Is it safe to print again?

Topic

New Reply

PATCH WATCH By Susan Bradley Is Print Nightmare finally fixed? The August updates are out and finally include a fix for the fix for the earlier fix fo
[See the full post at: Is it safe to print again?]

Susan Bradley Patch Lady

2 users thanked author for this post.

lmacri, abbodi86

Reply | Quote

Replies

The August update, in combination with the PrintNightmare/Point and Print GPO (Detailed here: https://support.microsoft.com/en-us/topic/kb5005010-restricting-installation-of-new-printer-drivers-after-applying-the-july-6-2021-updates-31b91c02-05bc-4ada-a7ea-183b129578a7) , has broken printing across our environment, prompting for admin credentials the first time a print job is sent to each installed printer.

What a printing nightmare, especially when no users have admin rights.

And no, we’re not permitted to roll back the GPO due to compliance reasons.

Reply | Quote

Hop on over to the patch management group on google groups as others are pulling their hair out as well.

Susan Bradley Patch Lady

Reply | Quote

Ack! No one in the office can print without reinstalling drivers. Fortunately, there are “only” 21 PCs, so I won’t be doing this all day. Also fortunately, I can connect remotely and re-install the printer drivers without having to incur user’s wrath. Unfortunately, they need me to enter my admin credentials to re-install the same driver that I installed months ago. It woulda been nice if users could have installed the driver from the server themselves – some of them have learned how it’s done.

Reply | Quote

The only time I would ever trust a downloaded printer driver at the time I am printing something is if it came from a known source on my own network. It’s hard to believe Microsoft thought it was a good idea to allow a website you visit to install a printer driver on your computer. The only way that should be allowed is (1) if you knowingly opt-in to that functionality, and (2) if you say yes to two prompts: “This sort of thing can be dangerous” and “Are you SURE?”.

Group "L" (Linux Mint)
with Windows 8.1 running in a VM

Reply | Quote

MrJimPhelps wrote:

It’s hard to believe Microsoft thought it was a good idea to allow a website you visit to install a printer driver on your computer.

They didn’t. Just domain print servers:

Point and Print is a term that refers to the capability of allowing a user on a Windows 2000 and later client to create a connection to a remote printer without providing disks or other installation media. All necessary files and configuration information are automatically downloaded from the print server to the client.

Introduction to Point and Print

Windows 11 Pro version 22H2 build 22621.1485 + Microsoft 365 + Edge

Reply | Quote

I would like to ask a question, where did UAC go?
Isnt this exactly the case, where it should have pop up and protect the user against attackers?

I mean.. most users put the UAC slider as low as possible, bucause its annoying to click on the Yes sometimes, but this should be exactly the case, where UAC should have raise the question.

“Do you really want to install this driver from the webpage?” for example.

Dell Latitude E6530, Intel Core i5 @ 2.6 GHz, 4GB RAM, W10 20H2 Enterprise

HAL3000, AMD Athlon 200GE @ 3,4 GHz, 8GB RAM, Fedora 29

PRUSA i3 MK3S+

Reply | Quote

You may find this interesting — a discussion of the changes Microsoft made to UAC from the initial implementation in Vista.  There are really only two effectively distinct settings for the UAC slider

1 user thanked author for this post.

doriel

Reply | Quote

Firefox 91 – You can still maintain the look and feel of the classic Firefox interface in Firefox 91 and do not have to resort to the ESR versions. I don’t pretend this is for the faint of heart, but I’m not a programmer at all and was able to make this work.

First make a complete backup of your Firefox profile before attempting this. If it fails, you’ll want to restore this profile.

Just go to https://github.com/Aris-t2/CustomCSSforFx where you can click on the link “Classic.” There you can download the “userchrome.css” file (or use the one I’ve uploaded to this posting – just change the file name to userchrome.css). Unfortunately, you can’t just download the file (why make it easy for us?). You’ll need to paint and copy the entire file to a text file on your computer — and name the file userchrome.css. If you replace the userchrome.css file in your Firefox profile with this one, you can restore the classic Firefox interface.

This file is built on the old add-ons <span class=”pl-c”>Classic Theme Restorer & Classic Toolbar Buttons. You can activate specific lines by deleting the “/” at the beginning of a line. Among a slew of customizations you can make to the classic Firefox interface this css file provides, you can move the bookmarks toolbar above your tabs as the gods originally intended. You can control the toolbar buttons,  customize back and forward buttons, tab appearance and position, and customize a slew of other interface features.</span>

Note the instruction in the file to enable this preference or custom styles will not be loaded:
about:config > toolkit.legacyUserProfileCustomizations.stylesheets > true

I stress, however, make a backup of your Firefox profile before replacing the existing userchrome.css file and keep a backup of the userchrome.css file you download from GitHub. You will need to experiment — a lot — with the changes you make to this customized userchrome.css file. Keep very close track of the changes you make so you can reverse those you don’t like. It takes some time, but you can use this to make Firefox look the way you want as Mozilla updates the browser again and again.

If I was able to make this work, anybody who reads AskWoody can.

Reply | Quote

We applied the patch to our working stations and VMs some weeks ago. Since that, printing began to be little bit annoying, since there were some changes because of PrintNightmare vunerability. I can see the KB5005033 installed on affected machines.

Some users are not able to print anything, because the printer needs updating the driver and thats not possible without admin rights now.. OK, but the interesting fact is, that:

++ they cant upgrade the driver, unless they enter admin credentials
++ but they can remove the printer
++ and then they can add the printer (with correct driver) by doubleclicking on the desired printer from the printserer without admin rights. No admin login required.

Dell Latitude E6530, Intel Core i5 @ 2.6 GHz, 4GB RAM, W10 20H2 Enterprise

HAL3000, AMD Athlon 200GE @ 3,4 GHz, 8GB RAM, Fedora 29

PRUSA i3 MK3S+

2 users thanked author for this post.

Cybertooth, Lars220

Reply | Quote

hmm, I wonder which Star Trek episode this “double facepalm” pic came from? hee-hee-hee 🙂

fortunately for me I have NOT installed KB5005033 or similar August 2021 updates yet and will wait a while until it is actually “safe” to install them

Reply | Quote

I’m just seeing that there is a NEW printer vulnerability Microsoft has published, with no patch out there for it yet.

Microsoft’s recommendation: Disable Print Spooler on ANY machine.

Yeah, nice one, Microsoft…

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36958

 

No matter where you go, there you are.

Reply | Quote

Anyone see any update with 5005033 effecting the GPO printers? in that is it safe to deploy?

Reply | Quote

The Windows print nightmare continues for the enterprise | Computerworld

 

The August updates are causing issues for group policy deployed printers where you have v3 printer drivers installed. 5005033 is also impacted.

Susan Bradley Patch Lady

Reply | Quote

Is this issue fully solved now? Cant find any info on MSFT web.
Its quite old bug and all we get is admin prompt for standard users denying printing on some printers. While the vulnerability still exists?

Apart of Zebra printers, we get the prompt also with HP and Konica Minolta.

I would expect, that printers mapped directly from domain printserver were considered safe, but obviously its not the case 🙂

Dell Latitude E6530, Intel Core i5 @ 2.6 GHz, 4GB RAM, W10 20H2 Enterprise

HAL3000, AMD Athlon 200GE @ 3,4 GHz, 8GB RAM, Fedora 29

PRUSA i3 MK3S+

Reply | Quote

I was really hoping for a patch for spooler patch for CVE-2021-36958 yesterday.    Any idea why MS did not release anything on Patch day for the spooler issue?    Not sure how much longer I can keep printing shutdown before my users show up with Pitch forks and Torches.

Reply | Quote

Patch day was not yesterday. Sept 14th is second Tuesday.

Windows 11 Pro version 22H2 build 22621.1485 + Microsoft 365 + Edge

Reply | Quote

They may have a fix now, but will make you wait another week because they just don’t care anymore.

Experience is that marvelous thing that enables you recognize a mistake as soon as you make it again.

Reply | Quote

I would not say, that they dont care, maybe its bigger problem, than anticipated. I think its fairly complicated issue. Cant find, if Windows 11 is affected too. I wonder if Win11 are immune to this.

Dell Latitude E6530, Intel Core i5 @ 2.6 GHz, 4GB RAM, W10 20H2 Enterprise

HAL3000, AMD Athlon 200GE @ 3,4 GHz, 8GB RAM, Fedora 29

PRUSA i3 MK3S+

Reply | Quote

Yeah, maybe I was a bit hasty with that remark.

Experience is that marvelous thing that enables you recognize a mistake as soon as you make it again.

Reply | Quote

The saga continues

Another episode here.

Dell Latitude E6530, Intel Core i5 @ 2.6 GHz, 4GB RAM, W10 20H2 Enterprise

HAL3000, AMD Athlon 200GE @ 3,4 GHz, 8GB RAM, Fedora 29

PRUSA i3 MK3S+

Reply | Quote