeing that there is a NEW printer vulnerability Microsoft has published, with no patch out there for it yet.

      Microsoft’s recommendation: Disable Print Spooler on ANY machine.

      Yeah, nice one, Microsoft…

      https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36958

       

      No matter where you go, there you are.

    • #2384831

      Anyone see any update with 5005033 effecting the GPO printers? in that is it safe to deploy?

    • #2385782

      Is this issue fully solved now? Cant find any info on MSFT web.
      Its quite old bug and all we get is admin prompt for standard users denying printing on some printers. While the vulnerability still exists?

      Apart of Zebra printers, we get the prompt also with HP and Konica Minolta.

      I would expect, that printers mapped directly from domain printserver were considered safe, but obviously its not the case 🙂

      Dell Latitude E6530, Intel Core i5 @ 2.6 GHz, 4GB RAM, W10 20H2 Enterprise

      HAL3000, AMD Athlon 200GE @ 3,4 GHz, 8GB RAM, Fedora 29

      PRUSA i3 MK3S+

    • #2388548

      I was really hoping for a patch for spooler patch for CVE-2021-36958 yesterday.    Any idea why MS did not release anything on Patch day for the spooler issue?    Not sure how much longer I can keep printing shutdown before my users show up with Pitch forks and Torches.

      • #2388552

        Patch day was not yesterday. Sept 14th is second Tuesday.

        Windows 10 Pro version 21H2 build 19044.1387 + Microsoft 365 (group ASAP)

      • #2388607

        They may have a fix now, but will make you wait another week because they just don’t care anymore.

        If it ain't broke, it soon will be, so be prepared.

        • #2388668

          I would not say, that they dont care, maybe its bigger problem, than anticipated. I think its fairly complicated issue. Cant find, if Windows 11 is affected too. I wonder if Win11 are immune to this.

          Dell Latitude E6530, Intel Core i5 @ 2.6 GHz, 4GB RAM, W10 20H2 Enterprise

          HAL3000, AMD Athlon 200GE @ 3,4 GHz, 8GB RAM, Fedora 29

          PRUSA i3 MK3S+

    Viewing 8 reply threads
    Reply To: Is it safe to print again?

    You can use BBCodes to format your content.
    Your account can't use Advanced BBCodes, they will be stripped before saving.