  • Out of band for Print Nightmare is out


    • This topic has 95 replies, 29 voices, and was last updated 3 weeks ago.
      • #2375976
        Susan Bradley
        Manager

        https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527 Remember the print nightmare post from the other day?  Microsoft has released out
        [See the full post at: Out of band for Print Nightmare is out]

        Susan Bradley Patch Lady

        4 users thanked author for this post.
      • #2375992
        PKCano
        Manager

        AKB 2000003 has been updated for Group B Win7 (ESU) and Win8.1 on July 6, 2021. A Monthly Rollup and Security-only Out-of-band have been released to address the Print spooler exploit.

        There is a Security-only Out-of-band Update for those with Win7 ESU subscriptions.

         

        2 users thanked author for this post.
      • #2375980
        Bob99
        AskWoody Plus

        For those affected by this nasty bug, GREAT NEWS!

        Now one question: Has this out-of-band patch come too late to be included in the normally-scheduled July round of updates next Tuesday for those on Windows 10 so they don’t have to d/l  and install the recently released out of band patches just to have to d/l and install more patches next week?

        What I’m asking is if folks feel OK about it, can they just wait until next week to d/l the regularly scheduled patch instead of getting the out of band patch(es)?

        If these out-of-band patches aren’t or won’t be included in next week’s regularly scheduled patches, then all bets are off and folks will just have to download both, obviously.

        EDIT: As of this writing, 3:29 pm PDT, the links to KB5004945, the out-of-band for 20H2 x64, aren’t yet working, so same probably goes for links for some of the other patches as well. As has been said before in other scenarios. “Patience, grasshopper.”

        • This reply was modified 3 weeks, 6 days ago by Bob99.
        • This reply was modified 3 weeks, 6 days ago by Bob99. Reason: Added the "EDIT:" paragraph
        • #2376025
          Susan Bradley
          Manager

          They will be included in next week’s updates. Microsoft can quickly include new updates in the cumulative code.

          Susan Bradley Patch Lady

          • #2376036
            L95
            AskWoody Plus

            Susan:  I probably won’t be installing next week’s updates until you give the DEFCON clearance for July,  which probably will be close to the end of July.  Do you think you will be giving the “go-ahead”  for this out-of-band update sooner than that?  If so,  will you be posting the announcement as a new headline topic?  Or on the other hand,  will you be posting it within this lounge discussion?

          • #2376488
            Ken
            AskWoody Plus

            I have one w10 Home 20H2 pc. I forgot to reset the pause, so 5004945 was installed yesterday after I had shut down due to storms. Unit is VERY sluggish now. Should I uninstall this? How do I do it? (I have never uninstalled an update before.) No apparent problems with printing.

      • #2376004
        Bob99
        AskWoody Plus

        If you are a home user, I don’t see a need to rush this patch on.

        For most of us who are home users, this means to use your tool of choice to hide this patch for now.

        Find the KB number for your version (2004, 20H1, 1909, etc.) in the MSRC post linked to in Susan’s first post of this thread above. The list starts under the heading of “Security Updates” about 3/4 of the way down the page.

        • #2376007
          PKCano
          Manager

          Win10 2004/20H2/21H1 KB5004945 Out-of-band. Susan advises home users to hold off for now.
          Support pages aren’t up yet as of this post

          Looks like they may have released the Monthly Rollups and SOs for Win7 and Win8.1 as Out-of-band a week early. My Win8.1 updated through Windows Update just now.

          3 users thanked author for this post.
          • #2376019
            EP
            AskWoody_MVP

            many of those MS support articles have shown up on my end now

          • #2376034
            Susan Bradley
            Manager

            I doubt they released next week’s updates early, they just put in the code for this.  Note that the “what this fixes” only lists the spooler.   By definition if it included everything, it would list a lot more cve’s.

            And a bit sloppy in the KB urls as well…. the windows update history has a broken link and I’ve yet to see 21h1 being shown an update.

            July 6, 2021—KB5004945 (OS Builds 19041.1083, 19042.1083, and 19043.1083) Out-of-band (microsoft.com)

            Susan Bradley Patch Lady

            • #2376127
              PKCano
              Manager

              I doubt they released next week’s updates early, they just put in the code for this.

              That line had been previously struck out. The wording was strange this time – “(Monthly Rollup) Out-of-band.” Never saw it labeled like that before (?)

          • #2376039
            WCHS
            AskWoody Plus

            Susan advises home users to hold off for now.
            Support pages aren’t up yet as of this post

            I’m Win10/Pro, 20H2 x-64bit, Build 19042.1052, released June 8 and installed June 28. I am not an Enterprise user and I am not running a server. I usually wait for MS-DEFCON to get to 3+ before doing the current month’s patches. So that means waiting until close to the end of July to do the July Week “B”/Tuesday patches.

            Is the reason for holding off on it for now that Support pages are not up yet? I ask because I see that the support pages for OOB KB5004945 are up now and the patch has just turned up in the WU queue. I have used wushowhide to hide it for now (I say “for now” because it will disappear from the WU queue/wushowhide come July 13). Should I unhide KB5004945 now and download/install it before July 13 (I have GP=2 notify download/install)? Or is it OK to wait until I install the 2021-07 patches in late July (i.e., when MS-DEFCON becomes 3+)?

            1 user thanked author for this post.
        • #2376067
          Susan Bradley
          Manager

          I posted a new master list for July tonight.

          Susan Bradley Patch Lady

          1 user thanked author for this post.
      • #2376010
        b
        AskWoody MVP

        Installed 2021-07 Cumulative Update for Windows 10 Version 21H1 for x64-based Systems (KB5004945):

        No adverse effects after restart and printing as normal.

        OS build now 19043.1083

        Windows 10 Pro version 21H2 build 19044.1151 + Microsoft 365 (group ASAP)

        1 user thanked author for this post.
      • #2376018
        EP
        AskWoody_MVP

        Win10 LTSB 2016 / Server 2016 / 1607 currently does not have an out-of-band patch for this “Print Nightmare” security problem

        • #2376068
          Susan Bradley
          Manager

          The CVE page says it’s coming and will be posted later.

          “Updates are not yet available for Windows 10 version 1607, Windows Server 2016, or Windows Server 2012. Security updates for these versions of Windows will be released soon.”

          Susan Bradley Patch Lady

      • #2376022
        anonymous
        Guest

        Windows 7 EOL holdovers will never get any Patch? So just the 7/ESU folks for that!

        • #2376024
          Susan Bradley
          Manager

          Unless it’s a wormable vulnerability – and this is not one – Microsoft generally does not post out of support patches unless there is a huge risk.  Mind you there is 0patch and other ways around this.

          Susan Bradley Patch Lady

          2 users thanked author for this post.
          • #2376312

            “FYI, For what it’s worth dept.”…..0patch did issue a patch for this on July 5th.

            Sorry for the late report, have had my hands full.

            Win7 Pro SP1 64-bit ESU, Dell Latitude E6330, Intel CORE i5 "Ivy Bridge", 12GB RAM, Group "0Patch", Multiple Air-Gapped backup drives in different locations. Linux Mint Greenhorn
            --
            "Civilization is fun! Anyway, it sure keeps me busy["

            -Zippy

        • #2376055
          rick41
          AskWoody Lounger

          Per an article in TheVerge, “Microsoft has even taken the unusual step of issuing patches for Windows 7.”  So apparently you don’t need extended support to get it for Win 7 via WU.

          (Original version of post with link to article was rejected.)

           

      • #2376027
        Bob99
        AskWoody Plus

        I’m currently on 20H2 build number 19042.1052, and I have hidden the out of band update for the print spooler nightmare, KB5004945.

        If I go ahead and let WU install the Feature Update from 20H2 to 21H1 within the next few days (i.e. before July 13th), will I go to build 19043.1083 (which includes the out of band print spooler fix) or will I simply go from build 19042.1052 to build 19043.1052?

        • #2376832
          anonymous
          Guest

          I took the plunge and decided to use WU to “install” the Feature Update to 21H1 from 20H2.

          I got the answer to my question in looking at the list of installed updates. First, WU installed the latest servicing stack update taking it to 19041.1081, then it installed the Feature Update via the enablement package, then it installed KB5004945, so I am now on build 19043.1083 after having been on 19042.1052.

      • #2376042
        johnyhamm
        AskWoody Plus

        Hi Folks,

        I’ve been dealing with the PrintNightmare since last week and have been doing quite a bit of research into the various mitigations and now the patching recommendations.

        In our environment we do not use Point and Print but I’m looking for some guidance on the recommendation Microsoft published alongside the PrintNightmare patch. The article is this one:

        KB5005010: Restricting installation of new printer drivers after applying the July 6, 2021 updates (microsoft.com)

        My question is this. If we have not configured any of the Point and Print Group Polices should we go ahead and set the Registry key RestrictDriverInstallationToAdministrators anyway? I would need to create the sub key before creating the Registry entry since the PointandPrint subkey doesn’t exist on our endpoints.

        Thanks for your thoughts,

        John

        • #2376058
          Susan Bradley
          Manager

          I’m still digesting, but do you let non admins install print drivers?  In my network, I install all printers and push them out to the workstations, so there is never a “non admin” that installs a driver especially on a print server.  Workstations may be different, but print servers, it’s limited as to whom is installing drivers.

          Susan Bradley Patch Lady

          • #2376100
            johnyhamm
            AskWoody Plus

            Hi Susan

            Not on the print server but I believe non-admins could on an endpoint. I’ll need to test. I’m wondering if this Registry key should be set on the endpoints.

            Thanks

            john

            • #2376104
              doriel
              AskWoody Lounger

              End users are usually able to install network printer for themselves. I mean to add printer to their profile so they can print an email, or table from excel. Those printers must be installed on printserver by admin.

              User can install printer from the list in “printers and scanners” menu, also by double clicking desired printer from printserver itself. It depends how your network is set up.

              Dell Latitude E6530, Intel Core i5 @ 2.6 GHz, 4GB RAM, W10 20H2 Enterprise

              HAL3000, AMD Athlon 200GE @ 3,4 GHz, 8GB RAM, Fedora 29

              PRUSA i3 MK3S+

            • #2376231
              anonymous
              Guest

              There’s a GPO option which stops the print spooler from being accessed remotely, I’m pushing this out to our workstations.  This will stop new printers from being shared out from that station, however.  Eg, I have a couple workstations that need to be able to share out USB-only printers, so this fix wouldn’t work for them.

               

              From how I read it:  Restricting Point and Print to admins would mean that they could not download new drivers on their own.  Eg, you add a new printer to your print server with a new driver package none of your endpoints have seen before, when your users go to add it to their systems they will now be prompted for admin creds to install the new package.  I believe this will be the new behaviour after the July patches regardless.

               

              1 user thanked author for this post.
      • #2376045
        anonymous
        Guest

        586mb download to fix  a small security hole!

        • #2376053
          anonymous
          Guest

          … and it is taking an age to run. Progress bar sits around 20% now and has been there for about 10 minutes.

          Summing up, if you can get by with print spooler off do so and wait for the patch to be delivered via regular monthly patching.

      • #2376054
        anonymous
        Guest

        Something was log-jamming the update. I shut down the install windows after a very long wait with no progress and installed again (without restart). Second time around it ran relatively quickly. Restart resulted in the usual files update and the laptop started with no issues.

        After update I checked services. The temporary fix (print spooler disabled) remained in place. You need to enable it manually after update.

      • #2376071
        Alex5723
        AskWoody Plus

        Windows 7 EOL holdovers will never get any Patch? So just the 7/ESU folks for that!

        0Patch has patched the bug for Windows 7, serves…

        Print Nightmare is going to be a nightmare

      • #2376078
        Microfix
        AskWoody MVP

        Giving this a wide berth on home-use devices for the sake of waiting a week or so.
        Wonder if these W8.1/10 patches contain the ‘June Previews’ as well as the so called ‘fix’?

        | Quality over Quantity |
      • #2376115
        Bruce
        AskWoody Plus

        I’m not sure if this is related, but I notice on a Windows 8.1 Pro system (on which June updates have not yet been applied) that Windows Update no longer lists “2021-06 Security Monthly Quality Rollup for Windows 8.1 for x64-based Systems (KB5003671)”, but has instead replaced it with “2021-07 Security Monthly Quality Rollup for Windows 8.1 for x64-based Systems (KB5004954)”. I thought that the KB5003671 also included a patch for a print spooler flaw. Do I need to manually download and install KB5003671, or is the KB5003671 patch also included in KB5004954? I.e., will the July update fix both print spooler vulnerabilities, and if so, is it too early to apply the July update or would it be better to hold off awhile? Note, the system in question is a home system, and I have already disabled inbound remote printing via Group Policy.

        • #2376121
          PKCano
          Manager

          Win8.1 Rollups are cumulative. The latest one takes supersedence.
          The July Monthly Rollups patches will contain previous fixes.

          Win8.1 Security-only patches are NOT cumulative. If you miss one, you miss the security fixes it contains.

          • #2376123
            Bruce
            AskWoody Plus

            So, since the Win8.1 update is a security update, I do need to manually install the missing June update on that system, whereas since the Win10 update is a cumulative update, no further action is required?

            • #2376124
              PKCano
              Manager

              My Win8.1 machine was offered KB5004954 OOB Rollup through Windows Update.
              If you are installing the SOs instead of the Rollups, you will need to manually download/install as usual.

              1 user thanked author for this post.
        • #2376122
          Bruce
          AskWoody Plus

          I notice a similar situation exists for a Windows 10 Pro 20H2 system which has not yet installed June updates.  Windows Update now lists “2021-07 Cumulative Update for Windows 10 Version 20H2 for x64-based Systems (KB5004945)”.

          • #2376125
            PKCano
            Manager

            Win10 updates are Cumulative. The latest one supersedes the previous ones.

            1 user thanked author for this post.
      • #2376138
        MrChaz
        AskWoody Lounger

        As the sole user of this device with no printer or email client, I have mitigations in place on Windows 7 within GP and printspooler service. It seems to me, that it’s highly unlikely that this exploit affects my configuration. I’m reluctant to do anything, other than wait for patch Tuesday offerings. What do the experts think? Patch or not?

        illegitimi Non Carborundum
        • #2376147
          b
          AskWoody MVP

          If you are a home user, I don’t see a need to rush this patch on.

          Windows 10 Pro version 21H2 build 19044.1151 + Microsoft 365 (group ASAP)

          • #2376154
            MrChaz
            AskWoody Lounger

            Indeed although, this was before any documentation was provided by Microsoft. So was Susan Bradley’s advice given due to lack of information upon patch release, or was it in general? It does not seem clear to me and also is there a reason why the msdefcon has not changed to reflect this? Sorry, I’m a bit confused about the situation which is why I’m hesitant to update.

            illegitimi Non Carborundum
            • #2376158
              PKCano
              Manager

              MS-DEFCON relates to the Patch Tuesday Security updates, not to Previews, optionals, and OOBs.

              Susan’s recommendation to hold off on the OOBs for Home users was general, not for lack of information.

              4 users thanked author for this post.
              • #2376187
                MrChaz
                AskWoody Lounger

                Thank you! I now see that the blog states that the msdefcon has been changed from 4 to 2 due to some printers not functioning properly after patching the out-of-band patch.

                Just a minor niggle here, would it not serve better to add an edit section to blog articles where and when applicable? It surely keeps track of developments over a time period.

                illegitimi Non Carborundum
              • #2376196
                Susan Bradley
                Manager

                Apologies, when I’m in the thick of tracking side effects I forget to put edit.  Updated.

                I was debating on whether to flip it – as PK says normally the Defcon is for the normal security updates, but given that this is causing printer issues, I decided to make the flip to Defcon2 now.

                Susan Bradley Patch Lady

            • #2376198
              Susan Bradley
              Manager

              This vulnerability is designed for attackers to take over an active directory (network) domain. Stand alone computers won’t be a juicy target.  Especially because this is impacting printers/printer drivers you want to hold back and see if there are side effects. Already Zebra label printers have issues with this update.

              Susan Bradley Patch Lady

              1 user thanked author for this post.
              • #2376200
                Kobold Curry Chef
                AskWoody Lounger

                Hi Susan,

                Do you have a link for the Zebra side effects? We rely on Zebra label printers heavily at our company here. Thanks!

              • #2376357
                Susan Bradley
                Manager

                Susan Bradley Patch Lady

                1 user thanked author for this post.
              • #2376501
                doriel
                AskWoody Lounger

                This is not good. I mean what can we trust, if not Microsoft in releasing patches for security issues? First thing is, that the fix did not repair the vulnerability completely and secondly printing issues can occur if patch is applied? This is really very unpleasant experience for admins in large corporations. Zebra is considered as premium brand, we use them on everyday basis, those printers are crucial for us. Thank you for letting us know, that this fix can cause problems with printing.

                Dell Latitude E6530, Intel Core i5 @ 2.6 GHz, 4GB RAM, W10 20H2 Enterprise

                HAL3000, AMD Athlon 200GE @ 3,4 GHz, 8GB RAM, Fedora 29

                PRUSA i3 MK3S+

              • #2376505
                doriel
                AskWoody Lounger

                Just tested KB5004947 on a Server 2019 with NiceLabel printing SW and it works. We can print as usual.

                Dell Latitude E6530, Intel Core i5 @ 2.6 GHz, 4GB RAM, W10 20H2 Enterprise

                HAL3000, AMD Athlon 200GE @ 3,4 GHz, 8GB RAM, Fedora 29

                PRUSA i3 MK3S+

              • #2376232
                anonymous
                Guest

                Local systems are still a juicy target as they can be used for Ransomware attacks.  I’ve been locking down all systems just in case.

      • #2376141
        kbecker1213
        AskWoody Plus

        Is anyone else hearing anything where this patch doesn’t fix the vulnerability?

        1 user thanked author for this post.
      • #2376194
        mpw
        AskWoody Plus

        Turned off my desktop last night due to thunderstorms with lots of lightning.  This morning KB5004945 downloaded/installed when I turned the desktop on and I was informed that the computer needed to restart.  Happened fast.

        I had no print problems before and I have none now so I guess all OK.

        Whether or not it fixed the security problem I have no idea.

        HP Pavilion Desktop TP01-0050 – 64 bit
        Windows 10 Home Version 21H1
        OS build 19043.1110
        Windows Defender and Windows Firewall
        Microsoft Office Home and Business 2019
        -Version 2106(Build 14131.20278 C2R)

      • #2376238
        EP
        AskWoody_MVP

        KB5004948 out-of-band update for Windows 10 version 1607 / Server 2016 / LTSB 2016 released July 7:
        https://support.microsoft.com/help/5004948

        KB5004956 monthly rollup & KB5004960 security-only update for Windows Embedded 8 / Server 2012 released July 7:
        https://support.microsoft.com/help/5004956
        https://support.microsoft.com/help/5004960

      • #2376265
        kdpawson
        AskWoody Plus

        Local systems are still a juicy target as they can be used for Ransomware attacks.  I’ve been locking down all systems just in case.

        I agree there are many people working from home on non-domain joined computers that VPN in to AD networks and RDP etc. Would this be a pivot access point? Kinda thinking patch and if printers break deal with it, depending on the situation of course… but what’s better printer doesn’t work or nothing works from a ransomware attack.

      • #2376316
        Alex5723
        AskWoody Plus

        Microsoft’s incomplete PrintNightmare patch fails to fix vulnerability

        Researchers have bypassed Microsoft’s emergency patch for the PrintNightmare vulnerability to achieve remote code execution and local privilege escalation with the official fix installed.

        Last night, Microsoft released an out-of-band KB5004945 security update that was supposed to fix the PrintNightmare vulnerability that researchers disclosed by accident last month.

        After the update was released, security researchers Matthew Hickey, co-founder of Hacker House, and Will Dormann, a vulnerability analyst for CERT/CC, determined that Microsoft only fixed the remote code execution component of the vulnerability.

        However, malware and threat actors could still use the local privilege escalation component to gain SYSTEM privileges on vulnerable systems only if the Point and Print policy is enabled…

      • #2376341
        Alan_S
        AskWoody Plus

        Win 10 Pro, 20H2, 64-bit
        This morning I let the system update with the June patches. As always, I took a full image copy before launching Windows Update. I noted KB5004945 was dated 2021-07 but since it had already started, I let it finish and then looked here to search for why the date was 2021-07. My gut feeling is to just leave the patched system as-is and trust (hope?) that MS will sort it all out later. After all, there are millions of users that don’t even know that there is a potential problem and they probably just leave the system to update itself. I could restore from the pre-update image copy but the problem then is that updating can’t be deferred any longer – the “pause updating” date I set after installing the May patches a while back expires tomorrow. I didn’t notice any print problems before the update nor after. So, is my “gut feeling” strategy worth a try or is it plain stupid? Many thanks!

        Moderator edit: Removed HTML. Please paste text only (Ctrl+Shift+V) or into text tab

        • #2376356
          Susan Bradley
          Manager

          If it’s installed and you can print, leave it on.

          Susan Bradley Patch Lady

          1 user thanked author for this post.
        • #2376664
          The Surfing Pensioner
          AskWoody Plus

          KB5004945 installed on my two PCs without incident and I can still print no problem. But I regret to say that I quite like News & Interests; it’s handy having the weather on my taskbar and will be useful to be able to check the news without launching my default browser. I do realise this is an admission of appallingly bad taste.

          1 user thanked author for this post.
          • #2376696
            PKCano
            Manager

            You do realize that Windows is probably using your location and personal information to give you weather for your location and news according to your location and interests?

            • #2376697
              b
              AskWoody MVP

              Those are its best features.

              Windows 10 Pro version 21H2 build 19044.1151 + Microsoft 365 (group ASAP)

              • #2376700
                PKCano
                Manager

                Not for someone who is interested in their privacy.

              • #2376704
                mpw
                AskWoody Plus

                I would rather look out the window and pick my own news sources.  I don’t want to follow news, picked by an algorithm, down a rabbit hole.

                HP Pavilion Desktop TP01-0050 – 64 bit
                Windows 10 Home Version 21H1
                OS build 19043.1110
                Windows Defender and Windows Firewall
                Microsoft Office Home and Business 2019
                -Version 2106(Build 14131.20278 C2R)

            • #2376703
              The Surfing Pensioner
              AskWoody Plus

              Yea, and that’s fine. I co-ordinate a voluntary organisation from my home so the whole world knows my locality, email and mobile number. Windows may as well have that information too – who knows, someone on their team may want to make a referral! My career choice leaves no room for paranoia.

      • #2376375
        SFB
        AskWoody Lounger

        https://twitter.com/0patch/status/1412826990168711171

         If you’re using 0patch against PrintNightmare, DO NOT apply the July 6 Windows Update! Not only does it not fix the local attack vector but it also doesn’t fix the remote vector. However, it changes localspl.dll, which makes our patches that DO fix the problem stop applying.

        More links:

        https://blog.0patch.com/2021/07/free-micropatches-for-printnightmare.html

        https://www.bleepingcomputer.com/news/microsoft/microsofts-incomplete-printnightmare-patch-fails-to-fix-vulnerability/

         

         

        1 user thanked author for this post.
      • #2376475
        xyzzy
        AskWoody Plus

        The BleepingComputer article suggests that we install the patches plus do one of the following:

        • Do not install the July 6th patch and install 0Patch’s micropatch instead until a working patch from Microsoft is released.
        • Disable the Print Spooler using the instructions here.
        • Install Microsoft’s July 6th PrintNightmare patch and enable the ‘RestrictDriverInstallationToAdministrators‘ Registry value to only allow Administrators to install drivers to a printer server. You can find instructions on how to configure this Registry value in Microsoft’s support bulletin.

        The last option looked like a good one but I’m confused if that key needs to be applied to *all* systems or just print servers?

        I ask because all of the client systems I’ve checked so far do not have a “Printers” key (and thus no “PointAndPrint” subkey) under HKLM\SOFTWARE\Policies\Microsoft\Windows NT.  Or do I have to add those keys?

        • #2376513
          mpw
          AskWoody Plus

          OK, so the internet is full of complicated ways to disable Print Spooler.  Some involve Group Policy which Win 10 Home users do not have and others involve registry changes using Power shell.  Things do not have to be that complicated.  Here is a simple way to disable Print Spooler until Microsoft comes up with a better patch for PrintNightmare.  It may not be necessary for home users but if you just want to feel safe try this:

          https://computersluggish.com/windows-tutorials/troubleshooting/how-to-disable-the-printer-spooler-in-windows-10/

           

          HP Pavilion Desktop TP01-0050 – 64 bit
          Windows 10 Home Version 21H1
          OS build 19043.1110
          Windows Defender and Windows Firewall
          Microsoft Office Home and Business 2019
          -Version 2106(Build 14131.20278 C2R)

          1 user thanked author for this post.
          • #2376557
            DrBonzo
            AskWoody Plus

            Same method works in Win 7 and Win 8.1. Access Services through the Control Panel, then disable Print Spooler.

        • #2376515
          doriel
          AskWoody Lounger

          The last option looked like a good one but I’m confused if that key needs to be applied to *all* systems or just print servers?

          It should be enough to disable the key only on the print server.
          If attacker controls endpoint PC, the danger of taking control over domain controller is nearly zero.
          Also I think if you have separate print server and separate domain controller (which is best practice, two separate VMs) you are safe too.

          If you open printmanagement.msc there you should see two print servers – local HOST and domain print server (if you have configured one). You need to patch/edit registry for the domain print server. I’m talking about enterprise solution here, not basic home computers.

          Dell Latitude E6530, Intel Core i5 @ 2.6 GHz, 4GB RAM, W10 20H2 Enterprise

          HAL3000, AMD Athlon 200GE @ 3,4 GHz, 8GB RAM, Fedora 29

          PRUSA i3 MK3S+
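
The checks raised in this thread (johnyhamm's and xyzzy's question about the missing PointAndPrint subkey, the Spooler service that stays disabled after patching, and the 1904x.1083 build level for KB5004945), as an added PowerShell example that is not from any poster or from Microsoft. The function names are hypothetical, the value data 1 follows Microsoft's KB5005010, and the script does not settle whether clients or only print servers need the value.

```powershell
# Added example (not from the thread or from Microsoft): a read-only audit plus
# an opt-in setter for the Point and Print value discussed above.
# Function names are hypothetical.
$PnpKey    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$ValueName = 'RestrictDriverInstallationToAdministrators'

function Get-PrintSpoolerHardeningState {
    [CmdletBinding()]
    param()

    # Build and update revision: build 19042.1083 is CurrentBuildNumber 19042, UBR 1083.
    $cv    = Get-ItemProperty -LiteralPath 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [int]$cv.CurrentBuildNumber
    $ubr   = $cv.UBR   # can be absent on older Windows releases

    # The thread lists 19041/19042/19043.1083 for KB5004945. Cumulative updates
    # supersede earlier ones, so compare the revision instead of looking for the KB.
    # Builds the thread gives no number for are reported as $null (not judged).
    $hasOobFix = $null
    if (($build -in 19041, 19042, 19043) -and ($null -ne $ubr)) {
        $hasOobFix = ([int]$ubr -ge 1083)
    }

    # A Spooler that was disabled as a stopgap stays disabled after the update.
    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue

    # Three distinct registry states: key missing, key present without the value,
    # value present (0 or 1).
    $keyExists = Test-Path -LiteralPath $PnpKey
    $restrict  = $null
    if ($keyExists) {
        $restrict = (Get-ItemProperty -LiteralPath $PnpKey -Name $ValueName `
                        -ErrorAction SilentlyContinue).$ValueName
    }

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        OSBuild          = if ($null -ne $ubr) { "$build.$ubr" } else { "$build" }
        HasJuly6OobFix   = $hasOobFix
        SpoolerStartType = if ($svc) { [string]$svc.StartType } else { 'NotInstalled' }
        SpoolerStatus    = if ($svc) { [string]$svc.Status } else { 'NotInstalled' }
        PointAndPrintKey = $keyExists
        RestrictToAdmins = if ($null -eq $restrict) { 'NotSet' } else { [int]$restrict }
    }
}

function Set-RestrictDriverInstallToAdmins {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    # Create the key only when it is missing: New-Item -Force on an existing key
    # would replace it and drop any Point and Print values already configured.
    if (-not (Test-Path -LiteralPath $PnpKey)) {
        if ($PSCmdlet.ShouldProcess($PnpKey, 'Create registry key')) {
            New-Item -Path $PnpKey -Force | Out-Null   # also creates the parent "Printers" key
        }
    }

    # DWORD 1 = only administrators may install printer drivers (per KB5005010).
    if ($PSCmdlet.ShouldProcess("$PnpKey\$ValueName", 'Set DWORD to 1')) {
        New-ItemProperty -LiteralPath $PnpKey -Name $ValueName `
            -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

# Report the current state (no changes are made).
Get-PrintSpoolerHardeningState | Format-List

# To apply the value, run from an elevated prompt; preview first:
# Set-RestrictDriverInstallToAdmins -WhatIf
# Set-RestrictDriverInstallToAdmins
```
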

      • #2376591
        anonymous
        Guest

        Today, after installing the 2021-07 update on the VMs that we have and restarted, the VMs came back online fine, then after the installation of the same update on the windows 2012r2 hyper V that these VMs are running on, and restarting the servers the VMs are stuck at start up. I’m having this issue on two physical servers HP-DL380.

        I’m trying to uninstall the update and restart them and see.

        Anyone faced any similar issue?

        • #2376595
          Susan Bradley
          Manager

          Try rebooting the host.  I’ve had instances where the parent isn’t happy and rebooting it gets pending backups/reboots back in shape.

          Susan Bradley Patch Lady

          • #2376614
            anonymous
            Guest

            I've restarted the host server a couple of times, then as a last resort tried to uninstall the 2021-07 update from the host and restarted the server, and the update is still there. I've uninstalled it again and am restarting now, waiting for the server to come back online.

            • #2376627
              Susan Bradley
              Manager

              There's an event log specifically for the VMs that should give you hints.

              Susan Bradley Patch Lady

      • #2376678
        Alex5723
        AskWoody Plus

        0Patch do not have a W7 patch for this issue. “Windows 7 – not affected”
        0patch Blog: Free Micropatches for PrintNightmare Vulnerability (CVE-2021-34527)

        cheers, Paul

        0Patch has patched Windows 7 a week ago (localspl.dll)

        • #2376777
          Paul T
          AskWoody MVP

          0patch are still saying W7 is not affected – patch applied or not.

          cheers, Paul

          • #2376987
            L95
            AskWoody Plus

            Paul T: If W7 is not affected, then why did Microsoft issue a patch for W7? The posting from PKCano on July 6th (Post #2375992 above) indicates to me that Microsoft issued a patch for W7. I'll appreciate any clarification you can provide to help clear up my confusion.

             

            • #2377017
              Paul T
              AskWoody MVP

              Are you talking about KB5004958? The MS site says: “Windows 8.1 Windows Server 2012 R2 Windows Embedded 8.1 Industry Enterprise Windows Embedded 8.1 Industry Pro”

              As usual, MS are confused and so are we.

              cheers, Paul

              1 user thanked author for this post.
              L95
              • #2377040
                PKCano
                Manager

                The patches for Win7 are KB5004953 and KB5004951 (Rollup/SO).

                1 user thanked author for this post.
                L95
              • #2377175
                L95
                AskWoody Plus

                Paul T: Thanks for your response. To answer your question: No, I'm not talking about KB5004958. I'm talking about KB5004951, as mentioned in the response from PKCano above. The title of that patch is "KB5004951 (Security-only update) Out-of-band" and right below that it says it applies to Windows 7, and then further on down in the article it says "addresses a remote code execution exploit in the Windows Print Spooler service".

              • #2377233
                Susan Bradley
                Manager

                https://twitter.com/wdormann/status/1413492432679804928  And I’m seeing that it’s vulnerable.

                Susan Bradley Patch Lady

                1 user thanked author for this post.
                L95
              • #2377251
                L95
                AskWoody Plus

                Susan: Thanks. That link appears to apply to 64-bit Windows 7. But I have 32-bit. Do you think the same would apply to 32-bit?

      • #2377057
        anonymous
        Guest

        Hi,

        if we have the windows update installed to patch this issue, can we then allow client connections to the computers and turn on the spooler?

        These were both things we had to disable.

        • #2377196
          Paul T
          AskWoody MVP

          To answer both @L95 and anon.
          The exploit allows an ordinary user to gain (domain) admin rights via the print spooler.
          If you are a home user you can manage the risk by not downloading / running unknown software.
          As a domain admin you cannot easily prevent your users running malware so you need to disable the print spoolers and hope the patch arrives before you are compromised.

          cheers, Paul

          1 user thanked author for this post.
          L95
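
A read-only check of the mitigations discussed in this thread (Print Spooler service state, the "accept client connections" policy, and the out-of-band KBs named above), as an added example that is not part of any post. It assumes Windows PowerShell 5.1; the function name `Get-SpoolerExposure` is hypothetical and the KB list is only what posters quoted here.

```powershell
# Added example (not from the thread): read-only audit of one Windows machine.
# Assumes Windows PowerShell 5.1; Get-SpoolerExposure is a hypothetical name.

# Out-of-band KB numbers exactly as quoted in this thread.
$ThreadKBs = 'KB5004945', 'KB5004951', 'KB5004953', 'KB5004958'

function Get-SpoolerExposure {
    # Print Spooler service: current state and configured start mode.
    $svc = Get-CimInstance Win32_Service -Filter "Name='Spooler'"

    # Policy "Allow Print Spooler to accept client connections":
    # 2 = disabled, 1 = enabled, value absent = not configured.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
    $val = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).RegisterSpoolerRemoteRpcEndPoint
    $policy = if ($val -eq 2) { 'Disabled' } elseif ($val -eq 1) { 'Enabled' } else { 'NotConfigured' }

    # DomainRole 4 and 5 are backup and primary domain controllers.
    $role = (Get-CimInstance Win32_ComputerSystem).DomainRole

    # Hotfix IDs present on this machine that match the thread's list.
    $found = @(Get-HotFix -ErrorAction SilentlyContinue |
        Where-Object { $ThreadKBs -contains $_.HotFixID } |
        ForEach-Object { $_.HotFixID })

    $running = ($null -ne $svc) -and ($svc.State -eq 'Running')
    [pscustomobject]@{
        Computer           = $env:COMPUTERNAME
        IsDomainController = $role -ge 4
        SpoolerState       = if ($svc) { $svc.State } else { 'NotPresent' }
        SpoolerStartMode   = if ($svc) { $svc.StartMode } else { $null }
        ClientConnPolicy   = $policy
        ThreadKBsInstalled = $found -join ', '
        # Neither workaround is in place: spooler runs and the policy does not block clients.
        NoWorkaroundActive = $running -and ($policy -ne 'Disabled')
    }
}

Get-SpoolerExposure | Format-List
```

An empty `ThreadKBsInstalled` does not prove a machine is unpatched: a later cumulative update replaces these KBs in the hotfix list, so compare the OS build as well.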
      • #2377221
        Mike W
        AskWoody Lounger

        I’m a non-technical home user with a single computer and single printer.  As a standard practice, I follow your advice and pause updates for an entire month and only resume Windows Updates once per month right before the next Patch Tuesday after I do a system image back-up.

        I just resumed Windows Updates and expected the 2021-06 Cumulative Update for Windows 10 Version 20H2 (KB5003637) to appear and install.  Instead 2021-07 Cumulative Update for Windows 10 Version 20H2 (KB5004945) appeared and installed.  I researched KB5004945 and found this AskWoody article which describes the Print Nightmare problems.  I am able to print wirelessly without any problem after the update.

        Unless you tell me otherwise, I am not inclined to uninstall KB5004945 because I’m not that tech savvy.  I would appreciate your advice considering my simple home system has no printing problems.

        Otherwise, my main question is whether KB5004945 supersedes KB5003637 and installs everything that was included in KB5003637.  If yes, then I should be secure.  If not, then is my computer exposed to any insecurities?  Please advise.

        Per my standard practice, I will pause Windows Updates again for the next month until just before the August 10 Patch Tuesday unless you have any other advice.

        Thank you for your assistance.

        Windows 10 Home Version 20H2 – OS build 19042.1083

         

        • #2377227
          PKCano
          Manager

          Otherwise, my main question is whether KB5004945 supersedes KB5003637 and installs everything that was included in KB5003637. If yes, then I should be secure.

          Yes, you are correct. Just leave it installed if you are having no problems.

          1 user thanked author for this post.
          • #2377229
            Mike W
            AskWoody Lounger

            PKCano – You’re the best.  You always answer my questions immediately with very clear answers.
