• MS-DEFCON 2: Print Nightmare causes printing nightmares


    #2376251

    ISSUE 18.25.1 • 2021-07-07 PATCH WATCH By Susan Bradley Microsoft has released an emergency update for a Print Spooler vulnerability. Consumer and hom
    [See the full post at: MS-DEFCON 2: Print Nightmare causes printing nightmares]

    Susan Bradley Patch Lady/Prudent patcher

    3 users thanked author for this post.
    • #2376269

      Microsoft missed the Dymo printers this time?   I hope!!!

    • #2376282

      That patch has already been exploited.  It’s effectively useless if you use Point and Print.

      Linky

    • #2376266

      Susan,

      This saved me from deploying to desktops with attached Zebra printers. Thank you!

      Re. servers, it sounds like you’re saying Print Spooler isn’t needed? I have e.g. Essentials 2012R2 and 2016 servers (which include AD) running Print Management. The printers are shared through the server. Isn’t Print Spooler needed for them? Fortunately in that case, no Zebras involved. Shouldn’t I patch those servers ASAP?

    • #2376285

      Windows 10 Pro x 64

      I am a home user who chose the Pro version for greater control over updates. I have a wireless printer setup (Epson Eco Tank). The options referenced in the out of band MS link in the main post seemed to imply that both “fixes” disable remote printing.

      Could you please explain, in lay terms, what I need to do as a home user of the Pro version. Should I be concerned about this exploit? My printer is on only when I need to use it.

      Thanks!

      1 user thanked author for this post.
      • #2376289

        The options (those registry keys) are only needed in a network environment. I see this as a bigger threat to firms than home users at this time. If I change my mind, I’ll let you know.

        Susan Bradley Patch Lady/Prudent patcher

        2 users thanked author for this post.
        • #2376294

          Thank you. I went ahead and disabled the Print Spooler through Group Policy. I can still print wirelessly.

    • #2376298

      Shawn reports on the patchmanagement.org list:  I have two clients that have had problems with QuickBooks POS 19 detecting the Ingenico PIN Pad 350 (iPP350) after installing the
      kb5004945 update. Removing the update and restarting allows the pin pad
      to be detected and function again.

      Susan Bradley Patch Lady/Prudent patcher

    • #2376322

      The options (those registry keys) are only needed in a network environment. I see this as a bigger threat to firms than home users at this time. If I change my mind, I’ll let you know.

      Home networks are pretty common these days and at least some of them use network printing, either because a printer is attached to one PC and shared for other machines to use or because the printer itself is on the network and all the machines talk to it directly.

      For that matter, if I disable the print spooler on my PC, none of my printers, directly connected, networked, even virtual (like CutePDF) are accessible.   I read a note from Microsoft about selecting “Print directly to printer” but that does not work with a Dymo printer connected directly to my computer.

      IS there a way to print without having the print spooler running?

       

       

    • #2376371

      I’ve compiled an overview of the chaos the out-of-band PrintNightmare patches are creating.

      The Chaos PrintNightmare Emergency Update (July 6/7, 2021)

      Ex Microsoft Windows (Insider) MVP, Microsoft Answers Community Moderator, Blogger, Book author

      https://www.borncity.com/win/

      3 users thanked author for this post.
    • #2376374

      This warning specifically names ‘Zebra Label Printers’ as having critical risk. I don’t have a zebra..just HP printers…Does that mean I don’t need to address this?

      Thanks

      • #2376377

        This warning specifically names ‘Zebra Label Printers’ as having critical risk.

        It doesn’t. The patch breaks Zebra Label Printers.

        I don’t have a zebra..just HP printers…Does that mean I don’t need to address this?

        No.

        Windows 11 Pro version 22H2 build 22621.2361 + Microsoft 365 + Edge

        1 user thanked author for this post.
    • #2376413

      The patch breaks Zebra Label Printers

      And not for the first time.

    • #2376503

      0Patch has fixes for this (I haven’t verified their effectiveness.)

    • #2376502

      Left my W10 machines idling, while I did some chores.
      Downloaded & Installed to all machines.
      Apparently no problems; but then, what’s a soft-connect label maker, printer anyway ?

    • #2376537

      Will sit KB5004945 out and wait for Patch Tuesday next week. I’m not even going to bother hiding it as it will be automatically superseded and removed by the B week 2021-07 CU.

    • #2376548

      Microsoft: Our PrintNightmare patch is effective, you’re just using Windows wrong

      …Our investigation has shown that the OOB security update is working as designed and is effective against the known printer spooling exploits and other public reports collectively being referred to as PrintNightmare. All reports we have investigated have relied on the changing of default registry setting related to Point and Print to an insecure configuration….

      1 user thanked author for this post.
    • #2376611

      Microsoft: Our PrintNightmare patch is effective, you’re just using Windows wrong

      …Our investigation has shown that the OOB security update is working as designed and is effective against the known printer spooling exploits and other public reports collectively being referred to as PrintNightmare. All reports we have investigated have relied on the changing of default registry setting related to Point and Print to an insecure configuration….

      Gee, I didn’t know mucking around with “default registry setting related to Point and Print” was such a popular pastime that all these security researchers would have engaged in it.

      From that same article:

      Note that the security updates released on and after July 6, 2021 contain protections for CVE-2021-1675 and the additional remote code execution exploit in the Windows Print Spooler service known as “PrintNightmare”, documented in CVE-2021-34527.

      KB5004945 was re-released on 6 July so maybe now it does cover both vulnerabilities but nothing about Zebra printers. After getting burned on Dymo printers a couple of months ago, one would think Microsoft would have a few of each for testing.

    • #2376643
      1 user thanked author for this post.
    • #2376674

      More information about the PrintNightmare type printing issues from Mayank Parmar at Windows Latest website on July 9, 2021:
      Microsoft is rolling out emergency fix for Windows 10 printing issues

      “Microsoft is using a feature called “Known Issue Rollback” to quickly roll back non-security fixes that are causing problems for users. Using KIR, Microsoft can turn off problematic code without releasing another cumulative update or workaround.”

      We can check if we have received the KIR fix by checking the Registry:

      “To verify the fix, open Registry Editor and navigate to the following path:
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FeatureManagement\Overrides\4\1861952651
      If the above path and KIR ID exists, the server-side patch has been installed on the device.”

      If you do not see the ID wait for a day or two as the fix is slowly rolling out. In addition to printing problems, Microsoft is also planning to address the performance and taskbar issue with July 2021 security patch. I have received this KIR ID# 1861952651 in one of the “Stealth Updates”.

      Computers become slow when they sense that their servants are in a hurry.
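
    The checks discussed across this thread (Print Spooler state, the KB5004945 patch, Point and Print policy, and the KIR override key quoted above) can be read in one pass. This is an added example, not part of any post in the thread; the function name is hypothetical, and the Point and Print key and value names are taken from Microsoft's published guidance rather than from this page.

```powershell
# Added example: read-only audit of the settings discussed in this thread.
# Nothing is modified; run it on the machine being checked.

function Get-PrintNightmareStatus {
    # KB number and KIR ID are the ones quoted in the thread.
    $kb      = 'KB5004945'
    $kirPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\FeatureManagement\Overrides\4\1861952651'
    # Point and Print policy key (assumption: from Microsoft's guidance, not from the thread).
    $pnpPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

    $spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue

    # Get-HotFix matches this exact KB only; a later cumulative update
    # that supersedes it will show up under its own KB number instead.
    $hotfix = Get-HotFix -Id $kb -ErrorAction SilentlyContinue

    # Missing key or missing values mean the default configuration.
    # Only explicit non-zero values relax the install/update prompts.
    $pnp  = Get-ItemProperty -Path $pnpPath -ErrorAction SilentlyContinue
    $weak = @()
    foreach ($name in 'NoWarningNoElevationOnInstall', 'UpdatePromptSettings') {
        if ($pnp -and $null -ne $pnp.$name -and $pnp.$name -ne 0) {
            $weak += "$name=$($pnp.$name)"
        }
    }

    [pscustomobject]@{
        SpoolerStatus      = if ($spooler) { $spooler.Status } else { 'NotFound' }
        SpoolerStartType   = if ($spooler) { $spooler.StartType } else { $null }
        PatchInstalled     = [bool]$hotfix
        KirOverridePresent = Test-Path -Path $kirPath
        PointAndPrintWeak  = $weak -join ', '
    }
}

Get-PrintNightmareStatus | Format-List
```

    An empty `PointAndPrintWeak` field means neither value has been changed from its default.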